Check for duplicate profiles

Having two profiles for the same binary is "technically allowed", but it
leads to interesting[tm] behaviour because one of them "wins" depending
on the load order. To make things even more interesting, the kernel load
order can be different from the tools load order, leading to even more
fun.

Short version: you do _not_ want that situation ;-)

This patch adds a duplicate check to attach_profile_data() so that it
errors out if it finds duplicate profiles or hats, and lists the profile
files that contain them.



Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for both trunk and 2.9.
Christian Boltz 2015-08-03 01:17:53 +02:00
parent 426edf3233
commit c9e16d874e


@ -2512,6 +2512,13 @@ def attach_profile_data(profiles, profile_data):
# Make deep copy of data to avoid changes to
# arising due to mutables
for p in profile_data.keys():
if profiles.get(p, False):
for hat in profile_data[p].keys():
if profiles[p].get(hat, False):
raise AppArmorException(_("Conflicting profiles for %s defined in two files:\n- %s\n- %s") %
# 'filename' is not set for hats, therefore print the filename of the main profile
(combine_name(p, hat), profiles[p][p]['filename'], profile_data[p][p]['filename']))
profiles[p] = deepcopy(profile_data[p])
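
Review bot: The filename lookups in the raise arguments, profiles[p][p]['filename'] and profile_data[p][p]['filename'], assume that both the already-loaded data and the newly parsed file contain an entry for the main profile p with 'filename' set. If either side holds only hats under p, the lookup fails with KeyError and the "Conflicting profiles" message never reaches the user. Suggest reading the names defensively, for example profiles[p].get(p, {}).get('filename') with a placeholder string when it is missing, so that AppArmorException is always the error raised. As a style point, the comment about 'filename' sits between the format string and its argument tuple; placing it above the raise would read more easily. A test that loads two files defining the same profile, and another for the same hat, would pin down both the check and the message.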