aa-cleanprof returns wrong count for deleted rules

Bug #1462794 reported by Kshitij Gupta
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

aa-cleanprof deletes duplicate rules and imports but the same is not reflected in the output (in both trunk and 2.9).

The tool shows:

Deleted 0 rules.

Whereas upon selecting the [(V)iew Changes] option we can see:

 /usr/sbin/ntpd {
-
- #include <abstractions/xad>
   #include <abstractions/xad>

-
- /etc/ntpd.conf.tmp r,
-
   /etc/ntpd.conf.tmp r,
+
 }

i.e. 1 import and 1 rule were removed by aa-cleanprof.

Minimal test profile:

/usr/sbin/ntpd {

  #include <abstractions/xad>
  #include <abstractions/xad>

  /etc/ntpd.conf.tmp r,

  /etc/ntpd.conf.tmp r,
}

Tags: aa-tools
Christian Boltz (cboltz) wrote:

That's caused by the fact that the rules are exact duplicates, and how we store them in the aa hasher

For example the two #include lines map to
    aa['/usr/sbin/ntpd']['/usr/sbin/ntpd']['include']['abstractions/xad'] = True
    aa['/usr/sbin/ntpd']['/usr/sbin/ntpd']['include']['abstractions/xad'] = True
so the de-duplication accidentally ;-) already happens in parse_profile_data and isn't even recognized as de-duplication.

The same happens for the two identical file rules, except that parsing and storing them is a bit more interesting[tm].
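As an added illustration of the explanation above (example code, not AppArmor's own aa-tools code): it parses the reporter's minimal profile into a hasher-like nested dict and counts duplicates at insert time, which is the only point where they are still visible. The regexes and the simplified file-rule syntax are assumptions made for the example.

```python
"""Why aa-cleanprof can print "Deleted 0 rules." while the diff shows removed lines.

A nested dict keyed by rule text (like the aa hasher described above) collapses
exact duplicates on insert, so a dedup pass run afterwards finds nothing to delete.
Counting at insert time keeps the number that the user expects to see.
"""
import re

# Constructed input: the minimal test profile from the bug report.
PROFILE = """/usr/sbin/ntpd {

  #include <abstractions/xad>
  #include <abstractions/xad>

  /etc/ntpd.conf.tmp r,

  /etc/ntpd.conf.tmp r,
}
"""

# Assumed, deliberately simplified syntax: only '#include <x>' and 'path perms,'.
INCLUDE_RE = re.compile(r'^#include\s+<([^>]+)>$')
FILE_RE = re.compile(r'^(\S+)\s+([a-zA-Z]+),$')


def parse_profile(text):
    """Return (rules, dropped). rules mimics aa[profile][hat][kind][key];
    dropped counts the duplicates a plain dict assignment would have hidden."""
    rules = {'include': {}, 'file': {}}
    dropped = {'include': 0, 'file': 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith('{') or line == '}':
            continue  # profile header, footer and blank lines
        m = INCLUDE_RE.match(line)
        if m:
            kind, key, value = 'include', m.group(1), True
        else:
            m = FILE_RE.match(line)
            if not m:
                raise ValueError('unsupported line: ' + line)
            kind, key, value = 'file', m.group(1), m.group(2)
        if key in rules[kind]:
            dropped[kind] += 1  # second copy: the dict would silently overwrite it
        rules[kind][key] = value
    return rules, dropped


def dedup_after_parse(rules):
    """A dedup pass over the stored dict: keys are unique, so it always reports 0."""
    return sum(len(keys) - len(set(keys)) for keys in rules.values())
```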

Christian Boltz (cboltz) wrote:

This should be fixed for file rules with the FileRule patches I sent to the mailing list two days ago.

#include lines will still automagically de-duplicate in parse_profile_data().
