    Fix aa-mergeprof crash caused by accidentally initialized hat · bc492533
    Christian Boltz authored
    Hasher causes some fun in aa-mergeprof: If the profile in
    /etc/apparmor.d/ has a hat or subprofile that doesn't exist in the
    to-be-merged profile, aa-mergeprof crashes. This is caused by reading
    self.other.aa[program][hat]['include'] which accidentally "creates" that
    profile inside the aa hasher as empty hasher (instead of ProfileStorage).
    
    Later, the code loops over self.other.aa[profile].keys(), expects
    everything to be ProfileStorage, and explodes [1] when for example
    trying to run .delete_duplicates on the hasher (which obviously doesn't
    provide this method).
    
    This patch adds checks to all self.other.aa accesses in
    CleanProf.remove_duplicate_rules() to avoid accidentally creating new keys
    in the hasher.
    
    Interestingly this bug survived unnoticed for years (at least since
    2.11).
    
    [1] last lines of the backtrace:
      File ".../utils/apparmor/cleanprofile.py", line 42, in compare_profiles
        deleted += self.remove_duplicate_rules(profile)
      File ".../utils/apparmor/cleanprofile.py", line 65, in remove_duplicate_rules
        deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
      File ".../utils/apparmor/aa.py", line 1680, in delete_duplicates
        deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
    AttributeError: 'collections.defaultdict' object has no attribute 'delete_duplicates'
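The failure mode described in the commit message, reproduced as an added example (not code from the AppArmor repository). `hasher` here is a recursive `defaultdict` assumed to behave like the one the message refers to; `ProfileStorage`, the profile names, and the helper functions are hypothetical stand-ins, and the sample data is constructed.

```python
import collections


def hasher():
    # Assumed stand-in for the recursive defaultdict called "hasher" above.
    return collections.defaultdict(hasher)


class ProfileStorage:
    # Hypothetical minimal stand-in; only what this example needs.
    def __init__(self, rules):
        self.data = {"include": {}, "rules": set(rules)}

    def __getitem__(self, key):
        return self.data[key]

    def delete_duplicates(self, other_rules):
        dupes = self.data["rules"] & set(other_rules)
        self.data["rules"] -= dupes
        return len(dupes)


PROGRAM = "/usr/bin/foo"  # constructed sample profile name


def build_profiles():
    # Constructed sample: the to-be-merged profile has no hat "^debug".
    other = hasher()
    other[PROGRAM][PROGRAM] = ProfileStorage({"r /etc/passwd", "r /tmp/x"})
    return other


def unguarded_read(other, program, hat):
    # A plain read of a missing hat creates other[program][hat] as an
    # empty hasher as a side effect.
    return other[program][hat]["include"]


def guarded_lookup(other, program, hat):
    # "in" does not call defaultdict.__missing__, so no key is created.
    if program in other and hat in other[program]:
        return other[program][hat]
    return None


def dedupe_all(other, program, base_rules):
    # Like the later loop: assumes every value is a ProfileStorage.
    deleted = 0
    for hat in list(other[program].keys()):
        deleted += other[program][hat].delete_duplicates(base_rules)
    return deleted
```
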