Commit 7e84f4ef authored by Christian Boltz's avatar Christian Boltz

If a filename mentioned in audit.log contains an @, aa-logprof crashes with

  ...
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
      variable = regex_variable.search(resource).groups()[0]
	  AttributeError: 'NoneType' object has no attribute 'groups'

handle_variable_rank() checked with   if '@' in resource:
and if it finds it, expects it can match a variable, which means   @{.....}
If a filename contains a   @   this fails.

The patch fixes the if condition so that it does a regex match.

It also adds two testcases for filenames containing @ to make sure they
don't cause a crash and result in the exptected severity rank.


Acked-by: Steve Beattie <steve@nxnw.org> 
parent 9a960a22
......@@ -143,9 +143,9 @@ class Severity(object):
"""Returns the max possible rank for file resources containing variables"""
regex_variable = re.compile('@{([^{.]*)}')
rank = None
if '@' in resource:
variable = regex_variable.search(resource).groups()[0]
variable = '@{%s}' % variable
matches = regex_variable.search(resource)
if matches:
variable = '@{%s}' % matches.groups()[0]
#variables = regex_variable.findall(resource)
for replacement in self.severity['VARIABLES'][variable]:
resource_replaced = self.variable_replace(variable, replacement, resource)
......
......@@ -52,6 +52,8 @@ class Test(unittest.TestCase):
self.assertEqual(rank, 9, 'Wrong rank')
self.assertEqual(sev_db.rank('/etc/apparmor/**', 'r') , 6, 'Invalid Rank')
self.assertEqual(sev_db.rank('/etc/**', 'r') , 10, 'Invalid Rank')
self.assertEqual(sev_db.rank('/usr/foo@bar', 'r') , 10, 'Invalid Rank') ## filename containing @
self.assertEqual(sev_db.rank('/home/foo@bar', 'rw') , 6, 'Invalid Rank') ## filename containing @
# Load all variables for /sbin/klogd and test them
sev_db.load_variables('profiles/sbin.klogd')
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment