[apparmor] PATCH [2/6] - Fix capability log parsing

Steve Beattie steve at nxnw.org
Thu Sep 9 22:54:27 BST 2010


On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
> The capability operation picked up the capability and capname fields.
> capability is reported by LSM_AUDIT and is just the capability number.
> capname is reported by the apparmor module and is the name the kernel
> knows the capability as.
> 
> For now just use capname and silently drop capability when it is found.

ACK from me for 2.5.1. Here is a testcase for this issue (the
libapparmor testsuite already has an old style capability testcase):


=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in	2010-09-09 20:51:36 +0000
@@ -0,0 +1,1 @@
+Sep  9 12:51:50 ubuntu-desktop kernel: [ 1612.746129] type=1400 audit(1284061910.975:672): apparmor="DENIED" operation="capable" parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" capability=23  capname="sys_nice"
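Review bot: the only input line in testcase_syslog_capability.in carries both capability=23 and capname="sys_nice", in that order, so the test covers just the case where the numeric field is present and comes before the name. Consider adding a second test_multi input where capname appears without a capability= field, so that a record emitted without the LSM_AUDIT number is also checked to produce the same Name.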

=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out	2010-09-09 21:49:33 +0000
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase_syslog_capability.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1284061910.975:672
+Operation: capable
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority
+Name: sys_nice
+Command: syscall_setprio
+Parent: 2663
+PID: 7292
+Epoch: 1284061910
+Audit subid: 672
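Review bot: the expected output in testcase_syslog_capability.out has no line for the numeric capability (23 in the .in file), and that absence is the only thing pinning down the "silently drop capability" behaviour. Nothing in the testcase says the omission is intentional, so a sentence in the commit message stating that the number is deliberately not reported would help whoever later changes the parser to expose it and finds this test failing.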


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/