[apparmor] PATCH [2/6] - Fix capability log parsing

John Johansen john.johansen at canonical.com
Fri Sep 10 00:43:20 BST 2010


On 09/09/2010 02:54 PM, Steve Beattie wrote:
> On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
>> The capability operation picked up the capability and capname fields.
>> capability is reported by LSM_AUDIT and is just the capability number.
>> capname is reported by the apparmor module and is the name the kernel
>> knows the capability as.
>>
>> For now just use capname and silently drop capability when it is found.
> 
> ACK from me for 2.5.1. Here is a testcase for this issue (the
> libapparmor testsuite already has an old style capability testcase):
> 
> 
ACK on the test

> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.err'
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in'
> --- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in	2010-09-09 20:51:36 +0000
> @@ -0,0 +1,1 @@
> +Sep  9 12:51:50 ubuntu-desktop kernel: [ 1612.746129] type=1400 audit(1284061910.975:672): apparmor="DENIED" operation="capable" parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" capability=23  capname="sys_nice"
> 
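Review bot: the single input line in testcase_syslog_capability.in covers only the ordering where capability=23 comes before capname="sys_nice", so the test would still pass if the silent drop worked for that order alone. Consider adding a second input with capname= on its own or with the two fields reversed. The testcase_syslog_capability.err file is listed as added with no hunk; if it is meant to be empty, saying so in the commit message would help.
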
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out'
> --- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out	2010-09-09 21:49:33 +0000
> @@ -0,0 +1,12 @@
> +START
> +File: test_multi/testcase_syslog_capability.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1284061910.975:672
> +Operation: capable
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority
> +Name: sys_nice
> +Command: syscall_setprio
> +Parent: 2663
> +PID: 7292
> +Epoch: 1284061910
> +Audit subid: 672
> 
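Review bot: in the expected output, Name: sys_nice is the only line tied to the new fields, and the drop of capability=23 is checked just by the absence of a line for it. A short note in the commit message that Name is filled from capname and that no capability number line is expected would make the intent of this .out file clear to whoever regenerates it next.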


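The field handling described in the patch summary above (report capname, silently drop the numeric capability), as an added example that is not part of the original message and not libapparmor's own parser. The function name `parse_capability_event` and the output key names are assumptions made for illustration; the sample line is the one from the testcase on this page.

```python
import re

# Log line copied from testcase_syslog_capability.in on this page.
SAMPLE = (
    'Sep  9 12:51:50 ubuntu-desktop kernel: [ 1612.746129] type=1400 '
    'audit(1284061910.975:672): apparmor="DENIED" operation="capable" '
    'parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/'
    'apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" '
    'capability=23  capname="sys_nice"'
)

# audit(<epoch>.<msec>:<subid>): followed by key=value pairs.
AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# A value is either double-quoted (may contain spaces) or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _to_int(value):
    """Return value as int, or None when the field is absent or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


def parse_capability_event(line):
    """Parse one AppArmor audit line into a dict (hypothetical helper)."""
    header = AUDIT_RE.search(line)
    if header is None:
        return None  # not an audit record
    epoch, msec, subid, body = header.groups()
    fields = {}
    for pair in PAIR_RE.finditer(body):
        key, quoted, bare = pair.groups()
        fields[key] = quoted if quoted is not None else bare
    # capability (the LSM_AUDIT number) is discarded without error;
    # only capname, the kernel's name for the capability, is reported.
    fields.pop("capability", None)
    return {
        "event": fields.get("apparmor"),
        "audit_id": f"{epoch}.{msec}:{subid}",
        "operation": fields.get("operation"),
        "profile": fields.get("profile"),
        "name": fields.get("capname"),
        "command": fields.get("comm"),
        "parent": _to_int(fields.get("parent")),
        "pid": _to_int(fields.get("pid")),
        "epoch": int(epoch),
        "audit_subid": int(subid),
    }
```
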
