[apparmor] PATCH [2/6] - Fix capability log parsing
John Johansen
john.johansen at canonical.com
Fri Sep 10 00:43:20 BST 2010
On 09/09/2010 02:54 PM, Steve Beattie wrote:
> On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
>> The capability operation picked up the capability and capname fields.
>> capability is reported by LSM_AUDIT and is just the capability number.
>> capname is reported by the apparmor module and is the name the kernel
>> knows the capability as.
>>
>> For now just use capname and silently drop capability when it is found.
>
> ACK from me for 2.5.1. Here is a testcase for this issue (the
> libapparmor testsuite already has an old style capability testcase):
>
>
ACK on the test
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.err'
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in'
> --- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in 1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.in 2010-09-09 20:51:36 +0000
> @@ -0,0 +1,1 @@
> +Sep 9 12:51:50 ubuntu-desktop kernel: [ 1612.746129] type=1400 audit(1284061910.975:672): apparmor="DENIED" operation="capable" parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" capability=23 capname="sys_nice"
>
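Review bot: The single record in testcase_syslog_capability.in only exercises `capability=23` appearing before `capname="sys_nice"`, with both fields present. Since the change drops `capability` whenever it is found, consider adding a second input line with the two fields in the opposite order, and one carrying only `capname`, so the test shows the drop does not depend on field position.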
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out'
> --- libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out 1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_capability.out 2010-09-09 21:49:33 +0000
> @@ -0,0 +1,12 @@
> +START
> +File: test_multi/testcase_syslog_capability.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1284061910.975:672
> +Operation: capable
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority
> +Name: sys_nice
> +Command: syscall_setprio
> +Parent: 2663
> +PID: 7292
> +Epoch: 1284061910
> +Audit subid: 672
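Review bot: In testcase_syslog_capability.out the only trace of the capability is `Name: sys_nice`; the numeric `capability=23` from the input has no line here, so the expected output bakes in the silent drop. A short comment in the commit message or beside the test saying the number is discarded on purpose would help, so that a later change which starts reporting it updates this .out deliberately instead of reading the difference as a regression.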
>
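The field handling described in this thread, as an added example that is not part of the original mail and is not libapparmor's parser: a Python sketch that reads the test record, keeps `capname` as the name and drops the numeric `capability`. The function name `parse_capable_record` and the dictionary keys are hypothetical.

```python
import re

# Constructed sample: the record from testcase_syslog_capability.in above.
SAMPLE = (
    'Sep 9 12:51:50 ubuntu-desktop kernel: [ 1612.746129] type=1400 '
    'audit(1284061910.975:672): apparmor="DENIED" operation="capable" '
    'parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/'
    'apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" '
    'capability=23 capname="sys_nice"'
)

AUDIT_ID = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')
# key="quoted value" or key=bare_value
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_capable_record(line):
    """Parse one AppArmor audit record into the fields the test expects."""
    stamp = AUDIT_ID.search(line)
    if stamp is None:
        raise ValueError("no audit(...) stamp in record")
    epoch, msec, subid = stamp.groups()

    # Collect key=value pairs that follow the audit stamp, in any order.
    fields = {}
    for kv in KEY_VALUE.finditer(line, stamp.end()):
        quoted, bare = kv.group(2), kv.group(3)
        fields[kv.group(1)] = quoted if quoted is not None else bare

    # The numeric capability is dropped; only capname is reported.
    fields.pop("capability", None)

    def num(key):
        return int(fields[key]) if key in fields else None

    return {
        "apparmor": fields.get("apparmor"),
        "audit_id": f"{epoch}.{msec}:{subid}",
        "operation": fields.get("operation"),
        "profile": fields.get("profile"),
        "name": fields.get("capname"),
        "command": fields.get("comm"),
        "parent": num("parent"),
        "pid": num("pid"),
        "epoch": int(epoch),
        "audit_subid": int(subid),
    }
```
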