[apparmor] [PATCH] utils: Ignore unsupported log events
John Johansen
john.johansen at canonical.com
Tue Oct 29 22:06:39 UTC 2013
On 10/25/2013 08:48 PM, Tyler Hicks wrote:
> The log parsing in the Immunix::AppArmor perl module has fallen behind
> when it comes to audit events from some of the newer rule types
> supported by apparmor_parser.
>
> When an unsupported event is found, it causes aa-logprof to error out.
> This patch creates a list of valid, but unsupported, event operations
> that should be ignored by the perl module when parsing logs.
>
> https://launchpad.net/bugs/1243932
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> utils/Immunix/AppArmor.pm | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/utils/Immunix/AppArmor.pm b/utils/Immunix/AppArmor.pm
> index 01b82c8..23c2a1a 100755
> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -6714,6 +6714,11 @@ sub parse_event($) {
>
> LibAppArmor::free_record($event);
>
> + if ($ev{'operation'} && $ev{'operation'} =~ /^(capable|dbus|mount|pivotroot|umount)/) {
> + $DEBUGGING && debug("parser_event: previous event IGNORED");
> + return( undef );
> + }
> +
> #map new c and d to w as logprof doesn't support them yet
> if ($rmask) {
> $rmask =~ s/c/w/g;
>
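
Review bot: the operation match on the added "if" line is anchored only at the start, /^(capable|dbus|mount|pivotroot|umount)/, so any operation whose name merely begins with one of these words is ignored too. If prefix matching is intended, a short comment saying so would help; otherwise close the pattern with "$". The group can also be non-capturing, (?:...), since nothing reads $1. In the debug call, the string says "parser_event" while the sub is parse_event, and it does not include $ev{'operation'}, so a skipped event cannot be traced back to its log line. The skip is only reported when $DEBUGGING is set, so a normal aa-logprof run gives no indication that events were dropped; consider whether a one-time notice to the user is warranted.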