[apparmor] [patch] [7/7] Add support for ptrace log events to aa-logprof
Christian Boltz
apparmor at cboltz.de
Tue Dec 8 19:40:24 UTC 2015
Hello,
$subject.
In detail, this means:
- handle ptrace events in logparser.py
- "translate" those events in aa.py - from log (logparser.py readlog())
to prelog (handle_children()) to log_dict (collapse_log()) to
log_obj (ask_the_questions())
(yes, really! :-/ - needless to say that this is ugly...) [1]
- finally ask the user about the ptrace in ask_the_questions()
Also add a logparser test to test-ptrace.py to ensure the logparser step
works as expected.
Note that the aa.py changes are not covered by tests, however they
worked in a manual test.
If you want to test manually, try this (faked) log line:
msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/smbd" pid=22465 comm="ptrace" requested_mask="trace" denied_mask="trace" peer="/foo/bar"
[ 34-add-ptrace-support-to-logprof.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-12-08 19:02:56.576044028 +0100
+++ utils/apparmor/aa.py 2015-12-08 19:20:49.530494937 +0100
@@ -1157,6 +1157,16 @@
continue
prelog[aamode][profile][hat]['capability'][capability] = True
+ elif typ == 'ptrace':
+ # If ptrace then we (should) have pid, profile, hat, program, mode, access and peer
+ pid, p, h, prog, aamode, access, peer = entry
+ if not regex_nullcomplain.search(p) and not regex_nullcomplain.search(h):
+ profile = p
+ hat = h
+ if not profile or not hat:
+ continue
+ prelog[aamode][profile][hat]['ptrace'][peer][access] = True
+
elif typ == 'signal':
# If signal then we (should) have pid, profile, hat, program, mode, access, signal and peer
pid, p, h, prog, aamode, access, signal, peer = entry
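Review bot: in the new `elif typ == 'ptrace'` branch the `access` value is stored under `prelog[aamode][profile][hat]['ptrace'][peer][access]` exactly as it came out of the parsed `denied_mask`, with no check that it is a value `PtraceRule` accepts; an unexpected mask would only surface later when `PtraceRule(access, peer)` is built in `collapse_log()`, far from the log line that caused it. Consider validating it here (or at least commenting the expectation), and note that `prog` is unpacked but never used, as in the signal branch.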
@@ -1672,6 +1682,11 @@
log_obj[profile][hat]['network'].add(network_obj)
+ for peer in sorted(log_dict[aamode][profile][hat]['ptrace'].keys()):
+ for access in sorted(log_dict[aamode][profile][hat]['ptrace'][peer].keys()):
+ ptrace_obj = PtraceRule(access, peer, log_event=aamode)
+ log_obj[profile][hat]['ptrace'].add(ptrace_obj)
+
for peer in sorted(log_dict[aamode][profile][hat]['signal'].keys()):
for access in sorted(log_dict[aamode][profile][hat]['signal'][peer].keys()):
for signal in sorted(log_dict[aamode][profile][hat]['signal'][peer][access].keys()):
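Review bot: this `collapse_log()` block is the part the cover letter says has no test coverage; a unit test that feeds a `log_dict` holding one ptrace entry (for example peer `/foo/bar` with access `trace`, taken from the sample log line in the mail) and asserts that `log_obj[profile][hat]['ptrace']` contains a matching `PtraceRule` would cover it cheaply. The loop otherwise mirrors the signal block directly below it.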
@@ -2503,6 +2518,12 @@
if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
+ ptrace = prelog[aamode][profile][hat]['ptrace']
+ for peer in ptrace.keys():
+ for access in ptrace[peer].keys():
+ if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer)):
+ log_dict[aamode][profile][hat]['ptrace'][peer][access] = True
+
sig = prelog[aamode][profile][hat]['signal']
for peer in sig.keys():
for access in sig[peer].keys():
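Review bot: `PtraceRule(access, peer)` is built here without `log_event=aamode`, whereas the `collapse_log()` hunk passes it; if that is intentional because only matching against existing rules matters at this point, a one-line comment would stop the next reader from taking it for a bug. For consistency with the `collapse_log()` loops, iterating `sorted(ptrace.keys())` and `sorted(ptrace[peer].keys())` would also be preferable.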
=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-12-06 19:36:00.814745352 +0100
+++ utils/apparmor/logparser.py 2015-12-08 19:18:21.191439433 +0100
@@ -362,6 +362,9 @@
elif e['operation'] == 'change_hat':
return(e['pid'], e['parent'], 'unknown_hat',
[profile, hat, aamode, hat])
+ elif e['operation'] == 'ptrace':
+ return(e['pid'], e['parent'], 'ptrace',
+ [profile, hat, prog, aamode, e['denied_mask'], e['peer']])
elif e['operation'] == 'signal':
return(e['pid'], e['parent'], 'signal',
[profile, hat, prog, aamode, e['denied_mask'], e['signal'], e['peer']])
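Review bot: the cover letter says a logparser test was added to test-ptrace.py, but this diff touches only aa.py and logparser.py, so the test is either missing from the attachment or belongs to a separate patch; please include it. In the new `ptrace` branch `e['denied_mask']` and `e['peer']` are indexed directly, so a ptrace event lacking either field raises `KeyError` instead of being reported as an unparsable line; the signal branch has the same shape, so this can be a follow-up.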
Regards,
Christian Boltz
[1] I already said that when adding signal support, and making it less
ugly is on my TODO list ;-)
--
>> As I said, there are reasons for Exchange, the maintenance is just
>> more laborious.
> Nooooo, not really reasons *ggg
I'll send you our administrative ladies some time. I'm curious how you will
present your point of view. I'll bring popcorn ;)
[> Uwe Drießen and (>>) Björn Meier in postfixbuch-users]