[apparmor] [patch] Fix logparser.py crash on change_hat events

Christian Boltz apparmor at cboltz.de
Tue Dec 8 21:40:49 UTC 2015 

Hello,

'change_hat' events have the target profile in 'name2', not in 'name'
(which is None and therefore causes a crash when checking if it contains
'//')

Also add the log event causing this crash to the libapparmor testsuite.

References: https://bugs.launchpad.net/apparmor/+bug/1523297


I propose this patch for trunk, 2.10 and 2.9.


[ 35-logparser-fix-change_hat-crash.diff ]

=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-12-08 19:30:43.210864711 +0100
+++ utils/apparmor/logparser.py 2015-12-08 22:32:35.942935356 +0100
@@ -260,10 +260,10 @@
         if e['operation'] == 'change_hat':
             if aamode != 'HINT' and aamode != 'PERMITTING':
                 return None
-            profile = e['name']
+            profile = e['name2']
             #hat = None
-            if '//' in e['name']:
-                profile, hat = e['name'].split('//')[:2]
+            if '//' in e['name2']:
+                profile, hat = e['name2'].split('//')[:2]
 
         if not hat:
             hat = profile
=== added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in
--- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:37:50.613264112 +0100
+++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:04:34.079794942 +0100
@@ -0,0 +1 @@
+type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT"
=== added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out
--- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out        2015-12-08 22:37:52.369254773 +0100
+++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out        2015-12-08 22:04:52.459698695 +0100
@@ -0,0 +1,11 @@
+START
+File: testcase_changehat_01.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1449442292.901:961
+Operation: change_hat
+Profile: /usr/sbin/httpd{,2}-prefork
+Command: httpd-prefork
+Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT
+PID: 8527
+Epoch: 1449442292
+Audit subid: 961


Regards,

Christian Boltz
-- 
Hm, mich hat Frust in meiner Linuxanfangszeit doch eher beflügelt,
ich hab mir gedacht, dem Schrotthaufen Code zeig ich mal, wer die
Hosen anhat. Wobei, ich zappel wohl hier immer noch eher in einem
Strampelanzug herum ;) [Thorsten von Plotho-Kettner in suse-linux]

More information about the AppArmor mailing list