[apparmor] [patch] Set log_event flag in collapse_log()
John Johansen
john.johansen at canonical.com
Sat Dec 12 06:12:31 UTC 2015
On 12/10/2015 04:35 AM, Christian Boltz wrote:
> Hello,
>
> collapse_log() creates temporary SignalRule etc. objects which are then
> checked against the existing profile content.
>
> These temporary objects are based on log events, therefore flag them as
> such. This will ensure proper handling and escaping by the AARE class.
>
>
Acked-by: John Johansen <john.johansen at canonical.com>
> [ 36-collapse-log-set-log_event.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-12-08 19:30:43.210864711 +0100
> +++ utils/apparmor/aa.py 2015-12-10 12:38:08.008844270 +0100
> @@ -2509,26 +2509,26 @@
> for cap in prelog[aamode][profile][hat]['capability'].keys():
> # If capability not already in profile
> # XXX remove first check when we have proper profile initialisation
> - if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap)):
> + if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap, log_event=True)):
> log_dict[aamode][profile][hat]['capability'][cap] = True
>
> nd = prelog[aamode][profile][hat]['netdomain']
> for family in nd.keys():
> for sock_type in nd[family].keys():
> - if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
> + if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type, log_event=True)):
> log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
>
> ptrace = prelog[aamode][profile][hat]['ptrace']
> for peer in ptrace.keys():
> for access in ptrace[peer].keys():
> - if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer)):
> + if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer, log_event=True)):
> log_dict[aamode][profile][hat]['ptrace'][peer][access] = True
>
> sig = prelog[aamode][profile][hat]['signal']
> for peer in sig.keys():
> for access in sig[peer].keys():
> for signal in sig[peer][access].keys():
> - if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer)):
> + if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer, log_event=True)):
> log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True
>
>
>
>
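Review bot: The four call sites in this hunk (capability, network, ptrace, signal) each repeat log_event=True by hand and nothing next to them says why; a short comment above these loops stating that rule objects built from prelog are log-derived and must be created with log_event=True would keep the next rule type added to collapse_log() from missing the flag. The capability check also still goes through aa[profile][hat].get('capability', False) and is_covered() directly while the other three use is_known_rule(), so, as the XXX comment implies, a profile without an initialised 'capability' entry short-circuits before the new CapabilityRule(cap, log_event=True) is ever built; that is worth a line in the commit message or a follow-up conversion. The diff touches only utils/apparmor/aa.py, so a test that runs a log event whose peer contains characters the AARE class has to escape through collapse_log() would show that the flag changes the outcome.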
> Regards,
>
> Christian Boltz
>