[apparmor] [patch] Set log_event flag in collapse_log()

John Johansen john.johansen at canonical.com
Sat Dec 12 06:12:31 UTC 2015


On 12/10/2015 04:35 AM, Christian Boltz wrote:
> Hello,
> 
> collapse_log() creates temporary SignalRule etc. objects which are then
> checked against the existing profile content.
> 
> These temporary objects are based on log events, therefore flag them as
> such. This will ensure proper handling and escaping by the AARE class.
> 
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> [ 36-collapse-log-set-log_event.diff ]
> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-12-08 19:30:43.210864711 +0100
> +++ utils/apparmor/aa.py        2015-12-10 12:38:08.008844270 +0100
> @@ -2509,26 +2509,26 @@
>                  for cap in prelog[aamode][profile][hat]['capability'].keys():
>                      # If capability not already in profile
>                      # XXX remove first check when we have proper profile initialisation
> -                    if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap)):
> +                    if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap, log_event=True)):
>                          log_dict[aamode][profile][hat]['capability'][cap] = True
>  
>                  nd = prelog[aamode][profile][hat]['netdomain']
>                  for family in nd.keys():
>                      for sock_type in nd[family].keys():
> -                        if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
> +                        if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type, log_event=True)):
>                              log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
>  
>                  ptrace = prelog[aamode][profile][hat]['ptrace']
>                  for peer in ptrace.keys():
>                      for access in ptrace[peer].keys():
> -                        if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer)):
> +                        if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer, log_event=True)):
>                              log_dict[aamode][profile][hat]['ptrace'][peer][access] = True
>  
>                  sig = prelog[aamode][profile][hat]['signal']
>                  for peer in sig.keys():
>                      for access in sig[peer].keys():
>                          for signal in sig[peer][access].keys():
> -                            if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer)):
> +                            if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer, log_event=True)):
>                                  log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True
>  
>  
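Review bot: the hunk does not show the constructors of CapabilityRule, NetworkRule, PtraceRule or SignalRule, so it cannot be confirmed from the diff alone that all four accept a `log_event` keyword argument; the commit message only names "SignalRule etc.", and an unsupported keyword would raise TypeError on the first matching log event in collapse_log(), so please confirm each class's `__init__` (or their common base) takes it. The four call sites are now consistent in flagging log-derived temporary rules, which is the right scope for the change. One style point, not for this patch: the capability branch still goes through `aa[profile][hat].get('capability', False) and not ...is_covered(CapabilityRule(...))` under the `XXX remove first check` note while the other three use `is_known_rule(...)`; unifying them in a follow-up would make the log_event handling run through one path.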
> 
> 
> Regards,
> 
> Christian Boltz
> 
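The effect the commit message describes can be shown with a small model of the mechanism. The following is an added example and not code from the AppArmor utils: `AARE` and `SignalRule` are toy stand-ins for the real classes (the real AARE handles far more of the AppArmor pattern syntax), `missing_rules()` mimics what collapse_log() does for signal events, and the profile rules and log events are constructed. With `log_event=True` the peer from the log is escaped and matched as a literal against the profile's patterns; without the flag it is parsed as a pattern, pattern-against-pattern coverage cannot be decided, and every event is reported as missing, so the tool would propose rules the profile already has.

```python
import re


class AARE:
    """Toy stand-in for AppArmor's AARE pattern class (constructed for this
    example; not the real apparmor.aare.AARE). A value read from a log event
    is a literal string, so with log_event=True it is escaped instead of
    being interpreted as a glob pattern."""

    def __init__(self, value, log_event=False):
        self.orig = value
        self.is_literal = log_event
        if log_event:
            self.regex = re.escape(value)            # literal: no glob meaning
        else:
            self.regex = self._glob_to_regex(value)  # profile text: a pattern
        self._compiled = re.compile('^' + self.regex + '$')

    @staticmethod
    def _glob_to_regex(glob):
        # Small subset of AppArmor globbing: **, *, ?, [..] and {a,b}.
        out, i, depth = [], 0, 0
        while i < len(glob):
            c = glob[i]
            if glob.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            if c == '*':
                out.append('[^/]*')
            elif c == '?':
                out.append('[^/]')
            elif c in '[]':
                out.append(c)                        # character class as-is
            elif c == '{':
                out.append('(')
                depth += 1
            elif c == '}' and depth:
                out.append(')')
                depth -= 1
            elif c == ',' and depth:
                out.append('|')
            else:
                out.append(re.escape(c))
            i += 1
        return ''.join(out)

    def match(self, other):
        """True if this (profile) pattern covers `other`."""
        if other.is_literal:
            return self._compiled.match(other.orig) is not None
        # Pattern against pattern: only an identical pattern is known to be
        # covered. This is why an unflagged log value is mis-handled below.
        return self.regex == other.regex


class SignalRule:
    """Minimal signal rule: access, signal name and an AARE peer."""

    def __init__(self, access, signal, peer, log_event=False):
        self.access = access
        self.signal = signal
        self.peer = AARE(peer, log_event=log_event)

    def is_covered(self, other):
        return (self.access == other.access
                and self.signal == other.signal
                and self.peer.match(other.peer))


def missing_rules(profile_rules, events, log_event=True):
    """Mimic collapse_log(): build a temporary rule per log event and report
    the events that no existing profile rule covers."""
    missing = []
    for access, signal, peer in events:
        candidate = SignalRule(access, signal, peer, log_event=log_event)
        if not any(rule.is_covered(candidate) for rule in profile_rules):
            missing.append((access, signal, peer))
    return missing


# Constructed sample profile and constructed log events.
PROFILE_RULES = [
    SignalRule('send', 'term', '/usr/bin/child-*'),
    SignalRule('receive', 'hup', '/usr/bin/{foo,bar}'),
]
LOG_EVENTS = [
    ('send', 'term', '/usr/bin/child-1'),        # covered by the * glob
    ('receive', 'hup', '/usr/bin/bar'),          # covered by {foo,bar}
    ('receive', 'hup', '/usr/bin/baz'),          # really not covered
    ('send', 'term', '/usr/bin/child-[test]'),   # literal brackets in a peer name
]

if __name__ == '__main__':
    print('with log_event=True :', missing_rules(PROFILE_RULES, LOG_EVENTS))
    print('with log_event=False:',
          missing_rules(PROFILE_RULES, LOG_EVENTS, log_event=False))
```

Run as a script it reports only `/usr/bin/baz` as missing with the flag set, and all four events without it. The fourth event is the escaping case: a peer name containing `[test]` is kept literal and still matched by the profile's `child-*` glob, rather than being compiled as a character class.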
