[apparmor] [patch] Fix logparser.py crash on change_hat events

John Johansen john.johansen at canonical.com
Sat Dec 12 06:16:24 UTC 2015 

On 12/08/2015 01:40 PM, Christian Boltz wrote:
> Hello,
> 
> 'change_hat' events have the target profile in 'name2', not in 'name'
> (which is None and therefore causes a crash when checking if it contains
> '//')
> 
> Also add the log event causing this crash to the libapparmor testsuite.
> 
> References: https://bugs.launchpad.net/apparmor/+bug/1523297
> 
> 
> I propose this patch for trunk, 2.10 and 2.9.
> 
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> [ 35-logparser-fix-change_hat-crash.diff ]
> 
> === modified file ./utils/apparmor/logparser.py
> --- utils/apparmor/logparser.py 2015-12-08 19:30:43.210864711 +0100
> +++ utils/apparmor/logparser.py 2015-12-08 22:32:35.942935356 +0100
> @@ -260,10 +260,10 @@
>          if e['operation'] == 'change_hat':
>              if aamode != 'HINT' and aamode != 'PERMITTING':
>                  return None
> -            profile = e['name']
> +            profile = e['name2']
>              #hat = None
> -            if '//' in e['name']:
> -                profile, hat = e['name'].split('//')[:2]
> +            if '//' in e['name2']:
> +                profile, hat = e['name2'].split('//')[:2]
>  
>          if not hat:
>              hat = profile
> === added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in
> --- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:37:50.613264112 +0100
> +++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:04:34.079794942 +0100
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT"
> === added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out
> --- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out        2015-12-08 22:37:52.369254773 +0100
> +++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out        2015-12-08 22:04:52.459698695 +0100
> @@ -0,0 +1,11 @@
> +START
> +File: testcase_changehat_01.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1449442292.901:961
> +Operation: change_hat
> +Profile: /usr/sbin/httpd{,2}-prefork
> +Command: httpd-prefork
> +Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT
> +PID: 8527
> +Epoch: 1449442292
> +Audit subid: 961
> 
> 
> Regards,
> 
> Christian Boltz
>

More information about the AppArmor mailing list