[apparmor] [patch] [9/9] Add support for dbus events to aa-logprof

Christian Boltz apparmor at cboltz.de
Sun Dec 27 15:13:15 UTC 2015


Hello,

$subject.

In detail, this means:
- handle ptrace events in logparser.py
- "translate" those events in aa.py - from log (logparser.py readlog())
  to prelog (handle_children()) to log_dict (collapse_log()))
- finally ask the user about the ptrace in ask_the_questions()
  (no code change needed there)

Note that these changes are not covered by tests, however they worked in
a manual test with the log examples in the libapparmor testsuite.
Unfortunately there's no example log for eavesdrop, so it might be a
good idea to a) add such a log line and b) test with it.



[ 60-add-logprof-support-for-dbus-events.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-12-27 13:13:48.245063269 +0100
+++ utils/apparmor/aa.py        2015-12-27 15:06:10.149844921 +0100
@@ -1155,6 +1155,16 @@
                     continue
                 prelog[aamode][profile][hat]['capability'][capability] = True
 
+            elif typ == 'dbus':
+                # If dbus then we (should) have pid, profile, hat, program, mode, access, bus, name, path, interface, member, peer_profile
+                pid, p, h, prog, aamode, access, bus, path, name, interface, member, peer_profile = entry
+                if not regex_nullcomplain.search(p) and not regex_nullcomplain.search(h):
+                    profile = p
+                    hat = h
+                if not profile or not hat:
+                    continue
+                prelog[aamode][profile][hat]['dbus'][access][bus][path][name][interface][member][peer_profile] = True
+
             elif typ == 'ptrace':
                 # If ptrace then we (should) have pid, profile, hat, program, mode, access and peer
                 pid, p, h, prog, aamode, access, peer = entry
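Review bot: the comment on the new dbus branch lists the fields as "bus, name, path", but the unpack on the next line reads "bus, path, name" (which is also the order the logparser.py hunk emits). Since prelog is then keyed [bus][path][name], a reader trusting the comment would assume the bus name and object path sit in each other's slots; please make the comment match the unpack. Also note that profile and hat are only assigned when neither p nor h matches regex_nullcomplain, so the "if not profile or not hat" check depends on values set outside this branch; a one-line comment stating that this is intended would help.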
@@ -2489,6 +2499,28 @@
                     if not is_known_rule(aa[profile][hat], 'capability', cap_event):
                         log_dict[aamode][profile][hat]['capability'].add(cap_event)
 
+                dbus = prelog[aamode][profile][hat]['dbus']
+                for access in                               dbus:
+                    for bus in                              dbus[access]:
+                        for path in                         dbus[access][bus]:
+                            for name in                     dbus[access][bus][path]:
+                                for interface in            dbus[access][bus][path][name]:
+                                    for member in           dbus[access][bus][path][name][interface]:
+                                        for peer_profile in dbus[access][bus][path][name][interface][member]:
+                                            # Depending on the access type, not all parameters are allowed.
+                                            # Ignore them, even if some of them appear in the log.
+                                            # Also, the log doesn't provide a peer label, therefore always use ALL.
+                                            if access in ['send', 'receive']:
+                                                dbus_event = DbusRule(access, bus, path,            DbusRule.ALL,   interface,   member,        peer_profile,   DbusRule.ALL, log_event=True)
+                                            elif access == 'bind':
+                                                dbus_event = DbusRule(access, bus, DbusRule.ALL,    name,           DbusRule.ALL, DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
+                                            elif access == 'eavesdrop':
+                                                dbus_event = DbusRule(access, bus, DbusRule.ALL,    DbusRule.ALL,   DbusRule.ALL, DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
+                                            else:
+                                                raise AppArmorBug('unexpected dbus access: %s')
+
+                                            log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
+
                 nd = prelog[aamode][profile][hat]['netdomain']
                 for family in nd.keys():
                     for sock_type in nd[family].keys():
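Review bot: in the final else branch, raise AppArmorBug('unexpected dbus access: %s') never interpolates anything, so the message will literally end in "%s" and hide the offending value; it should be 'unexpected dbus access: %s' % access. In addition, the three DbusRule(...) calls pass eight positional arguments padded with alignment whitespace, and the comment says the peer label is always ALL while peer_profile is passed in the seventh position for send/receive; using keyword arguments here would make it checkable from the call site which slot peer_profile fills and which one stays DbusRule.ALL.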
=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-12-27 13:13:48.245063269 +0100
+++ utils/apparmor/logparser.py 2015-12-27 15:08:57.024735157 +0100
@@ -377,6 +377,9 @@
         elif e['operation'] == 'signal':
             return(e['pid'], e['parent'], 'signal',
                              [profile, hat, prog, aamode, e['denied_mask'], e['signal'], e['peer']])
+        elif e['operation'].startswith('dbus_'):
+            return(e['pid'], e['parent'], 'dbus',
+                             [profile, hat, prog, aamode, e['denied_mask'], e['bus'], e['path'], e['name'], e['interface'], e['member'], e['peer_profile']])
         else:
             self.debug_logger.debug('UNHANDLED: %s' % e)
 
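Review bot: the new dbus_ branch forwards e['denied_mask'] as the access without checking it, while the aa.py hunk raises AppArmorBug for anything other than send, receive, bind or eavesdrop, so a single log line with an unexpected mask would abort the run instead of landing in the UNHANDLED debug path just below. Consider validating the mask here and falling through to the debug logger otherwise. It is also worth confirming that e always carries 'bus', 'path', 'name', 'interface', 'member' and 'peer_profile' for every dbus_* operation, since the aa.py comment says not all parameters apply to every access type, and the cover note says there is no eavesdrop example log to exercise this.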


Regards,

Christian Boltz
-- 
programmers' biggest strength is that they're lazy bastards.
[Claudio Freire in opensuse-factory]