[apparmor] [patch] let logparser.py ignore file_inherit events without request_mask
Kshitij Gupta
kgupta8592 at gmail.com
Wed Oct 28 19:46:04 UTC 2015
Hi,
On Fri, Oct 23, 2015 at 3:31 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> $subject.
>
> That's not nice, but still better than a crash ;-)
>
> References: https://bugs.launchpad.net/apparmor/+bug/1466812/
>
>
> I propose this patch for trunk and 2.9
>
>
> BTW: when I test the log entry
> Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400
> audit(1445522258.769:1054): apparmor="DENIED" operation="file_inherit"
> profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407
> comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram"
> protocol=17
> with test_multi.multi, it tells me
> Event type: AA_RECORD_INVALID
>
> Is that really the expected result?
>
I'll let someone else take a stab at answering this.
>
>
>
> [ 04-logparser-file_inherit.diff ]
>
> === modified file 'utils/apparmor/logparser.py'
> --- utils/apparmor/logparser.py 2015-10-03 18:18:54 +0000
> +++ utils/apparmor/logparser.py 2015-10-23 09:41:49 +0000
> @@ -282,8 +286,9 @@
> 'rename_dest', 'unlink', 'rmdir',
> 'symlink_create', 'link',
> 'sysctl', 'getattr', 'setattr', 'xattr']
> ):
>
> - # for some reason, we get file_perm log events without
> request_mask, see https://bugs.launchpad.net/apparmor/+bug/1466812/
> - if e['operation'] == 'file_perm' and e['request_mask'] is
> None:
> + # for some reason, we get file_perm and file_inherit log
> events without request_mask, see
> + # https://bugs.launchpad.net/apparmor/+bug/1466812/ and
> https://bugs.launchpad.net/apparmor/+bug/1509030
> + if e['operation'] in ['file_perm', 'file_inherit'] and
> e['request_mask'] is None:
> self.debug_logger.debug('UNHANDLED (missing
> request_mask): %s' % e)
> return None
>
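Review bot: on the widened `if e['operation'] in ['file_perm', 'file_inherit'] and e['request_mask'] is None:` branch, the only trace of the skipped event is a `debug_logger.debug` call before `return None`, so a DENIED file_inherit record without request_mask disappears from the tool's output unless debug logging is enabled. Consider reporting the skip at a level the user sees. The visible diff also touches only utils/apparmor/logparser.py, so a regression test built from the log entry quoted in this mail would pin the new behaviour.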
Ideally we should have: STRANGE_OPERATIONS_WITHOUT_MASKS = ['file_perm', 'file_inherit']
(I thought of calling it *Stanley Ipkiss*[1], but am open to other options too.)
followed by: if e['operation'] in STRANGE_OPERATIONS_WITHOUT_MASKS and e['request_mask'] is None.
With/without the change.
Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
[1]: http://the-mask.wikia.com/wiki/Stanley_Ipkiss
>
> Regards,
>
> Christian Boltz
> --
> /etc holds what you think. /proc holds what the OS thinks.
> [Thomas Blum in doc]
--
Regards,
Kshitij Gupta