[apparmor] [patch] Fix handling of link events in aa-logprof
Christian Boltz
apparmor at cboltz.de
Thu Jan 7 19:53:11 UTC 2016
Hello,
handle_children() has some special code for handling link events with
denied_mask = 'l'. Unfortunately this special code depends on a regex
that matches the old, obsolete log format - in a not really parsed
format ("^from .* to .*$").
The result was that aa-logprof did not ask about events containing 'l'
in denied_mask.
Fortunately the fix is easy - delete the code with the special handling
for 'l' events, and the remaining code that handles other file
permissions just works :-)
References: Bug report by pfak on IRC
Testcase (with hand-tuned log event):
aa-logprof -f <( echo 'Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 audit(1452136284.727:344): apparmor="ALLOWED" operation="link" profile="/usr/sbin/smbd" name="/foo" pid=10262 comm=616D617669736420286368362D3130 requested_mask="l" denied_mask="l" fsuid=110 ouid=110 target="/bar"')
should ask to add '/foo l,' to the profile.
I propose this patch for trunk, 2.10 and 2.9.
[ 63-fix-landling-of-link-events.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2016-01-07 20:20:08.794298255 +0100
+++ utils/apparmor/aa.py 2016-01-07 20:20:39.186120312 +0100
@@ -1218,25 +1218,7 @@
else:
do_execute = True
- if mode & apparmor.aamode.AA_MAY_LINK:
- regex_link = re.compile('^from (.+) to (.+)$')
- match = regex_link.search(detail)
- if match:
- path = match.groups()[0]
- target = match.groups()[1]
-
- frommode = str_to_mode('lr')
- if prelog[aamode][profile][hat]['path'].get(path, False):
- frommode |= prelog[aamode][profile][hat]['path'][path]
- prelog[aamode][profile][hat]['path'][path] = frommode
-
- tomode = str_to_mode('lr')
- if prelog[aamode][profile][hat]['path'].get(target, False):
- tomode |= prelog[aamode][profile][hat]['path'][target]
- prelog[aamode][profile][hat]['path'][target] = tomode
- else:
- continue
- elif mode:
+ if mode:
path = detail
if prelog[aamode][profile][hat]['path'].get(path, False):
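Review bot: The surviving `if mode:` branch records only `path = detail`, while the removed block also granted `lr` on the link `target` and added `r` alongside `l` on the source path. The testcase in the message expects just '/foo l,', so link events now produce a narrower rule set than the old code was written to produce. Please state in the commit message that dropping the target entry and the implicit `r` is intended. The hand-tuned log event would also make a good regression test in the utils test suite, since this hunk changes only aa.py and nothing guards against the link handling breaking again.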
Regards,
Christian Boltz
--
We are not aware of any studies on how many of the "RSS is dead" blog
posts were read via newsfeed.
[http://www.heise.de/newsticker/meldung/Facebook-Twitter-und-der-Tod-von-RSS-1240619.html]
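An added example, not part of the original message or of aa-logprof's code: a simplified model of the control flow before and after the patch, run on the testcase's log event, showing why the old regex dropped the event. `parse_event`, `old_handling`, `new_handling` and `proposed_rules` are hypothetical helpers, and it is assumed that `detail` carries the event's `name` field.

```python
import re

# Constructed input: the hand-tuned log event from the testcase in the message.
SAMPLE_EVENT = (
    'Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 '
    'audit(1452136284.727:344): apparmor="ALLOWED" operation="link" '
    'profile="/usr/sbin/smbd" name="/foo" pid=10262 '
    'comm=616D617669736420286368362D3130 requested_mask="l" '
    'denied_mask="l" fsuid=110 ouid=110 target="/bar"'
)
OLD_LINK_REGEX = re.compile('^from (.+) to (.+)$')  # regex removed by the patch

def parse_event(line):
    """Hypothetical key=value splitter; not aa-logprof's real log parser."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def old_handling(event, prelog):
    """Model of the pre-patch flow: 'l' events must match the old regex."""
    detail = event['name']  # assumption: detail carries the name field
    if 'l' in event['denied_mask']:
        match = OLD_LINK_REGEX.search(detail)
        if not match:
            return False  # the removed 'continue': event is never asked about
        for path in match.groups():
            prelog.setdefault(path, set()).update('lr')
        return True
    prelog.setdefault(detail, set()).update(event['denied_mask'])
    return True

def new_handling(event, prelog):
    """Model of the patched flow: 'l' is handled like any other file mode."""
    prelog.setdefault(event['name'], set()).update(event['denied_mask'])
    return True

def proposed_rules(prelog):
    """Render collected modes as profile rules such as '/foo l,'."""
    return [f"{path} {''.join(sorted(modes))},"
            for path, modes in sorted(prelog.items())]

if __name__ == '__main__':
    event = parse_event(SAMPLE_EVENT)
    for handler in (old_handling, new_handling):
        collected = {}
        handled = handler(event, collected)
        print(handler.__name__, handled, proposed_rules(collected))
```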