[apparmor] [patch] Fix handling of link events in aa-logprof

Christian Boltz apparmor at cboltz.de
Thu Jan 7 19:53:11 UTC 2016


Hello,

handle_children() has some special code for handling link events with
denied_mask = 'l'. Unfortunately this special code depends on a regex
that matches the old, obsolete log format - in a not really parsed
format ("^from .* to .*$").

The result was that aa-logprof did not ask about events containing 'l' 
in denied_mask.

Fortunately the fix is easy - delete the code with the special handling
for 'l' events, and the remaining code that handles other file
permissions just works :-)


References: Bug report by pfak on IRC


Testcase (with hand-tuned log event):

    aa-logprof -f <( echo 'Jan  7 03:11:24 mail kernel: [191223.562261] type=1400 audit(1452136284.727:344): apparmor="ALLOWED" operation="link" profile="/usr/sbin/smbd" name="/foo" pid=10262 comm=616D617669736420286368362D3130 requested_mask="l" denied_mask="l" fsuid=110 ouid=110 target="/bar"')

should ask to add '/foo l,' to the profile.



I propose this patch for trunk, 2.10 and 2.9.


[ 63-fix-landling-of-link-events.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2016-01-07 20:20:08.794298255 +0100
+++ utils/apparmor/aa.py        2016-01-07 20:20:39.186120312 +0100
@@ -1218,25 +1218,7 @@
                     else:
                         do_execute = True
 
-                if mode & apparmor.aamode.AA_MAY_LINK:
-                    regex_link = re.compile('^from (.+) to (.+)$')
-                    match = regex_link.search(detail)
-                    if match:
-                        path = match.groups()[0]
-                        target = match.groups()[1]
-
-                        frommode = str_to_mode('lr')
-                        if prelog[aamode][profile][hat]['path'].get(path, False):
-                            frommode |= prelog[aamode][profile][hat]['path'][path]
-                        prelog[aamode][profile][hat]['path'][path] = frommode
-
-                        tomode = str_to_mode('lr')
-                        if prelog[aamode][profile][hat]['path'].get(target, False):
-                            tomode |= prelog[aamode][profile][hat]['path'][target]
-                        prelog[aamode][profile][hat]['path'][target] = tomode
-                    else:
-                        continue
-                elif mode:
+                if mode:
                     path = detail
 
                     if prelog[aamode][profile][hat]['path'].get(path, False):
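Review bot: the removed branch recorded 'lr' for both the link path and its target, while after this change a link event goes through `if mode:` with `path = detail` only, so the link target is never recorded and the implicit 'r' is no longer added. If that is intended (the test case expects just '/foo l,'), please say so in the commit message. Turning the hand-tuned log event into a regression test would also keep this path covered, and it is worth checking whether `re` is still used elsewhere in aa.py now that `regex_link` is gone.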


Regards,

Christian Boltz
-- 
We are not aware of any studies on how many of the "RSS is dead" blog
posts were read via news feed.
[http://www.heise.de/newsticker/meldung/Facebook-Twitter-und-der-Tod-von-RSS-1240619.html]
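
The behaviour described in the message above, as an added example that is not part of the original message and not aa-logprof's own code: it parses the test-case log event and compares a simplified model of the old link handling with the patched handling. The helper names, the set-of-letters mode representation, and the assumption that `detail` holds the event's `name` field are illustrative.

```python
import re

# Log event copied from the test case in the message above.
EVENT = ('Jan  7 03:11:24 mail kernel: [191223.562261] type=1400 '
         'audit(1452136284.727:344): apparmor="ALLOWED" operation="link" '
         'profile="/usr/sbin/smbd" name="/foo" pid=10262 '
         'comm=616D617669736420286368362D3130 requested_mask="l" '
         'denied_mask="l" fsuid=110 ouid=110 target="/bar"')

OLD_LINK_RE = re.compile(r'^from (.+) to (.+)$')   # regex removed by the patch
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value


def parse_fields(line):
    """Return the key=value fields of an audit line (simplified parser)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def paths_old(fields):
    """Model of the pre-patch logic: 'l' events need 'from X to Y' in detail."""
    prelog = {}
    detail, mask = fields['name'], fields['denied_mask']  # assumption: detail == name
    if 'l' in mask:
        match = OLD_LINK_RE.search(detail)
        if not match:
            return prelog  # the old 'continue': the event is silently dropped
        for path in match.groups():
            prelog[path] = prelog.get(path, set()) | {'l', 'r'}
    elif mask:
        prelog[detail] = prelog.get(detail, set()) | set(mask)
    return prelog


def paths_new(fields):
    """Model of the patched logic: 'l' is treated like any other permission."""
    prelog = {}
    detail, mask = fields['name'], fields['denied_mask']
    if mask:
        prelog[detail] = prelog.get(detail, set()) | set(mask)
    return prelog


if __name__ == '__main__':
    event = parse_fields(EVENT)
    print('old:', paths_old(event))
    print('new:', paths_new(event))
```
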