[apparmor] [patch] logparser.py: ignore network events with 'send receive'

Christian Boltz apparmor at cboltz.de
Fri Jul 29 21:06:28 UTC 2016


Hello,

we already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.

Also add the now-ignored log event as test_multi testcase.


References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13



I propose this patch for trunk, 2.10 and 2.9.


[ 01-logparser-send-receive.diff ]

--- utils/apparmor/logparser.py 2016-06-05 20:28:24.214423206 +0200
+++ utils/apparmor/logparser.py 2016-07-29 22:56:57.660828070 +0200
@@ -310,7 +310,7 @@
             # sometimes network events come with an e['operation'] that matches the list of file operations
             # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
             # XXX these events are network events, so we should map them as such
-            if e['request_mask'] in ('send', 'receive'):
+            if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
                 self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
                 return None
 
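Review bot: The new condition 'send' in e['request_mask'] is a substring test on the mask string, not a test for the permission token. It matches any mask that merely contains those letters, and it raises a TypeError if e['request_mask'] is None, where the old tuple comparison simply evaluated to False. Consider splitting the mask on whitespace and checking the resulting tokens against {'send', 'receive'}, with a guard for a missing mask. The debug text "request_mask is send or receive" could then say "contains send or receive" so the log matches the check.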
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 20:59:48 +0000
@@ -0,0 +1,1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
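Review bot: The added log line carries a concrete host name (files) and real-looking addresses (laddr=192.168.10.3, faddr=54.153.70.241) into the test suite. Since the test only needs the operation and the "send receive" masks, consider replacing the addresses with documentation-range values such as 192.0.2.x (RFC 5737) in both the .in and the .out file, so the test data does not preserve details of someone's system.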

=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out        1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out        2016-07-29 21:00:03 +0000
@@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021




Regards,

Christian Boltz
-- 
Well, if you have such a weak computer, you can only run one of the
two at a time. You still need both.
After all, the electric stove won't take pity and suddenly start
mixing just because there is only one socket, will it?
[Adalbert Michelic in suse-linux]