[apparmor] [patch] logparser.py: ignore network events with 'send receive'

Tyler Hicks tyhicks at canonical.com
Fri Jul 29 21:46:50 UTC 2016


On 07/29/2016 04:06 PM, Christian Boltz wrote:
> Hello,
> 
> we already ignore network events that look like file events (based on
> the operation keyword) if they have a request_mask of 'send' or
> 'receive' to avoid aa-logprof crashes because of "unknown" permissions.
> It turned out that both can happen at once, so we should also ignore
> this case.
> 
> Also add the now-ignored log event as test_multi testcase.
> 
> 
> References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
> 
> 
> 
> I propose this patch for trunk, 2.10 and 2.9.

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Thanks for getting to this fix so quickly!

Tyler

> 
> 
> [ 01-logparser-send-receive.diff ]
> 
> --- utils/apparmor/logparser.py 2016-06-05 20:28:24.214423206 +0200
> +++ utils/apparmor/logparser.py 2016-07-29 22:56:57.660828070 +0200
> @@ -310,7 +310,7 @@
>              # sometimes network events come with an e['operation'] that matches the list of file operations
>              # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
>              # XXX these events are network events, so we should map them as such
> -            if e['request_mask'] in ('send', 'receive'):
> +            if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
>                  self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
>                  return None
>  
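Review bot: The new condition `'send' in e['request_mask'] or 'receive' in e['request_mask']` is a substring test on the raw mask string, not a test on its space-separated tokens, so it will also match any mask value that merely contains those letters. It also raises a TypeError if an event reaches this branch with `e['request_mask']` set to None, which the old tuple membership test tolerated. Consider guarding for an empty mask and comparing tokens instead, for example `e['request_mask'] and set(e['request_mask'].split()) & {'send', 'receive'}`, and adjusting the debug message to say the mask contains send or receive.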
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
> --- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 20:59:48 +0000
> @@ -0,0 +1,1 @@
> +Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
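Review bot: The added log line carries what looks like a live public address in `faddr=54.153.70.241`, along with the host's `laddr=192.168.10.3`. Since this file becomes a permanent test fixture, consider replacing the foreign address with a documentation-range address (for example 203.0.113.1) and updating the matching "Foreign addr" line in testcase_network_send_receive.out so the expected output still agrees.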
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
> --- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out        1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out        2016-07-29 21:00:03 +0000
> @@ -0,0 +1,19 @@
> +START
> +File: testcase_network_send_receive.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1469785325.122:21021
> +Operation: file_inherit
> +Mask: send receive
> +Denied Mask: send receive
> +Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
> +Command: sh
> +PID: 18239
> +Network family: inet
> +Socket type: stream
> +Protocol: tcp
> +Local addr: 192.168.10.3
> +Foreign addr: 54.153.70.241
> +Local port: 50758
> +Foreign port: 443
> +Epoch: 1469785325
> +Audit subid: 21021
> 
> 
> 
> 
> Regards,
> 
> Christian Boltz
> 
> 
> 

