[apparmor] [patch] logparser: store network-related params if an event looks like network (was: Re: [patch] logparser.py: ignore network events with 'send receive')

Christian Boltz apparmor at cboltz.de
Sun Jul 31 12:07:22 UTC 2016 

Hello,

Am Freitag, 29. Juli 2016, 16:46:50 CEST schrieb Tyler Hicks:
> On 07/29/2016 04:06 PM, Christian Boltz wrote:
> > we already ignore network events that look like file events (based
> > on the operation keyword) if they have a request_mask of 'send' or
> > 'receive' to avoid aa-logprof crashes because of "unknown"
> > permissions. It turned out that both can happen at once, so we
> > should also ignore this case.
> > 
> > Also add the now-ignored log event as test_multi testcase.
> > 
> > References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
> > 
> > I propose this patch for trunk, 2.10 and 2.9.
> 
> Acked-by: Tyler Hicks <tyhicks at canonical.com>
> 
> Thanks for getting to this fix so quickly!

I just found out that I did it a bit too quick - I did run the testsuite 
after changing logparser.py, but didn't re-run it after adding 
testcase_network_send_receive.* to the test_multi testsuite - and this 
test causes a test failure in utils/test/test-libapparmor-test_multi.py 
because network family, protocol and sock_type aren't set for events 
that look like a file event.

The patch below fixes this (and is a baby step towards guessing the 
event type based on the event content instead of operation=...)


[patch] logparser: store network-related params if an event looks like network

Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.

This fixes the test failure introduced in my last commit.


I propose this patch for trunk, 2.10 and 2.9.


[ 01-logparser-more-network.diff ]

=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2016-07-29 22:41:43 +0000
+++ utils/apparmor/logparser.py 2016-07-31 11:46:07 +0000
@@ -133,7 +133,7 @@
         ev['denied_mask'] = event.denied_mask
         ev['request_mask'] = event.requested_mask
         ev['magic_token'] = event.magic_token
-        if ev['operation'] and self.op_type(ev['operation']) == 'net':
+        if ev['operation'] and self.op_type(ev['operation']) == 'net' or event.net_protocol:
             ev['family'] = event.net_family
             ev['protocol'] = event.net_protocol
             ev['sock_type'] = event.net_sock_type






Regards,

Christian Boltz
-- 
Dieser Indizierungsmurks. Semantikgefuckel, dass das System
unbenutzbar macht.
Aber gut, dass man zwei Knie hat, in die man sich schießen kann.
[Lars Müller in opensuse-de]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160731/5d5042a2/attachment.pgp>

More information about the AppArmor mailing list