[apparmor] [patch] logparser: store network-related params if an event looks like network (was: Re: [patch] logparser.py: ignore network events with 'send receive')
apparmor at cboltz.de
Sun Jul 31 12:07:22 UTC 2016
On Friday, 29 July 2016, 16:46:50 CEST, Tyler Hicks wrote:
> On 07/29/2016 04:06 PM, Christian Boltz wrote:
> > we already ignore network events that look like file events (based
> > on the operation keyword) if they have a request_mask of 'send' or
> > 'receive' to avoid aa-logprof crashes because of "unknown"
> > permissions. It turned out that both can happen at once, so we
> > should also ignore this case.
> > Also add the now-ignored log event as test_multi testcase.
> > References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
> > I propose this patch for trunk, 2.10 and 2.9.
> Acked-by: Tyler Hicks <tyhicks at canonical.com>
> Thanks for getting to this fix so quickly!
I just found out that I did it a bit too quickly - I did run the testsuite
after changing logparser.py, but didn't re-run it after adding
testcase_network_send_receive.* to the test_multi testsuite - and this
test causes a test failure in utils/test/test-libapparmor-test_multi.py
because network family, protocol and sock_type aren't set for events
that look like a file event.
The patch below fixes this (and is a baby step towards guessing the
event type based on the event content instead of operation=...)
[patch] logparser: store network-related params if an event looks like network
Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.
This fixes the test failure introduced in my last commit.
I propose this patch for trunk, 2.10 and 2.9.
[ 01-logparser-more-network.diff ]
=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2016-07-29 22:41:43 +0000
+++ utils/apparmor/logparser.py 2016-07-31 11:46:07 +0000
@@ -133,7 +133,7 @@
ev['denied_mask'] = event.denied_mask
ev['request_mask'] = event.requested_mask
ev['magic_token'] = event.magic_token
- if ev['operation'] and self.op_type(ev['operation']) == 'net':
+ if ev['operation'] and self.op_type(ev['operation']) == 'net' or event.net_protocol:
ev['family'] = event.net_family
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
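Review bot: the new condition on the `+` line mixes `and` and `or` without parentheses, so it only reads correctly if you remember that `and` binds tighter than `or`. Python evaluates it as `(ev['operation'] and self.op_type(ev['operation']) == 'net') or event.net_protocol`, which matches the commit message, but writing the parentheses out would keep a later edit from silently changing the grouping. The fallback also tests only `event.net_protocol`, while the commit message speaks of "a typical network parameter (like net_protocol)": an event that carries `net_family` or `net_sock_type` but no `net_protocol` still skips this block, so either test all three fields or add a comment saying why `net_protocol` alone is enough. A short comment above the `if` explaining that network events can arrive with a file-like operation= would also help the next reader.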
This indexing mess. Semantic screwing-around, so that the system
But it's good that one has two knees to shoot oneself in.
[Lars Müller in opensuse-de]