[apparmor] [patch] logparser: store network-related params if an event looks like network (was: Re: [patch] logparser.py: ignore network events with 'send receive')
kgupta8592 at gmail.com
Sun Jul 31 14:41:44 UTC 2016
On Sun, Jul 31, 2016 at 5:37 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> On Friday, 29 July 2016, 16:46:50 CEST, Tyler Hicks wrote:
>> On 07/29/2016 04:06 PM, Christian Boltz wrote:
>> > we already ignore network events that look like file events (based
>> > on the operation keyword) if they have a request_mask of 'send' or
>> > 'receive' to avoid aa-logprof crashes because of "unknown"
>> > permissions. It turned out that both can happen at once, so we
>> > should also ignore this case.
>> > Also add the now-ignored log event as test_multi testcase.
>> > References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
>> > I propose this patch for trunk, 2.10 and 2.9.
>> Acked-by: Tyler Hicks <tyhicks at canonical.com>
>> Thanks for getting to this fix so quickly!
> I just found out that I did it a bit too quick - I did run the testsuite
> after changing logparser.py, but didn't re-run it after adding
> testcase_network_send_receive.* to the test_multi testsuite - and this
> test causes a test failure in utils/test/test-libapparmor-test_multi.py
> because network family, protocol and sock_type aren't set for events
> that look like a file event.
> The patch below fixes this (and is a baby step towards guessing the
> event type based on the event content instead of operation=...)
> [patch] logparser: store network-related params if an event looks like network
> Network events can come with an operation= that looks like a file event.
> Nevertheless, if the event has a typical network parameter (like
> net_protocol) set, make sure to store the network-related flags in ev.
> This fixes the test failure introduced in my last commit.
> I propose this patch for trunk, 2.10 and 2.9.
> [ 01-logparser-more-network.diff ]
> === modified file 'utils/apparmor/logparser.py'
> --- utils/apparmor/logparser.py 2016-07-29 22:41:43 +0000
> +++ utils/apparmor/logparser.py 2016-07-31 11:46:07 +0000
> @@ -133,7 +133,7 @@
> ev['denied_mask'] = event.denied_mask
> ev['request_mask'] = event.requested_mask
> ev['magic_token'] = event.magic_token
> - if ev['operation'] and self.op_type(ev['operation']) == 'net':
> + if ev['operation'] and self.op_type(ev['operation']) == 'net' or event.net_protocol:
Maybe swap around the or operator and maybe sprinkle in a pinch of
> ev['family'] = event.net_family
> ev['protocol'] = event.net_protocol
> ev['sock_type'] = event.net_sock_type
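Review bot: the condition on the added line mixes "and" and "or" without parentheses. Python groups it as (ev['operation'] and self.op_type(ev['operation']) == 'net') or event.net_protocol, which matches the commit message, but writing the parentheses out (or putting event.net_protocol first) would keep a later edit from changing the grouping by accident. The new test also looks only at event.net_protocol, while the commit message speaks of "a typical network parameter (like net_protocol)": an event with a file-like operation that carries net_family or net_sock_type but no protocol would still skip the three assignments that follow. If that case can occur, check those fields as well, and add a short comment saying why the operation type alone is not trusted here.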
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
> Christian Boltz
> This indexing botch. Semantic fiddling that makes the system
> unusable.
> But it's good that one has two knees to shoot oneself in.
> [Lars Müller in opensuse-de]