[apparmor] [patch] logparser: store network-related params if an event looks like network (was: Re: [patch] logparser.py: ignore network events with 'send receive')
apparmor at cboltz.de
Sun Jul 31 15:14:43 UTC 2016
On Sunday, 31 July 2016, 20:11:44 CEST, Kshitij Gupta wrote:
> On Sun, Jul 31, 2016 at 5:37 PM, Christian Boltz wrote:
> > I just found out that I did it a bit too quick - I did run the
> > testsuite after changing logparser.py, but didn't re-run it after
> > adding testcase_network_send_receive.* to the test_multi testsuite
> > - and this test causes a test failure in
> > utils/test/test-libapparmor-test_multi.py because network family,
> > protocol and sock_type aren't set for events that look like a file
> > event.
> > The patch below fixes this (and is a baby step towards guessing the
> > event type based on the event content instead of operation=...)
> > [patch] logparser: store network-related params if an event looks
> > like network
> > Network events can come with an operation= that looks like a file
> > event. Nevertheless, if the event has a typical network parameter
> > (like net_protocol) set, make sure to store the network-related
> > flags in ev.
> > This fixes the test failure introduced in my last commit.
> > I propose this patch for trunk, 2.10 and 2.9.
> > [ 01-logparser-more-network.diff ]
> > === modified file 'utils/apparmor/logparser.py'
> > --- utils/apparmor/logparser.py 2016-07-29 22:41:43 +0000
> > +++ utils/apparmor/logparser.py 2016-07-31 11:46:07 +0000
> > @@ -133,7 +133,7 @@
> > ev['denied_mask'] = event.denied_mask
> > ev['request_mask'] = event.requested_mask
> > ev['magic_token'] = event.magic_token
> > - if ev['operation'] and self.op_type(ev['operation']) ==
> > 'net':
> > + if ev['operation'] and self.op_type(ev['operation']) == 'net' or event.net_protocol:
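Review bot: In the added if line, "and" binds tighter than "or", so the condition groups as (ev['operation'] and self.op_type(ev['operation']) == 'net') or event.net_protocol and is true for any event with net_protocol set, even when ev['operation'] is empty. Write the intended grouping with explicit parentheses so the reader does not have to work out the precedence. A short comment on that line would also help, since the reason for checking net_protocol (network events whose operation= looks like a file event) is only stated in the commit message.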
> Maybe swap around the or operator and maybe sprinkle in a pinch of
Indeed, parentheses sound like a good idea. It should be:
+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
I'll add them before committing.
(I doubt we'll get an event with net_protocol, but without operation,
but better safe than sorry ;-)
> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
Thanks for the review!
No, you are wrong here. Typical user does not even know how to start
command line, and of course is not aware of "zypper" or how to
understand "zypper ps" output. Subscribers to -devel lists are in no
way typical users. [Andrey Borzenkov in opensuse-factory]
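The difference between the condition as posted and the parenthesized form from the reply, as an added example that is not part of the original message or of logparser.py. The op_type table, the function names and the sample events are constructed stand-ins.

```python
# Added illustration; OP_TYPES and the sample events are constructed stand-ins,
# not taken from utils/apparmor/logparser.py.
OP_TYPES = {"create": "net", "connect": "net", "file_perm": "file", "open": "file"}


def op_type(operation):
    """Hypothetical stand-in for self.op_type(): map an operation name to a class."""
    return OP_TYPES.get(operation, "unknown")


def before_patch(operation, net_protocol):
    # Condition on the removed ('-') line: only operation= decides.
    return bool(operation and op_type(operation) == "net")


def as_posted(operation, net_protocol):
    # 'and' binds tighter than 'or': (operation and ... == 'net') or net_protocol
    return bool(operation and op_type(operation) == "net" or net_protocol)


def with_parentheses(operation, net_protocol):
    # Form given in the reply: an operation is required in every case.
    return bool(operation and (op_type(operation) == "net" or net_protocol))


# Constructed events: (label, operation, net_protocol)
EVENTS = [
    ("network operation", "create", "tcp"),
    ("file-looking operation with net_protocol", "file_perm", "tcp"),
    ("plain file event", "open", None),
    ("net_protocol without operation", None, "tcp"),
]


def compare():
    """Return {label: (before_patch, as_posted, with_parentheses)}."""
    return {
        label: (before_patch(op, proto), as_posted(op, proto), with_parentheses(op, proto))
        for label, op, proto in EVENTS
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:42} {result}")
```

The two patched forms differ only for an event that has net_protocol set but no operation, which is the case mentioned in the reply.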