[apparmor] [patch] Ignore change_hat events with error=-1 and "unconfined can not change_hat"

Seth Arnold seth.arnold at canonical.com
Wed Feb 22 23:54:50 UTC 2017


On Thu, Feb 23, 2017 at 12:49:46AM +0100, Christian Boltz wrote:
> Hello,
> 
> $subject.
> That's much better than crashing aa-logprof ;-)  (use the log line in
> the added testcase if you want to see the crash)
> 
> Reported by pfak on IRC.
> 
> 
> I propose this patch for trunk, 2.10 and 2.9.

Acked for all three, thanks.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> 
> 
> [ 01-logparser-unconfined-change_hat.diff ]
> 
> --- utils/apparmor/logparser.py 2017-01-19 23:22:16.148279403 +0100
> +++ utils/apparmor/logparser.py 2017-02-23 00:21:24.402771048 +0100
> @@ -249,6 +249,8 @@
>          if e['operation'] == 'change_hat':
>              if aamode != 'HINT' and aamode != 'PERMITTING':
>                  return None
> +            if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat':
> +                return None
>              profile = e['name2']
>              #hat = None
>              if '//' in e['name2']:
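Review bot: the new condition compares `e['error_code'] == 1` while the log line it targets carries `error=-1`, and it pins the skip to the exact kernel text `unconfined can not change_hat`; a one-line comment above the check, stating that libapparmor reports this record's error code as 1 and quoting the log line, would keep the next reader from mistaking the comparison for a sign bug and would document that the skip depends on the wording of the kernel message.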
> === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err'
> === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in'
> --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 2017-02-22 23:15:02 +0000
> @@ -0,0 +1,1 @@
> +Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2"
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out'
> --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out        1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out        2017-02-22 23:15:17 +0000
> @@ -0,0 +1,12 @@
> +START
> +File: unconfined-change_hat.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1487719321.954:218
> +Operation: change_hat
> +Profile: unconfined
> +Command: apache2
> +Info: unconfined can not change_hat
> +ErrorCode: 1
> +PID: 19941
> +Epoch: 1487719321
> +Audit subid: 218
> 
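Review bot: the expected record has no Name2 line, which is the shape of event that makes the subsequent `profile = e['name2']` lookup in logparser.py fail; consider also guarding on `e['name2']` being set rather than relying only on the exact info string, so that an unconfined change_hat event with a differently worded info field does not reintroduce the crash.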
> === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile'
> --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile    1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile    2017-02-22 23:20:06 +0000
> @@ -0,0 +1,2 @@
> +profile unconfined {
> +}
> 
> 