[apparmor] [patch] [1/2] support 'owner' file events in logparser.py

Christian Boltz apparmor at cboltz.de
Sun Jul 30 20:51:38 UTC 2017


Hello,

logparser.py failed to notice if file events are owner-only in modern
audit.log (using fsuid=... and ouid=...).

This patch adds a comparison of fsuid and ouid and marks file events
as 'owner' if they match.

Note that log events without fsuid=... or ouid=... will have
18446744073709551615 as fsuid / ouid value (that's 2^64 - 1).
'None' would clearly be better ;-)


References: https://bugs.launchpad.net/apparmor/+bug/1538340


I propose this patch for trunk and 2.11
(unfortunately it doesn't work on 2.10)


[ 02-logparser-owner.diff ]

=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2017-07-16 21:43:30.718865501 +0200
+++ utils/apparmor/logparser.py 2017-07-30 21:56:10.829026386 +0200
@@ -118,6 +118,10 @@
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
 
+        if event.ouid != 18446744073709551615:  # 2^64 - 1
+            ev['fsuid'] = event.fsuid
+            ev['ouid'] = event.ouid
+
         if ev['operation'] and ev['operation'] == 'signal':
             ev['signal'] = event.signal
             ev['peer'] = event.peer
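Review bot: the guard only tests `event.ouid` against the 18446744073709551615 sentinel, but the cover letter says events lacking either `fsuid=` or `ouid=` carry that value in the respective field, so an event with a real `ouid` and a missing `fsuid` would still be stored and could later compare as a non-owner event with a bogus fsuid. Suggest checking both fields, and giving the magic number a name rather than a comment, e.g. `if event.fsuid != UID_UNSET and event.ouid != UID_UNSET:` with `UID_UNSET = 18446744073709551615  # 2^64 - 1, libapparmor's "not set" value` defined once at module level.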
@@ -270,6 +274,13 @@
             if not validate_log_mode(hide_log_mode(dmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % dmask)
 
+            if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
+                # mark as "owner" event
+                if '::' not in rmask:
+                    rmask = '%s::' % rmask
+                if '::' not in dmask:
+                    dmask = '%s::' % dmask
+
             # convert rmask and dmask to mode arrays
             # XXX log_str_to_mode() converts 'w' to 'aw', which later causes a conflict in FileRule
             e['denied_mask'],  e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
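Review bot: the condition reads `e['ouid']` defensively via `.get()` but then indexes `e['fsuid']` directly; the two keys are set together in the first hunk, so this works today, but a symmetric `e.get('fsuid') is not None and e.get('ouid') is not None and e['fsuid'] == e['ouid']` makes the intent explicit and survives if the two fields are ever populated independently. The `'::' not in rmask` / `'::' not in dmask` guards also assume both masks are non-None strings at this point; a one-line comment saying why that holds (they were validated just above) would help the next reader.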
=== modified file ./utils/test/test-logparser.py
--- utils/test/test-logparser.py        2016-11-18 22:34:24.699780229 +0100
+++ utils/test/test-logparser.py        2017-07-30 21:53:41.609658482 +0200
@@ -73,11 +73,13 @@
             'attr': None,
             'denied_mask': 'r',
             'error_code': 13,
+            'fsuid': 1002,
             'info': 'Failed name lookup - disconnected path',
             'magic_token': 0,
             'name': 'var/run/nscd/passwd',
             'name2': None,
             'operation': 'file_mmap',
+            'ouid': 0,
             'parent': 0,
             'pid': 25333,
             'profile': '/sbin/klogd',
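Review bot: the only updated fixture has `fsuid: 1002` and `ouid: 0`, so it exercises just the non-owner path; nothing in the test change covers the case the patch is actually for (fsuid == ouid producing an owner-marked `denied_mask`), nor the sentinel case where fsuid/ouid are absent from the log line and should not appear in the parsed event at all. Suggest adding one log sample for each of those two cases so the `'::'` marking and the 18446744073709551615 guard are both pinned down.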



Regards,

Christian Boltz
-- 
>  I'll then voluntarily take on the role of the dunce of the day.
No no, my friend, I won't let anyone take that title from me, with my
DSL story... You can't act any more dunce-like than that...
[> Ralf Prengel and Dieter Soost in suse-linux]