[apparmor] [patch] [1/2] support 'owner' file events in logparser.py
Christian Boltz
apparmor at cboltz.de
Sun Jul 30 20:51:38 UTC 2017
Hello,
logparser.py failed to notice if file events are owner-only in modern
audit.log (using fsuid=... and ouid=...).
This patch adds a comparison of fsuid and ouid and marks file events
as 'owner' if they match.
Note that log events without fsuid=... or ouid=... will have
18446744073709551615 as fsuid / ouid value (that's 2^64 - 1).
'None' would clearly be better ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1538340
I propose this patch for trunk and 2.11
(unfortunately it doesn't work on 2.10)
[ 02-logparser-owner.diff ]
=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2017-07-16 21:43:30.718865501 +0200
+++ utils/apparmor/logparser.py 2017-07-30 21:56:10.829026386 +0200
@@ -118,6 +118,10 @@
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
+ if event.ouid != 18446744073709551615: # 2^64 - 1
+ ev['fsuid'] = event.fsuid
+ ev['ouid'] = event.ouid
+
if ev['operation'] and ev['operation'] == 'signal':
ev['signal'] = event.signal
ev['peer'] = event.peer
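Review bot: the guard only compares `event.ouid` against the sentinel, yet it stores `event.fsuid` as well; if a log line carries ouid= but no fsuid=, `ev['fsuid']` ends up holding 18446744073709551615 and the later owner comparison silently operates on that sentinel. Check both fields, and replace the bare literal with a named module-level constant (for example `UID_MISSING = 18446744073709551615  # 2^64 - 1, libapparmor's value for an absent uid`) so the intent is documented in one place rather than in an inline comment.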
@@ -270,6 +274,13 @@
if not validate_log_mode(hide_log_mode(dmask)):
raise AppArmorException(_('Log contains unknown mode %s') % dmask)
+ if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
+ # mark as "owner" event
+ if '::' not in rmask:
+ rmask = '%s::' % rmask
+ if '::' not in dmask:
+ dmask = '%s::' % dmask
+
# convert rmask and dmask to mode arrays
# XXX log_str_to_mode() converts 'w' to 'aw', which later causes a conflict in FileRule
e['denied_mask'], e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
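Review bot: `e['fsuid']` is an unguarded key access while `e.get('ouid')` is defensive; as both keys are written together in the first hunk this works today, but `e.get('fsuid')` would keep the two sides consistent and avoid a KeyError if the parsing code above ever changes. The `'::' not in rmask` test also relies on the mask being a plain string at this point; a short comment stating that `::` is the owner marker consumed by `log_str_to_mode()` would make the transformation clearer to the next reader.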
=== modified file ./utils/test/test-logparser.py
--- utils/test/test-logparser.py 2016-11-18 22:34:24.699780229 +0100
+++ utils/test/test-logparser.py 2017-07-30 21:53:41.609658482 +0200
@@ -73,11 +73,13 @@
'attr': None,
'denied_mask': 'r',
'error_code': 13,
+ 'fsuid': 1002,
'info': 'Failed name lookup - disconnected path',
'magic_token': 0,
'name': 'var/run/nscd/passwd',
'name2': None,
'operation': 'file_mmap',
+ 'ouid': 0,
'parent': 0,
'pid': 25333,
'profile': '/sbin/klogd',
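Review bot: the updated expectation only covers the non-owner case (fsuid 1002 versus ouid 0), so the new `::` marking in the second hunk is not exercised by this test. Add one event where fsuid equals ouid and assert that `denied_mask` carries the owner marker, and one event without fsuid=/ouid= to confirm that neither key appears in the parsed dictionary.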
Regards,
Christian Boltz
--
> I'll then volunteer for the role of fool of the day.
No no, my friend, I won't let anyone take that title from me, with my
DSL story... You can't make a bigger fool of yourself than that...
[> Ralf Prengel and Dieter Soost in suse-linux]