The log parsing in the Immunix::AppArmor perl module has fallen behind when it comes to audit events from some of the newer rule types supported by apparmor_parser.
When an unsupported event is found, it causes aa-logprof to error out. This patch creates a list of valid, but unsupported, event operations that should be ignored by the perl module when parsing logs. https://launchpad.net/bugs/1243932 Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- utils/Immunix/AppArmor.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/utils/Immunix/AppArmor.pm b/utils/Immunix/AppArmor.pm index 01b82c8..23c2a1a 100755 --- a/utils/Immunix/AppArmor.pm +++ b/utils/Immunix/AppArmor.pm @@ -6714,6 +6714,11 @@ sub parse_event($) { LibAppArmor::free_record($event); + if ($ev{'operation'} && $ev{'operation'} =~ /^(capable|dbus|mount|pivotroot|umount)/) { + $DEBUGGING && debug("parser_event: previous event IGNORED"); + return( undef ); + } + #map new c and d to w as logprof doesn't support them yet if ($rmask) { $rmask =~ s/c/w/g; -- 1.8.3.2
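Review bot: The pattern in the new "if" in parse_event is anchored only at the start, so /^(capable|dbus|mount|pivotroot|umount)/ also discards any operation whose name merely begins with one of these words, not just the five listed. If only exact operation names are meant to be skipped, close the anchor, e.g. /^(?:capable|dbus|mount|pivotroot|umount)$/, or add a comment saying the prefix match is deliberate. Two smaller points: the debug string says "parser_event" while the sub is parse_event, which makes the message harder to grep for, and the block has no comment, unlike the "#map new c and d to w" note right below it. A one-line comment stating that these are valid operations logprof cannot handle yet would tell the next reader why audit events for them are dropped silently and never offered for the profile.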