Re: [apparmor] [patch] let logparser.py ignore file_inherit events without request_mask

Wed, 28 Oct 2015 12:46:41 -0700 

Hi,

On Fri, Oct 23, 2015 at 3:31 PM, Christian Boltz <appar...@cboltz.de> wrote:

> Hello,
>
> $subject.
>
> That's not nice, but still better than a crash ;-)
>
> References: https://bugs.launchpad.net/apparmor/+bug/1466812/
>
>
> I propose this patch for trunk and 2.9
>
>
> BTW: when I test the log entry
>     Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400
> audit(1445522258.769:1054): apparmor="DENIED" operation="file_inherit"
> profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407
> comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram"
> protocol=17
> with test_multi.multi, it tells me
>     Event type: AA_RECORD_INVALID
>
> Is that really the expected result?
>
I'll let someone else take a stab at answering this.

>
>
>
> [ 04-logparser-file_inherit.diff ]
>
> === modified file 'utils/apparmor/logparser.py'
> --- utils/apparmor/logparser.py 2015-10-03 18:18:54 +0000
> +++ utils/apparmor/logparser.py 2015-10-23 09:41:49 +0000
> @@ -282,8 +286,9 @@
>                                  'rename_dest', 'unlink', 'rmdir',
> 'symlink_create', 'link',
>                                  'sysctl', 'getattr', 'setattr', 'xattr']
> ):
>
> -            # for some reason, we get file_perm log events without
> request_mask, see https://bugs.launchpad.net/apparmor/+bug/1466812/
> -            if e['operation'] == 'file_perm' and e['request_mask'] is
> None:
> +            # for some reason, we get file_perm and file_inherit log
> events without request_mask, see
> +            # https://bugs.launchpad.net/apparmor/+bug/1466812/ and
> https://bugs.launchpad.net/apparmor/+bug/1509030
> +            if e['operation'] in ['file_perm', 'file_inherit'] and
> e['request_mask'] is None:
>                  self.debug_logger.debug('UNHANDLED (missing
> request_mask): %s' % e)
>                  return None
>
> Ideally we should have: STRANGE_OPERATIONS_WITHOUT_MASKS =  ['file_perm',
'file_inherit']
(I thought of calling it *Stanley Ipkiss*[1], but am open to other options
too.)

followed by: if e['operation'] in STRANGE_OPERATIONS_WITHOUT_MASKS and
e['request_mask'] is None.

With/without the change.

Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8...@gmail.com>.

[1]: http://the-mask.wikia.com/wiki/Stanley_Ipkiss


>
> Regards,
>
> Christian Boltz
> --
> In /etc steht, was Du denkst. In /proc steht, was das OS denkt.
>                                            [Thomas Blum in doc]
>
>
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>



-- 
Regards,

Kshitij Gupta

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to