On 12/10/2015 04:35 AM, Christian Boltz wrote:
> Hello,
> 
> collapse_log() creates temporary SignalRule etc. objects which are then
> checked against the existing profile content.
> 
> These temporary objects are based on log events, therefore flag them as
> such. This will ensure proper handling and escaping by the AARE class.
> 
> 
Acked-by: John Johansen <john.johan...@canonical.com>

> [ 36-collapse-log-set-log_event.diff ]
> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-12-08 19:30:43.210864711 +0100
> +++ utils/apparmor/aa.py        2015-12-10 12:38:08.008844270 +0100
> @@ -2509,26 +2509,26 @@
>                  for cap in prelog[aamode][profile][hat]['capability'].keys():
>                      # If capability not already in profile
>                      # XXX remove first check when we have proper profile 
> initialisation
> -                    if aa[profile][hat].get('capability', False) and not 
> aa[profile][hat]['capability'].is_covered(CapabilityRule(cap)):
> +                    if aa[profile][hat].get('capability', False) and not 
> aa[profile][hat]['capability'].is_covered(CapabilityRule(cap, 
> log_event=True)):
>                          log_dict[aamode][profile][hat]['capability'][cap] = 
> True
>  
>                  nd = prelog[aamode][profile][hat]['netdomain']
>                  for family in nd.keys():
>                      for sock_type in nd[family].keys():
> -                        if not is_known_rule(aa[profile][hat], 'network', 
> NetworkRule(family, sock_type)):
> +                        if not is_known_rule(aa[profile][hat], 'network', 
> NetworkRule(family, sock_type, log_event=True)):
>                              
> log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
>  
>                  ptrace = prelog[aamode][profile][hat]['ptrace']
>                  for peer in ptrace.keys():
>                      for access in ptrace[peer].keys():
> -                        if not is_known_rule(aa[profile][hat], 'ptrace', 
> PtraceRule(access, peer)):
> +                        if not is_known_rule(aa[profile][hat], 'ptrace', 
> PtraceRule(access, peer, log_event=True)):
>                              
> log_dict[aamode][profile][hat]['ptrace'][peer][access] = True
>  
>                  sig = prelog[aamode][profile][hat]['signal']
>                  for peer in sig.keys():
>                      for access in sig[peer].keys():
>                          for signal in sig[peer][access].keys():
> -                            if not is_known_rule(aa[profile][hat], 'signal', 
> SignalRule(access, signal, peer)):
> +                            if not is_known_rule(aa[profile][hat], 'signal', 
> SignalRule(access, signal, peer, log_event=True)):
>                                  
> log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True
>  
>  
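Review bot: The capability check at the top of this hunk is still gated on `aa[profile][hat].get('capability', False)`, so when that lookup is falsy the logged capability is never written to log_dict, whereas the network, ptrace and signal checks below all go through is_known_rule(). Since the line is being touched anyway, consider resolving the XXX comment here, or confirm that a profile without a capability entry is handled as intended. The patch also carries no test; a case that feeds collapse_log() a ptrace or signal peer containing characters that need escaping would show that `log_event=True` changes the match result in all four places.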
> 
> 
> Regards,
> 
> Christian Boltz
> 

