On Sun, Dec 27, 2015 at 04:13:15PM +0100, Christian Boltz wrote:
> Hello,
> 
> $subject.
> 
> In detail, this means:
> - handle ptrace events in logparser.py
> - "translate" those events in aa.py - from log (logparser.py readlog())
>   to prelog (handle_children()) to log_dict (collapse_log()))
> - finally ask the user about the ptrace in ask_the_questions()
>   (no code change needed there)
> 
> Note that these changes are not covered by tests, however they worked in
> a manual test with the log examples in the libapparmor testsuite.
> Unfortunately there's no example log for eavesdrop, so it might be a
> good idea to a) add such a log line and b) test with it
> 
> 
> 
> [ 60-add-logprof-support-for-dbus-events.diff ]

Heh, the text above was probably copy-pasted from a similar patch for
ptrace :) but otherwise looks good.

Acked-by: Seth Arnold <seth.arn...@canonical.com>

Thanks

> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-12-27 13:13:48.245063269 +0100
> +++ utils/apparmor/aa.py        2015-12-27 15:06:10.149844921 +0100
> @@ -1155,6 +1155,16 @@
>                      continue
>                  prelog[aamode][profile][hat]['capability'][capability] = True
>  
> +            elif typ == 'dbus':
> +                # If dbus then we (should) have pid, profile, hat, program, 
> mode, access, bus, name, path, interface, member, peer_profile
> +                pid, p, h, prog, aamode, access, bus, path, name, interface, 
> member, peer_profile = entry
> +                if not regex_nullcomplain.search(p) and not 
> regex_nullcomplain.search(h):
> +                    profile = p
> +                    hat = h
> +                if not profile or not hat:
> +                    continue
> +                
> prelog[aamode][profile][hat]['dbus'][access][bus][path][name][interface][member][peer_profile]
>  = True
> +
>              elif typ == 'ptrace':
>                  # If ptrace then we (should) have pid, profile, hat, 
> program, mode, access and peer
>                  pid, p, h, prog, aamode, access, peer = entry
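
Review bot: the comment in the new dbus branch lists the fields as "bus, name, path", but the unpack directly below it reads "bus, path, name", which is the order logparser.py emits (e['bus'], e['path'], e['name']). The code agrees with the producer; the comment does not. Please reorder the comment to match, since anyone extending this tuple will rely on it, and a swap of path and name would silently land in the wrong DbusRule slots.
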
> @@ -2489,6 +2499,28 @@
>                      if not is_known_rule(aa[profile][hat], 'capability', 
> cap_event):
>                          
> log_dict[aamode][profile][hat]['capability'].add(cap_event)
>  
> +                dbus = prelog[aamode][profile][hat]['dbus']
> +                for access in                               dbus:
> +                    for bus in                              dbus[access]:
> +                        for path in                         
> dbus[access][bus]:
> +                            for name in                     
> dbus[access][bus][path]:
> +                                for interface in            
> dbus[access][bus][path][name]:
> +                                    for member in           
> dbus[access][bus][path][name][interface]:
> +                                        for peer_profile in 
> dbus[access][bus][path][name][interface][member]:
> +                                            # Depending on the access type, 
> not all parameters are allowed.
> +                                            # Ignore them, even if some of 
> them appear in the log.
> +                                            # Also, the log doesn't provide 
> a peer label, therefore always use ALL.
> +                                            if access in ['send', 'receive']:
> +                                                dbus_event = 
> DbusRule(access, bus, path,            DbusRule.ALL,   interface,   member,   
>      peer_profile,   DbusRule.ALL, log_event=True)
> +                                            elif access == 'bind':
> +                                                dbus_event = 
> DbusRule(access, bus, DbusRule.ALL,    name,           DbusRule.ALL, 
> DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
> +                                            elif access == 'eavesdrop':
> +                                                dbus_event = 
> DbusRule(access, bus, DbusRule.ALL,    DbusRule.ALL,   DbusRule.ALL, 
> DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
> +                                            else:
> +                                                raise 
> AppArmorBug('unexpected dbus access: %s')
> +
> +                                            
> log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
> +
>                  nd = prelog[aamode][profile][hat]['netdomain']
>                  for family in nd.keys():
>                      for sock_type in nd[family].keys():
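
Review bot: in the final else branch, raise AppArmorBug('unexpected dbus access: %s') never fills in the %s, so the exception will not say which access value was seen; append % access. Separately, the comment states that the log doesn't provide a peer label and ALL is always used, yet for send/receive the peer_profile value taken from the log is passed in the seventh position and only the eighth is DbusRule.ALL. Please confirm that the seventh parameter is the one intended to receive peer_profile.
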
> === modified file ./utils/apparmor/logparser.py
> --- utils/apparmor/logparser.py 2015-12-27 13:13:48.245063269 +0100
> +++ utils/apparmor/logparser.py 2015-12-27 15:08:57.024735157 +0100
> @@ -377,6 +377,9 @@
>          elif e['operation'] == 'signal':
>              return(e['pid'], e['parent'], 'signal',
>                               [profile, hat, prog, aamode, e['denied_mask'], 
> e['signal'], e['peer']])
> +        elif e['operation'].startswith('dbus_'):
> +            return(e['pid'], e['parent'], 'dbus',
> +                             [profile, hat, prog, aamode, e['denied_mask'], 
> e['bus'], e['path'], e['name'], e['interface'], e['member'], 
> e['peer_profile']])
>          else:
>              self.debug_logger.debug('UNHANDLED: %s' % e)
>  
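
Review bot: the new dbus_ branch indexes e['bus'], e['path'], e['name'], e['interface'], e['member'] and e['peer_profile'] unconditionally, while the aa.py side notes that not all parameters apply to every access type. If the event dict is not pre-populated with these keys (not visible in this hunk), a bind or eavesdrop event lacking one of them would raise KeyError instead of reaching the UNHANDLED fallback. Either confirm the keys always exist or use e.get(...) here, and add a test log line for eavesdrop as the description already suggests.
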
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> programmers' biggest strength is that they're lazy bastards.
> [Claudio Freire in opensuse-factory]



> -- 
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/apparmor
