On Sun, Dec 27, 2015 at 04:13:15PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> In detail, this means:
> - handle ptrace events in logparser.py
> - "translate" those events in aa.py - from log (logparser.py readlog())
>   to prelog (handle_children()) to log_dict (collapse_log()))
> - finally ask the user about the ptrace in ask_the_questions()
>   (no code change needed there)
>
> Note that these changes are not covered by tests, however they worked in
> a manual test with the log examples in the libapparmor testsuite.
> Unfortunately there's no example log for eavesdrop, so it might be a
> good idea to a) add such a log line and b) test with it
>
>
>
> [ 60-add-logprof-support-for-dbus-events.diff ]
Heh, the text above was probably copy-pasted from a similar patch for ptrace :) but otherwise looks good. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > === modified file ./utils/apparmor/aa.py > --- utils/apparmor/aa.py 2015-12-27 13:13:48.245063269 +0100 > +++ utils/apparmor/aa.py 2015-12-27 15:06:10.149844921 +0100 > @@ -1155,6 +1155,16 @@ > continue > prelog[aamode][profile][hat]['capability'][capability] = True > > + elif typ == 'dbus': > + # If dbus then we (should) have pid, profile, hat, program, > mode, access, bus, name, path, interface, member, peer_profile > + pid, p, h, prog, aamode, access, bus, path, name, interface, > member, peer_profile = entry > + if not regex_nullcomplain.search(p) and not > regex_nullcomplain.search(h): > + profile = p > + hat = h > + if not profile or not hat: > + continue > + > prelog[aamode][profile][hat]['dbus'][access][bus][path][name][interface][member][peer_profile] > = True > + > elif typ == 'ptrace': > # If ptrace then we (should) have pid, profile, hat, > program, mode, access and peer > pid, p, h, prog, aamode, access, peer = entry 
> @@ -2489,6 +2499,28 @@ > if not is_known_rule(aa[profile][hat], 'capability', > cap_event): > > log_dict[aamode][profile][hat]['capability'].add(cap_event) > > + dbus = prelog[aamode][profile][hat]['dbus'] > + for access in dbus: > + for bus in dbus[access]: > + for path in > dbus[access][bus]: > + for name in > dbus[access][bus][path]: > + for interface in > dbus[access][bus][path][name]: > + for member in > dbus[access][bus][path][name][interface]: > + for peer_profile in > dbus[access][bus][path][name][interface][member]: > + # Depending on the access type, > not all parameters are allowed. > + # Ignore them, even if some of > them appear in the log. > + # Also, the log doesn't provide > a peer label, therefore always use ALL. > + if access in ['send', 'receive']: > + dbus_event = > DbusRule(access, bus, path, DbusRule.ALL, interface, member, > peer_profile, DbusRule.ALL, log_event=True) > + elif access == 'bind': > + dbus_event = > DbusRule(access, bus, DbusRule.ALL, name, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, log_event=True) > + elif access == 'eavesdrop': > + dbus_event = > DbusRule(access, bus, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, log_event=True) > + else: > + raise > AppArmorBug('unexpected dbus access: %s') > + > + > log_dict[aamode][profile][hat]['dbus'].add(dbus_event) > + > nd = prelog[aamode][profile][hat]['netdomain'] > for family in nd.keys(): > for sock_type in nd[family].keys(): > === modified file ./utils/apparmor/logparser.py > --- utils/apparmor/logparser.py 2015-12-27 13:13:48.245063269 +0100 > +++ utils/apparmor/logparser.py 2015-12-27 15:08:57.024735157 +0100 
> @@ -377,6 +377,9 @@ > elif e['operation'] == 'signal': > return(e['pid'], e['parent'], 'signal', > [profile, hat, prog, aamode, e['denied_mask'], > e['signal'], e['peer']]) > + elif e['operation'].startswith('dbus_'): > + return(e['pid'], e['parent'], 'dbus', > + [profile, hat, prog, aamode, e['denied_mask'], > e['bus'], e['path'], e['name'], e['interface'], e['member'], > e['peer_profile']]) > else: > self.debug_logger.debug('UNHANDLED: %s' % e) > > > > Regards, > > Christian Boltz > -- > programmers' biggest strength is that they're lazy bastards. > [Claudio Freire in opensuse-factory] > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
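Review bot: In the aa.py hunk at @@ -1155, the comment lists the fields as "access, bus, name, path, interface" while the unpack directly below it reads "access, bus, path, name, interface", which is also the order the logparser.py hunk returns them in. Please reorder the comment to bus, path, name so it matches the tuple; with twelve positional fields, a misleading comment is an easy way to get path and name swapped in a later change.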
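Review bot: In the aa.py hunk at @@ -2489, the else branch raises AppArmorBug('unexpected dbus access: %s') without interpolating anything, so the error would show a literal %s instead of the offending value; it should be 'unexpected dbus access: %s' % access. In the send/receive branch, peer_profile is passed in the position just before the final DbusRule.ALL while the comment says the peer label is always ALL; please confirm that the peer_profile value from the log is meant to fill that parameter and not the peer label.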
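Review bot: In the logparser.py hunk at @@ -377, the new dbus_ branch indexes e['bus'], e['path'], e['name'], e['interface'], e['member'] and e['peer_profile'] directly, yet the aa.py side treats several of these as not applicable for bind and eavesdrop. If the event dict does not always carry every key, this raises KeyError on a valid log line, so either confirm the keys are always present or read them with e.get(). Since the cover text says there is no eavesdrop sample log and no test coverage, adding one log line per access type to the test suite would settle this.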