Hello, $subject.
Storing these event details only for some operation types makes things
more difficult, because it is hard to differentiate between file and
network events.
Note that this happens at the first log parsing stage (libapparmor log
event -> temporary python array) and therefore doesn't add a serious
memory footprint. The event tree will still only contain the elements
relevant for the actual event type.
This change means that lots of testcases now get 3 more fields (all
None) when testing parse_event(), so update all affected testcases.
(test-network doesn't need a change for probably obvious reasons.)
Also rename a misnamed test in test-change_profile.
I propose this patch for trunk and 2.10.
(2.9 logparser.py code is slightly different, and I don't want to risk
breaking it)
[ 01-logparser-always-store-protocol-family-sock_type.diff ]
=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2016-10-14 00:35:27.514276563 +0200
+++ utils/apparmor/logparser.py 2016-11-18 22:14:00.909027936 +0100
@@ -133,11 +133,11 @@
ev['denied_mask'] = event.denied_mask
ev['request_mask'] = event.requested_mask
ev['magic_token'] = event.magic_token
- if ev['operation'] and (self.op_type(ev['operation']) == 'net' or
event.net_protocol):
- ev['family'] = event.net_family
- ev['protocol'] = event.net_protocol
- ev['sock_type'] = event.net_sock_type
+ ev['family'] = event.net_family
+ ev['protocol'] = event.net_protocol
+ ev['sock_type'] = event.net_sock_type
+
- elif ev['operation'] and ev['operation'] == 'signal':
+ if ev['operation'] and ev['operation'] == 'signal':
ev['signal'] = event.signal
ev['peer'] = event.peer
elif ev['operation'] and ev['operation'] == 'ptrace':
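Review bot: The unconditional copies of `event.net_family`, `event.net_protocol` and `event.net_sock_type` at the top of the hunk carry no explanation of why network fields are now stored for every event, and the reasoning lives only in the mail text; add a comment above `ev['family'] = event.net_family` such as `# Always copy the network fields (None for non-network events) so every parsed event has the same key set; op_type() decides later which fields are relevant.` The changed `if ev['operation'] and ev['operation'] == 'signal':` line can drop the redundant truthiness test, since `ev['operation'] == 'signal'` already implies it: `if ev['operation'] == 'signal':`. One consequence worth confirming is that any downstream code that inferred "network event" from the presence of a `family` key in `ev` rather than from the operation would now misclassify file events, because the key is present everywhere; the mail states the event tree is unaffected, but that is not visible in this hunk. The enclosing function (presumably parse_event, per the mail) starts before and continues after the hunk.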
=== modified file ./utils/test/test-capability.py
--- utils/test/test-capability.py 2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-capability.py 2016-11-18 22:15:52.772516024 +0100
@@ -118,7 +118,10 @@
'task': 0,
'attr': None,
'name2': None,
- 'name': 'net_raw'
+ 'name': 'net_raw',
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)
=== modified file ./utils/test/test-change_profile.py
--- utils/test/test-change_profile.py 2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-change_profile.py 2016-11-18 22:15:24.688644552 +0100
@@ -92,7 +92,7 @@
ChangeProfileRule.parse(rawrule)
class ChangeProfileTestParseFromLog(ChangeProfileTest):
- def test_net_from_log(self):
+ def test_change_profile_from_log(self):
parser = ReadLog('', '', '', '', '')
event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED"
operation="change_profile" profile="/foo/changeprofile" pid=3459
comm="changeprofile" target="/foo/rename"'
@@ -106,7 +106,6 @@
'request_mask': None,
'denied_mask': None,
'error_code': 0,
- #'family': 'inet',
'magic_token': 0,
'parent': 0,
'profile': '/foo/changeprofile',
@@ -121,6 +120,9 @@
'attr': None,
'name2': '/foo/rename', # target
'name': None,
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
obj = ChangeProfileRule(None, ChangeProfileRule.ALL,
parsed_event['name2'], log_event=parsed_event)
=== modified file ./utils/test/test-dbus.py
--- utils/test/test-dbus.py 2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-dbus.py 2016-11-18 22:04:17.295650986 +0100
@@ -145,6 +145,9 @@
'path': '/org/freedesktop/DBus',
'interface': 'org.freedesktop.DBus',
'member': 'Hello',
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
# XXX send rules must not contain name conditional, but the log event includes
it - how should we handle this in logparser.py?
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-10-09 16:05:48.322715610 +0200
+++ utils/test/test-file.py 2016-11-18 22:16:15.708411051 +0100
@@ -158,6 +158,9 @@
'pid': 13726,
'task': 0,
'attr': None,
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
#FileRule# path, perms,
exec_perms, target, owner, file_keyword, leading_perms
=== modified file ./utils/test/test-logparser.py
--- utils/test/test-logparser.py 2015-10-03 17:18:12.740213942 +0200
+++ utils/test/test-logparser.py 2016-11-18 22:16:35.164322001 +0100
@@ -85,6 +85,9 @@
'resource': 'Failed name lookup - disconnected path',
'task': 0,
- 'time': 1424425690
+ 'time': 1424425690,
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event))
=== modified file ./utils/test/test-ptrace.py
--- utils/test/test-ptrace.py 2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-ptrace.py 2016-11-18 22:16:58.184216636 +0100
@@ -109,6 +109,9 @@
'attr': None,
'name2': None,
'name': None,
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
obj = PtraceRule(parsed_event['denied_mask'], parsed_event['peer'],
log_event=parsed_event)
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py 2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-signal.py 2016-11-18 22:04:53.759489041 +0100
@@ -114,6 +114,9 @@
'attr': None,
'name2': None,
'name': None,
+ 'family': None,
+ 'protocol': None,
+ 'sock_type': None,
})
obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'],
parsed_event['peer'], log_event=parsed_event)
Regards,
Christian Boltz
--
> Die M$-Kombination aus Server2003+Exchange ist meiner Meinung nach
> das einzig vernünftige Produkt von Billyboy.
Das muss der Grund sein, warum es bei Würmern und Trojanern so beliebt
ist. ["office" und Jens Benecke in suse-linux]
