Hello,

On Friday, 18 November 2016, 14:09:58 CET, Seth Arnold wrote:
> On Fri, Nov 18, 2016 at 10:39:10PM +0100, Christian Boltz wrote:
> > I propose this patch for trunk and 2.10.
> > (2.9 logparser.py code is slightly different, and I don't want to
> > risk breaking it)
> >
> >
> > [ 01-logparser-always-store-protocol-family-sock_type.diff ]
> >
> > === modified file ./utils/apparmor/logparser.py
> > --- utils/apparmor/logparser.py 2016-10-14 00:35:27.514276563 +0200
> > +++ utils/apparmor/logparser.py 2016-11-18 22:14:00.909027936 +0100
> > @@ -133,11 +133,11 @@
> >
> > ev['denied_mask'] = event.denied_mask
> > ev['request_mask'] = event.requested_mask
> > ev['magic_token'] = event.magic_token
> >
> > - if ev['operation'] and (self.op_type(ev['operation']) ==
> > 'net' or event.net_protocol): - ev['family'] =
> > event.net_family
> > - ev['protocol'] = event.net_protocol
> > - ev['sock_type'] = event.net_sock_type
> > + ev['family'] = event.net_family
> > + ev['protocol'] = event.net_protocol
> > + ev['sock_type'] = event.net_sock_type
>
> I haven't yet checked to see if we guarantee that these are
> initialized regardless of type. If you've already checked a reference
> would help :)
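Review bot: dropping the `self.op_type(ev['operation']) == 'net' or event.net_protocol` guard makes ev['family'], ev['protocol'] and ev['sock_type'] part of every event dict, so every consumer of these keys now has to tolerate None on non-network events; the hunk should say so where it happens (a one-line comment such as `# None unless this is a network event` above the three assignments), and the accompanying test should include at least one non-network event asserting that the three keys are present and None, since that is the libapparmor behaviour the change now relies on and the patch does not otherwise pin it down.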
According to my tests (and test-libapparmor-test_multi.py ;-) which
also tests the log to profile "translations"), libapparmor seems to
always set them to None (except for network events, where they
obviously contain more useful values).

Also, logparser.py only uses those values when they make sense for the
event type. For most event types, they get stored and ignored.

Note that I did not check the libapparmor code or the swig bindings ;-)

> > - elif ev['operation'] and ev['operation'] == 'signal':
> >
> > + if ev['operation'] and ev['operation'] == 'signal':
> > ev['signal'] = event.signal
> > ev['peer'] = event.peer
> >
> > elif ev['operation'] and ev['operation'] == 'ptrace':
>
> So, I have to ask.. why are these still special cased? :)

Because they are not related to file or network events ;-) and I don't
(yet?) see a need to always have them available.

Actually this patch is part one. The second part will bring some
changes that are still small enough to be nearly risk-free, and that
will finally fix some bugs (currently, we simply ignore the affected
log events - better than a crash, but it still results in an incomplete
profile).

I can foresee some more rewrites and cleanups in logparser.py - but
let's first get 2.11 out, and do the big (and possibly risky) changes
afterwards ;-)

Regards,

Christian Boltz
--
That will all be over with TCPA. Not that Windows will run more stably
then, but at least the crashes will be certified too.
[Matthias Houdek in linux-liste]
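Review bot: turning the signal branch from `elif` into `if` is required now that the network `if` it chained from is gone, but the condition `ev['operation'] and ev['operation'] == 'signal'` is redundant: `ev['operation'] == 'signal'` is already False when ev['operation'] is None or empty, so both this line and the unchanged `elif ev['operation'] and ev['operation'] == 'ptrace':` line could be reduced to the bare comparison while the branch is being touched.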
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
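The invariant discussed in the thread (family, protocol and sock_type are always present in the event dict, and None unless the line is a network event, while signal and ptrace fields stay special-cased) is easiest to see on real-looking input. The following is an added example written for this page; it is not code from the AppArmor project or from the patch. It uses a small hand-written key=value parser instead of libapparmor's parse_record, the three audit lines are constructed (paths, pids and timestamps are made up), and the rule_for() helper is a deliberately simplified stand-in for the log-to-profile translation, covering only file, network and signal events.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit lines, one file event, one network event and one
# signal event. The key=value layout follows the AppArmor audit format; the
# profile names, pids and timestamps are invented for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1479503640.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/etc/shadow" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1479503640.102:202): apparmor="DENIED" operation="create" profile="/usr/bin/foo" pid=1234 comm="foo" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1479503640.103:203): apparmor="DENIED" operation="signal" profile="/usr/bin/foo" pid=1234 comm="foo" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/bar"
"""

# key=value pairs, either key="quoted value" or key=bare-value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Event = Dict[str, Optional[str]]


def parse_line(line: str) -> Event:
    """Build the event dict that logparser.py hands to the profile code.

    Mirrors the patched behaviour: 'family', 'protocol' and 'sock_type' are
    always present and are None unless the line carried them (i.e. it was a
    network event). Signal and ptrace fields remain special-cased and only
    exist when the operation makes them meaningful.
    """
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted != '' else bare

    ev: Event = {
        'operation': fields.get('operation'),
        'profile': fields.get('profile'),
        'name': fields.get('name'),
        'request_mask': fields.get('requested_mask'),
        'denied_mask': fields.get('denied_mask'),
        # Always stored; None for every non-network event.
        'family': fields.get('family'),
        'protocol': fields.get('protocol'),
        'sock_type': fields.get('sock_type'),
    }
    if ev['operation'] == 'signal':
        ev['signal'] = fields.get('signal')
        ev['peer'] = fields.get('peer')
    elif ev['operation'] == 'ptrace':
        ev['peer'] = fields.get('peer')
    return ev


def parse_log(text: str) -> List[Event]:
    """Parse every non-empty line of an audit log excerpt."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rule_for(ev: Event) -> str:
    """Simplified log-to-profile translation (hypothetical helper).

    Because the network keys are guaranteed to exist, a consumer can test
    them directly instead of guarding with 'family' in ev; it only has to
    cope with None.
    """
    if ev['family'] is not None:
        return 'network %s %s,' % (ev['family'], ev['sock_type'])
    if ev['operation'] == 'signal':
        return 'signal (%s) set=(%s) peer=%s,' % (
            ev['request_mask'], ev['signal'], ev['peer'])
    if ev['name'] is not None:
        return '%s %s,' % (ev['name'], ev['request_mask'])
    return ''


if __name__ == '__main__':
    for event in parse_log(SAMPLE_LOG):
        print('%-8s family=%-5s sock_type=%-7s -> %s' % (
            event['operation'], event['family'], event['sock_type'],
            rule_for(event)))
```

Running it prints one rule per sample line; the file and signal events show family=None and sock_type=None, which is exactly what a consumer has to be prepared for once the keys are unconditionally stored.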
