[apparmor] [patch] Ignore change_hat events with error=-1 and "unconfined can not change_hat"

Wed, 22 Feb 2017 15:51:07 -0800 

Hello,

$subject.
That's much better than crashing aa-logprof ;-)  (use the log line in
the added testcase if you want to see the crash)

Reported by pfak on IRC.


I propose this patch for trunk, 2.10 and 2.9.


[ 01-logparser-unconfined-change_hat.diff ]

--- utils/apparmor/logparser.py 2017-01-19 23:22:16.148279403 +0100
+++ utils/apparmor/logparser.py 2017-02-23 00:21:24.402771048 +0100
@@ -249,6 +249,8 @@
         if e['operation'] == 'change_hat':
             if aamode != 'HINT' and aamode != 'PERMITTING':
                 return None
+            if e['error_code'] == 1 and e['info'] == 'unconfined can not 
change_hat':
+                return None
             profile = e['name2']
             #hat = None
             if '//' in e['name2']:
=== added file 
'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err'
=== added file 
'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 
2017-02-22 23:15:02 +0000
@@ -0,0 +1,1 @@
+Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 
audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" 
info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 
comm="apache2"

=== added file 
'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out        
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out        
2017-02-22 23:15:17 +0000
@@ -0,0 +1,12 @@
+START
+File: unconfined-change_hat.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1487719321.954:218
+Operation: change_hat
+Profile: unconfined
+Command: apache2
+Info: unconfined can not change_hat
+ErrorCode: 1
+PID: 19941
+Epoch: 1487719321
+Audit subid: 218

=== added file 
'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile    
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile    
2017-02-22 23:20:06 +0000
@@ -0,0 +1,2 @@
+profile unconfined {
+}


Regards,

Christian Boltz
-- 
> > .domain.intern smpt:[mx.domain.intern]
> Du meinst sicher smtp und nicht smpt. :-)
Du kennst den "Senseless Mailinglist Protocol Typo" nicht? ;-)
[> Michael Neufing und (>>) Gregor Hermens in postfixbuch-users]

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to