Hello, (garbage) ptrace events like ... apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target="" cause an empty name2 field, which leads to a crash in the tools.
This patch lets logparser.py ignore such garbage log events, which also avoids the crash. As usual, add some testcases. test-libapparmor-test_multi.py needs some special handling to ignore the empty name2 field in one of the testcases. References: https://bugs.launchpad.net/apparmor/+bug/1689667 I propose this patch for trunk and 2.11. Older releases can't handle ptrace log events and therefore can't crash ;-) As a sidenote - it would be nice if libapparmor would translate ptrace events with target="" to AA_RECORD_INVALID ;-) [ 01-ptrace-garbage-lp1689667.diff ] === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.err' === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in' --- libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in 2017-05-19 18:28:48 +0000 @@ -0,0 +1,1 @@ +type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target="" === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out' --- libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out 2017-05-19 19:00:53 +0000 @@ -0,0 +1,11 @@ +START +File: ptrace_garbage_lp1689667_1.in +Event type: AA_RECORD_DENIED +Audit ID: 1494272099.261:3455 +Operation: ptrace +Profile: /bin/netstat +Command: netstat +Name2: +PID: 1962 +Epoch: 1494272099 +Audit subid: 3455 === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile' --- libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile 2017-05-19 18:35:42 +0000 
@@ -0,0 +1,2 @@ +/bin/netstat { +} === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.err' === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in' --- libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in 2017-05-19 18:42:19 +0000 @@ -0,0 +1,1 @@ +type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=8022C0FF81A0FFFF8022C0FF81A0FFFF1080CBFF81A0FFFF1080CBFF81A0FFFF2080CBFF81A0FFFF2080CBFF81A0FFFF9E03 === added file 'libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out' --- libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out 2017-05-19 18:42:37 +0000 @@ -0,0 +1,10 @@ +START +File: ptrace_garbage_lp1689667_2.in +Event type: AA_RECORD_INVALID +Audit ID: 1494272099.261:3455 +Operation: ptrace +Profile: /bin/netstat +Command: netstat +PID: 1962 +Epoch: 1494272099 +Audit subid: 3455 === modified file 'utils/apparmor/logparser.py' --- utils/apparmor/logparser.py 2017-02-23 00:00:36 +0000 +++ utils/apparmor/logparser.py 2017-05-19 18:41:31 +0000 @@ -338,6 +338,10 @@ return(e['pid'], e['parent'], 'unknown_hat', [profile, hat, aamode, hat]) elif e['operation'] == 'ptrace': + if not e['peer']: + self.debug_logger.debug('ignored garbage ptrace event with empty peer') + return None + return(e['pid'], e['parent'], 'ptrace', [profile, hat, prog, aamode, e['denied_mask'], e['peer']]) elif e['operation'] == 'signal': === modified file 'utils/test/test-libapparmor-test_multi.py' --- utils/test/test-libapparmor-test_multi.py 2017-03-02 21:21:53 +0000 +++ utils/test/test-libapparmor-test_multi.py 2017-05-19 19:00:14 +0000 
@@ -66,6 +66,8 @@ pass elif parsed_items['operation'] == 'exec' and label in ['sock_type', 'family', 'protocol']: pass # XXX 'exec' + network? really? + elif parsed_items['operation'] == 'ptrace' and label == 'name2' and params.endswith('/ptrace_garbage_lp1689667_1'): + pass # libapparmor would better qualify this case as invalid event elif not parsed_items.get(label, None): raise Exception('parsed_items[%s] not set' % label) elif not expected.get(label, None): Regards, Christian Boltz -- [Virus scanner] Instead, a Windows workstation should have a good, self-updating local scanner that makes the Windows box really nice and slow when opening files, so as to motivate the Windows user to switch to Linux. [Kristian Koehntopp in suse-linux]
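Review bot: In the logparser.py hunk, `if not e['peer']:` drops the record with only a debug-level message, so a normal run that hits this kernel bug gives the user no indication that events were discarded; consider counting ignored records or logging at a level that is shown by default. The `elif e['operation'] == 'signal':` branch directly below is not guarded; if it passes `e['peer']` through in the same way, it would want the same empty-peer check.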
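Review bot: In the test-libapparmor-test_multi.py hunk, `params.endswith('/ptrace_garbage_lp1689667_1')` hard-codes one test file name into the generic field-comparison loop, so every further garbage sample would need another copy of this line. Keying the exception on the data instead (skip `name2` when the expected value from the .out file is empty, or keep a small set of known-invalid cases next to the existing `exec` exception) keeps the loop generic. Since the inline comment already says libapparmor should report this as an invalid event, a reference to lp1689667 in that comment would make the special case easy to find and drop once libapparmor does.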
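The sidenote above asks libapparmor to report ptrace events with an empty target as AA_RECORD_INVALID. The following is an added illustration, not code from the patch or from AppArmor: a small parser for the audit lines shown in the two test cases that classifies a ptrace record as invalid when its target is empty or is an unquoted blob like the hex string in the second sample (the unquoted rule is my assumption; the page only shows that libapparmor reports that case as invalid), and a triage helper that keeps a count of dropped records instead of discarding them silently.

```python
import re

# Constructed sample lines: the two from the test cases above plus one
# well-formed ptrace denial (assumed target value, not from the page).
LOG_LINES = [
    'type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" '
    'profile="/bin/netstat" pid=1962 comm="netstat" target=""',
    'type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" '
    'profile="/bin/netstat" pid=1962 comm="netstat" target=8022C0FF81A0FFFF9E03',
    'type=AVC msg=audit(1494272100.001:3456): apparmor="DENIED" operation="ptrace" '
    'profile="/bin/netstat" pid=1963 comm="netstat" target="/usr/bin/gdb"',
]

# key="quoted value"  or  key=bareword ; group 2 is the quoted form, group 3 the bare one
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_AUDIT_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')
_EVENT_TYPES = {'DENIED': 'AA_RECORD_DENIED', 'ALLOWED': 'AA_RECORD_ALLOWED',
                'AUDIT': 'AA_RECORD_AUDIT', 'HINT': 'AA_RECORD_HINT',
                'STATUS': 'AA_RECORD_STATUS'}


def parse_audit_line(line):
    """Split an AppArmor audit line into {key: (value, was_quoted)}."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        # An empty quoted value ("") leaves both groups empty, so it lands in the else branch.
        fields[key] = (bare, False) if bare else (quoted, True)
    return fields


def classify(line):
    """Return a flat record with an 'event' type; garbage ptrace targets become AA_RECORD_INVALID."""
    fields = parse_audit_line(line)
    rec = {key: value for key, (value, _) in fields.items()}
    match = _AUDIT_RE.search(line)
    if match:
        rec['epoch'], rec['subid'] = int(match.group(1)), int(match.group(3))
    rec['event'] = _EVENT_TYPES.get(rec.get('apparmor'), 'AA_RECORD_INVALID')
    if rec.get('operation') == 'ptrace':
        target, quoted = fields.get('target', ('', False))
        # Empty target (the crash case) or an unquoted raw value: not a usable peer label.
        if target == '' or not quoted:
            rec['event'] = 'AA_RECORD_INVALID'
    return rec


def triage(lines):
    """Split lines into usable records and a count of invalid ones, so drops stay visible."""
    kept, dropped = [], 0
    for line in lines:
        rec = classify(line)
        if rec['event'] == 'AA_RECORD_INVALID':
            dropped += 1
        else:
            kept.append(rec)
    return kept, dropped
```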
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor