[apparmor] [PATCH] utils: Ignore unsupported log events
Tyler Hicks
tyhicks at canonical.com
Sat Oct 26 03:48:49 UTC 2013
The log parsing in the Immunix::AppArmor perl module has fallen behind
when it comes to audit events from some of the newer rule types
supported by apparmor_parser.
When an unsupported event is found, it causes aa-logprof to error out.
This patch creates a list of valid, but unsupported, event operations
that should be ignored by the perl module when parsing logs.
https://launchpad.net/bugs/1243932
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
utils/Immunix/AppArmor.pm | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/utils/Immunix/AppArmor.pm b/utils/Immunix/AppArmor.pm
index 01b82c8..23c2a1a 100755
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -6714,6 +6714,11 @@ sub parse_event($) {
LibAppArmor::free_record($event);
+ if ($ev{'operation'} && $ev{'operation'} =~ /^(capable|dbus|mount|pivotroot|umount)/) {
+ $DEBUGGING && debug("parser_event: previous event IGNORED");
+ return( undef );
+ }
+
#map new c and d to w as logprof doesn't support them yet
if ($rmask) {
$rmask =~ s/c/w/g;
--
1.8.3.2
More information about the AppArmor
mailing list