[apparmor] [patch] let logparser.py parse_event() change disconnected path events to 'ERROR'

[Christian Boltz]

Hallo,

this patch changes logparser.py parse_event() so that it changes
disconnected path events to aamode 'ERROR'.

This means that aa-logprof will ignore the event instead of crashing with
    AppArmorException: 'Unexpected rank input: var/run/nscd/passwd'

Note that I made the check as specific as possible to be sure it doesn't
hide other events.

Ideally we should propose to add the attach_disconnected flag to the 
profile, but implementing that would be a much bigger patch ;-)

References: https://bugzilla.opensuse.org/show_bug.cgi?id=918787

I propose this patch for trunk and 2.9



[ logparser-ignore-disconnected-path-events.diff ]

=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2015-01-17 10:04:12 +0000
+++ utils/apparmor/logparser.py 2015-02-23 20:55:42 +0000
@@ -111,6 +111,7 @@
         ev['pid'] = event.pid
         ev['task'] = event.task
         ev['info'] = event.info
+        ev['error_code'] = event.error_code
         dmask = event.denied_mask
         rmask = event.requested_mask
         ev['magic_token'] = event.magic_token
@@ -162,6 +163,11 @@
             except KeyError:
                 ev['aamode'] = None
 
+        # "translate" disconnected paths to errors, which means the event will be ignored.
+        # XXX Ideally we should propose to add the attach_disconnected flag to the profile
+        if ev['error_code'] == 13 and ev['info'] == 'Failed name lookup - disconnected path':
+            ev['aamode'] = 'ERROR'
+
         if ev['aamode']:
             #debug_logger.debug(ev)
             return ev



Regards,

Christian Boltz
-- 
[SuSE 9.1] Und utf-8 saugt tote Hamster durch Strohhalme, selbst wenn
es funktioniert. [...] Und das alles nur, damit ich Klingonisch native
verarbeiten kann in meinem Rechner.
[http://blog.koehntopp.de/archives/317_Die+schlimmste+aller+Susen.html]