[apparmor] [patch] let logparser.py parse_event() change disconnected path events to 'ERROR'

Steve Beattie steve at nxnw.org
Sat Feb 28 08:22:14 UTC 2015


On Mon, Feb 23, 2015 at 10:04:28PM +0100, Christian Boltz wrote:
> Hello,
> 
> this patch changes logparser.py parse_event() so that it changes
> disconnected path events to aamode 'ERROR'.
> 
> This means that aa-logprof will ignore the event instead of crashing with
>     AppArmorException: 'Unexpected rank input: var/run/nscd/passwd'
> 
> Note that I made the check as specific as possible to be sure it doesn't
> hide other events.
> 
> Ideally we should propose to add the attach_disconnected flag to the 
> profile, but implementing that would be a much bigger patch ;-)
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=918787
> 
> I propose this patch for trunk and 2.9

Acked-by: Steve Beattie <steve at nxnw.org> for trunk if the following fix
is added to test/test-capability.py so that the tests succeed:
---
 utils/test/test-capability.py |    1 +
 1 file changed, 1 insertion(+)

Index: b/utils/test/test-capability.py
===================================================================
--- a/utils/test/test-capability.py
+++ b/utils/test/test-capability.py
@@ -104,6 +104,7 @@ class CapabilityTest(unittest.TestCase):
         self.assertEqual(parsed_event, {
             'request_mask': set(),
             'denied_mask': set(),
+            'error_code': 0,
             'magic_token': 0,
             'parent': 0,
             'profile': '/bin/ping',
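
Review bot: The added expectation `'error_code': 0` only covers an event without an error, so nothing in this test change exercises the new disconnected path branch in parse_event(). Consider adding a test case whose event carries error_code 13 and the info string 'Failed name lookup - disconnected path', asserting that the parsed event comes back with aamode 'ERROR', so the behaviour aa-logprof relies on is pinned down.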

> === modified file 'utils/apparmor/logparser.py'
> --- utils/apparmor/logparser.py 2015-01-17 10:04:12 +0000
> +++ utils/apparmor/logparser.py 2015-02-23 20:55:42 +0000
> @@ -111,6 +111,7 @@
>          ev['pid'] = event.pid
>          ev['task'] = event.task
>          ev['info'] = event.info
> +        ev['error_code'] = event.error_code
>          dmask = event.denied_mask
>          rmask = event.requested_mask
>          ev['magic_token'] = event.magic_token
> @@ -162,6 +163,11 @@
>              except KeyError:
>                  ev['aamode'] = None
>  
> +        # "translate" disconnected paths to errors, which means the event will be ignored.
> +        # XXX Ideally we should propose to add the attach_disconnected flag to the profile
> +        if ev['error_code'] == 13 and ev['info'] == 'Failed name lookup - disconnected path':
> +            ev['aamode'] = 'ERROR'
> +
>          if ev['aamode']:
>              #debug_logger.debug(ev)
>              return ev
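
Review bot: In the new `if ev['error_code'] == 13 and ev['info'] == ...` check, the 13 is a bare magic number and the event is reclassified without any trace. If 13 is meant as EACCES, a named constant or a short comment saying so would make the condition self-explanatory. Since the XXX comment notes that the real remedy is the attach_disconnected flag, a debug_logger line recording that a disconnected path event was turned into 'ERROR' would also give users a hint about why the event never shows up in aa-logprof.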

Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/