[apparmor] [patch] Ignore file_perm events without request_mask

[Christian Boltz]

Hello,

for some (not yet known) reason, we get file_perm events without
request_mask set, which causes an aa-logprof crash.

Reproducer log entry:
Jun 19 12:00:55 piorun kernel: [4475115.459952] audit: type=1400 audit(1434708055.676:19629): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2" pid=3512 comm="apache2" laddr=::ffff:193.0.236.159 lport=80 faddr=::ffff:192.168.103.80 fport=61985 family="inet6" sock_type="stream" protocol=6

This patch changes logparser.py to ignore those events.

References: https://bugs.launchpad.net/apparmor/+bug/1466812/


I propose this patch for trunk and 2.9.




[ 54-logparser-fileperm-without-request_mask-lp1466812.diff ]

=== modified file utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-04-03 17:41:51.355126519 +0200
+++ utils/apparmor/logparser.py 2015-06-21 20:36:30.170413044 +0200
@@ -253,6 +253,11 @@
                                 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
                                 'sysctl', 'getattr', 'setattr', 'xattr'] ):
 
+            # for some reason, we get file_perm log events without request_mask, see https://bugs.launchpad.net/apparmor/+bug/1466812/
+            if e['operation'] == 'file_perm' and e['request_mask'] is None:
+                self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e)
+                return
+
             # Map c (create) to a and d (delete) to w (logging is more detailed than the profile language)
             rmask = e['request_mask']
             rmask = rmask.replace('c', 'a')



Regards,

Christian Boltz
-- 
Gibt es ein Buch über das maßvolle Verwenden von Fußnoten?
Wenn ja, dann bin ich bereit, Dir ein Exemplar zu schicken.
[Thorsten Haude zu David Haller in sl-etikette]