[apparmor] [patch] let logparser.py ignore file_inherit events without request_mask
Christian Boltz
apparmor at cboltz.de
Wed Oct 28 21:50:16 UTC 2015
Hello,
On Thursday, 29 October 2015, Kshitij Gupta wrote:
> On Fri, Oct 23, 2015 at 3:31 PM, Christian Boltz wrote:
> > BTW: when I test the log entry
> >
> > Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400
> > audit(1445522258.769:1054): apparmor="DENIED"
> > operation="file_inherit"
> > profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407
> > comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram"
> > protocol=17
> >
> > with test_multi.multi, it tells me
> >
> > Event type: AA_RECORD_INVALID
> >
> > Is that really the expected result?
>
> I'll let someone else take a stab at answering this.
After some discussion on #apparmor with John, I found out that it uses a
log format that is not supported by libapparmor, and that the reporter
probably used libapparmor from 2.8 (!).
I added the log format to
https://bugs.launchpad.net/apparmor/+bug/1453300
which is already a collection of some unsupported log formats.
(Getting them fixed for 2.10.1 and 2.9.3 would be nice ;-)
> > + if e['operation'] in ['file_perm', 'file_inherit'] and
> > e['request_mask'] is None:
> > self.debug_logger.debug('UNHANDLED (missing
> > request_mask): %s' % e)
> > return None
> >
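Review bot: In the added `if`, an event whose `request_mask` is None is dropped with only a `debug_logger.debug` message, so denied `file_perm` / `file_inherit` events without a mask disappear without any user-visible trace. A short comment above the condition saying why these two operations can arrive without a request_mask would help, as would hoisting `['file_perm', 'file_inherit']` into a named module-level constant so the next maskless operation is added in one place. If `request_mask` can ever be absent from `e` rather than set to None, `e.get('request_mask')` would avoid a KeyError on this line.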
> Ideally we should have: STRANGE_OPERATIONS_WITHOUT_MASKS =
> ['file_perm', 'file_inherit']
> (I thought of calling it *Stanley Ipkiss*[1], but am open to other
> options too.)
;-)
> followed by: if e['operation'] in STRANGE_OPERATIONS_WITHOUT_MASKS and
> e['request_mask'] is None.
>
> With/without the change.
I committed it unchanged.
In the long term, I could imagine checking the event details - something
like "looks like a network event (has family, sock_type etc.), so let's
assume it's a network event asking for inet6 dgram".
Regards,
Christian Boltz
--
>Is there actually anyone else on this list besides me??
No, but there are some robots running that fake traffic. I am
one of them too.
[Tobias Korb and Thorsten Haude in suse-programming]
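The long-term idea in the message above (treat a maskless `file_inherit` event as a network event when it carries `family` and `sock_type`) could look like the following added example, which is not code from the AppArmor project or from this thread. The regex parser stands in for libapparmor, and `parse_event`, `classify`, `NET_KEYS` and `MASKLESS_OPS` are hypothetical names.

```python
import re

# Constructed from the log entry quoted in this thread, joined onto one line.
SAMPLE = ('Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400 '
          'audit(1445522258.769:1054): apparmor="DENIED" operation="file_inherit" '
          'profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407 '
          'comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram" '
          'protocol=17')

# key=value pairs; the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MASKLESS_OPS = ('file_perm', 'file_inherit')
# Assumption: an event carrying both of these fields describes a socket.
NET_KEYS = ('family', 'sock_type')


def parse_event(line):
    """Return the key=value fields of an audit line as a dict, quotes stripped."""
    event = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        event[key] = value
    return event


def classify(event):
    """Triage one event: ('normal' | 'network' | 'unhandled', detail)."""
    op = event.get('operation')
    if op not in MASKLESS_OPS or event.get('request_mask') is not None:
        return ('normal', None)          # regular handling applies
    if all(event.get(k) for k in NET_KEYS):
        # Looks like an inherited socket: report it as a network request.
        return ('network', '%s %s' % (event['family'], event['sock_type']))
    return ('unhandled', None)           # same outcome as the committed patch


if __name__ == '__main__':
    print(classify(parse_event(SAMPLE)))
```
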