[apparmor] [patch] Fix handling of link events in aa-logprof
Seth Arnold
seth.arnold at canonical.com
Thu Jan 7 20:07:52 UTC 2016
On Thu, Jan 07, 2016 at 08:53:11PM +0100, Christian Boltz wrote:
> Fortunately the fix is easy - delete the code with the special handling
> for 'l' events, and the remaining code that handles other file
> permissions just works :-)
> aa-logprof -f <( echo 'Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 audit(1452136284.727:344): apparmor="ALLOWED" operation="link" profile="/usr/sbin/smbd" name="/foo" pid=10262 comm=616D617669736420286368362D3130 requested_mask="l" denied_mask="l" fsuid=110 ouid=110 target="/bar"')
>
> should ask to add '/foo l,' to the profile.

This fix seems useful for now, but it'd be _ideal_ if the link operations
would generate the two-argument link rules, like:

    link subset /foo -> /bar,

So I'll ACK this but consider what might be involved in preparing the
longer one..

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
> [ 63-fix-landling-of-link-events.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2016-01-07 20:20:08.794298255 +0100
> +++ utils/apparmor/aa.py 2016-01-07 20:20:39.186120312 +0100
> @@ -1218,25 +1218,7 @@
> else:
> do_execute = True
>
> - if mode & apparmor.aamode.AA_MAY_LINK:
> - regex_link = re.compile('^from (.+) to (.+)$')
> - match = regex_link.search(detail)
> - if match:
> - path = match.groups()[0]
> - target = match.groups()[1]
> -
> - frommode = str_to_mode('lr')
> - if prelog[aamode][profile][hat]['path'].get(path, False):
> - frommode |= prelog[aamode][profile][hat]['path'][path]
> - prelog[aamode][profile][hat]['path'][path] = frommode
> -
> - tomode = str_to_mode('lr')
> - if prelog[aamode][profile][hat]['path'].get(target, False):
> - tomode |= prelog[aamode][profile][hat]['path'][target]
> - prelog[aamode][profile][hat]['path'][target] = tomode
> - else:
> - continue
> - elif mode:
> + if mode:
> path = detail
>
> if prelog[aamode][profile][hat]['path'].get(path, False):
>
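Review bot: with the AA_MAY_LINK branch removed, nothing in this hunk records the link target any more; the old code added 'lr' for both `path` and `target`, while the remaining `if mode:` branch only sets `path = detail`. That matches the stated goal of proposing '/foo l,', but it is worth a short comment above `if mode:` saying that 'l' events are deliberately handled as ordinary path permissions and that the target is dropped until two-argument link rules are generated. The removed `else: continue` also means link events are no longer skipped when the 'from ... to ...' pattern does not match, so a regression test built from the sample audit line in the description (expecting '/foo l,') would pin down the new behaviour for trunk, 2.10 and 2.9.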
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160107/b1e67c87/attachment.pgp>
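An added example, not part of the original message and not aa-logprof's own code: it parses the audit line quoted above and builds both the single-path rule the patch leads to and the two-argument form suggested in the reply. The names parse_event, quote and link_rules are hypothetical, and the set of fields treated as hex-encoded strings is an assumption of this sketch.

```python
import re

# Constructed sample: the audit line from the message above.
SAMPLE = ('Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 '
          'audit(1452136284.727:344): apparmor="ALLOWED" operation="link" '
          'profile="/usr/sbin/smbd" name="/foo" pid=10262 '
          'comm=616D617669736420286368362D3130 requested_mask="l" '
          'denied_mask="l" fsuid=110 ouid=110 target="/bar"')

# String fields may arrive unquoted and hex-encoded when they contain spaces
# or other special characters; numeric fields such as pid must not be decoded.
STRING_FIELDS = {'profile', 'name', 'comm', 'target'}
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_event(line):
    """Return the key=value pairs of one AppArmor audit line as a dict."""
    event = {}
    for key, raw, quoted in PAIR.findall(line):
        if raw.startswith('"'):
            event[key] = quoted
        elif key in STRING_FIELDS and HEX.fullmatch(raw):
            event[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            event[key] = raw
    return event


def quote(path):
    """Wrap a path in double quotes if it contains whitespace."""
    return '"%s"' % path if re.search(r'\s', path) else path


def link_rules(event):
    """Return (single_path_rule, two_argument_rule), or None if not a link event."""
    if event.get('operation') != 'link' or 'l' not in event.get('denied_mask', ''):
        return None
    name, target = event.get('name'), event.get('target')
    if not name:
        return None
    simple = '%s l,' % quote(name)
    pair = 'link subset %s -> %s,' % (quote(name), quote(target)) if target else None
    return simple, pair


if __name__ == '__main__':
    print(link_rules(parse_event(SAMPLE)))
```
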