[apparmor] [patch] logparser.py parse_event(): always store family, protocol and sock_type

Christian Boltz apparmor at cboltz.de
Fri Nov 18 21:39:10 UTC 2016


Hello,

$subject.

Storing these event details only for certain operation types makes
things harder, because it becomes difficult to differentiate between file
and network events.

Note that this happens at the first log parsing stage (libapparmor log
event -> temporary python array) and therefore doesn't add a serious
memory footprint. The event tree will still only contain the elements
relevant for the actual event type.

This change means that lots of testcases now get 3 more fields (all
None) when testing parse_event(), so update all affected testcases.
(test-network doesn't need a change for probably obvious reasons.)

Also rename a misnamed test in test-change_profile.


I propose this patch for trunk and 2.10.
(2.9 logparser.py code is slightly different, and I don't want to risk
breaking it)


[ 01-logparser-always-store-protocol-family-sock_type.diff ]

=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py	2016-10-14 00:35:27.514276563 +0200
+++ utils/apparmor/logparser.py	2016-11-18 22:14:00.909027936 +0100
@@ -133,11 +133,11 @@
         ev['denied_mask'] = event.denied_mask
         ev['request_mask'] = event.requested_mask
         ev['magic_token'] = event.magic_token
-        if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
-            ev['family'] = event.net_family
-            ev['protocol'] = event.net_protocol
-            ev['sock_type'] = event.net_sock_type
+        ev['family'] = event.net_family
+        ev['protocol'] = event.net_protocol
+        ev['sock_type'] = event.net_sock_type
+
-        elif ev['operation'] and ev['operation'] == 'signal':
+        if ev['operation'] and ev['operation'] == 'signal':
             ev['signal'] = event.signal
             ev['peer'] = event.peer
         elif ev['operation'] and ev['operation'] == 'ptrace':
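Review bot: The three net fields are now always written into `ev`, so for non-network events the keys exist with a value of None where they were previously absent; any downstream code that tests key presence (`'family' in ev`) rather than the value would change behaviour, which the description suggests is handled in the event-tree stage but is worth confirming. The reason for storing them unconditionally is only in the commit message, so a comment above the three assignments would help: `# always stored (None for non-network events) so later stages can tell file and network events apart`. The surviving condition `if ev['operation'] and ev['operation'] == 'signal':` keeps a truthiness test the equality already implies; `if ev['operation'] == 'signal':` reads cleaner, and the same form remains on the `elif ... == 'ptrace'` line. parse_event starts and ends outside this hunk.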
=== modified file ./utils/test/test-capability.py
--- utils/test/test-capability.py	2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-capability.py	2016-11-18 22:15:52.772516024 +0100
@@ -118,7 +118,10 @@
             'task': 0,
             'attr': None,
             'name2': None,
-            'name': 'net_raw'
+            'name': 'net_raw',
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)
=== modified file ./utils/test/test-change_profile.py
--- utils/test/test-change_profile.py	2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-change_profile.py	2016-11-18 22:15:24.688644552 +0100
@@ -92,7 +92,7 @@
             ChangeProfileRule.parse(rawrule)
 
 class ChangeProfileTestParseFromLog(ChangeProfileTest):
-    def test_net_from_log(self):
+    def test_change_profile_from_log(self):
         parser = ReadLog('', '', '', '', '')
 
         event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="change_profile" profile="/foo/changeprofile" pid=3459 comm="changeprofile" target="/foo/rename"'
@@ -106,7 +106,6 @@
             'request_mask': None,
             'denied_mask': None,
             'error_code': 0,
-            #'family': 'inet',
             'magic_token': 0,
             'parent': 0,
             'profile': '/foo/changeprofile',
@@ -121,6 +120,9 @@
             'attr': None,
             'name2': '/foo/rename', # target
             'name': None,
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         obj = ChangeProfileRule(None, ChangeProfileRule.ALL, parsed_event['name2'], log_event=parsed_event)
=== modified file ./utils/test/test-dbus.py
--- utils/test/test-dbus.py	2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-dbus.py	2016-11-18 22:04:17.295650986 +0100
@@ -145,6 +145,9 @@
             'path': '/org/freedesktop/DBus',
             'interface': 'org.freedesktop.DBus',
             'member': 'Hello',
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
 # XXX send rules must not contain name conditional, but the log event includes it - how should we handle this in logparser.py?
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py	2016-10-09 16:05:48.322715610 +0200
+++ utils/test/test-file.py	2016-11-18 22:16:15.708411051 +0100
@@ -158,6 +158,9 @@
             'pid': 13726,
             'task': 0,
             'attr': None,
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         #FileRule#     path,                 perms,                         exec_perms, target,         owner,  file_keyword,   leading_perms
=== modified file ./utils/test/test-logparser.py
--- utils/test/test-logparser.py	2015-10-03 17:18:12.740213942 +0200
+++ utils/test/test-logparser.py	2016-11-18 22:16:35.164322001 +0100
@@ -85,6 +85,9 @@
             'resource': 'Failed name lookup - disconnected path',
             'task': 0,
-            'time': 1424425690
+            'time': 1424425690,
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event))
=== modified file ./utils/test/test-ptrace.py
--- utils/test/test-ptrace.py	2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-ptrace.py	2016-11-18 22:16:58.184216636 +0100
@@ -109,6 +109,9 @@
             'attr': None,
             'name2': None,
             'name': None,
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         obj = PtraceRule(parsed_event['denied_mask'], parsed_event['peer'], log_event=parsed_event)
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py	2016-10-01 21:00:58.949770000 +0200
+++ utils/test/test-signal.py	2016-11-18 22:04:53.759489041 +0100
@@ -114,6 +114,9 @@
             'attr': None,
             'name2': None,
             'name': None,
+            'family': None,
+            'protocol': None,
+            'sock_type': None,
         })
 
         obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'], parsed_event['peer'], log_event=parsed_event)



Regards,

Christian Boltz
-- 
> Die M$-Kombination aus Server2003+Exchange ist meiner Meinung nach
> das einzig vernünftige Produkt von Billyboy.
Das muss der Grund sein, warum es bei Würmern und Trojanern so beliebt
ist. ["office" und Jens Benecke in suse-linux]