[apparmor] [patch] logparser.py parse_event(): always store family, protocol and sock_type

Christian Boltz apparmor at cboltz.de
Fri Nov 18 23:34:29 UTC 2016


Hello,

On Friday, 18 November 2016, 14:09:58 CET, Seth Arnold wrote:
> On Fri, Nov 18, 2016 at 10:39:10PM +0100, Christian Boltz wrote:
> > I propose this patch for trunk and 2.10.
> > (2.9 logparser.py code is slightly different, and I don't want to
> > risk breaking it)
> > 
> > 
> > [ 01-logparser-always-store-protocol-family-sock_type.diff ]
> > 
> > === modified file ./utils/apparmor/logparser.py
> > --- utils/apparmor/logparser.py	2016-10-14 00:35:27.514276563 +0200
> > +++ utils/apparmor/logparser.py	2016-11-18 22:14:00.909027936 
+0100
> > @@ -133,11 +133,11 @@
> > 
> >          ev['denied_mask'] = event.denied_mask
> >          ev['request_mask'] = event.requested_mask
> >          ev['magic_token'] = event.magic_token
> > 
> > -        if ev['operation'] and (self.op_type(ev['operation']) ==
> > 'net' or event.net_protocol): -            ev['family'] =
> > event.net_family
> > -            ev['protocol'] = event.net_protocol
> > -            ev['sock_type'] = event.net_sock_type
> > +        ev['family'] = event.net_family
> > +        ev['protocol'] = event.net_protocol
> > +        ev['sock_type'] = event.net_sock_type
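
Review bot: with the guard on the `-` lines gone, `ev['family']`, `ev['protocol']` and `ev['sock_type']` are now stored on every event, so a caller that told network events apart by key presence (`'family' in ev`) instead of by value will from now on see the key on file, signal and ptrace events too; such callers need `ev.get('family') is not None`. The three unconditional assignments also assume every libapparmor record exposes `net_family`, `net_protocol` and `net_sock_type` (as None for non-network events); since that was checked by tests rather than in the bindings, a one-line comment above the assignments stating that assumption would help the next reader.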
> 
> I haven't yet checked to see if we guarantee that these are
> initialized regardless of type. If you've already checked a reference
> would help :)

According to my tests (and test-libapparmor-test_multi.py ;-) which 
also tests the log-to-profile "translations") libapparmor seems to always 
set them to None (except for network events, where they obviously 
contain more useful values).

Also, logparser.py only uses those values when they make sense for the 
event type. For most event types, they get stored and ignored.

Note that I did not check the libapparmor code or the swig bindings ;-)

> > -        elif ev['operation'] and ev['operation'] == 'signal':
> > 
> > +        if ev['operation'] and ev['operation'] == 'signal':
> >              ev['signal'] = event.signal
> >              ev['peer'] = event.peer
> >          
> >          elif ev['operation'] and ev['operation'] == 'ptrace':
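Review bot: on the new `if` line, `ev['operation'] and ev['operation'] == 'signal'` (and the same pattern on the unchanged `ptrace` elif) carries a redundant truthiness guard: a None or empty operation already fails the `== 'signal'` comparison, so `if ev['operation'] == 'signal':` is equivalent and shorter. Changing the first `elif` to `if` is needed here, otherwise the now-unconditional network assignments above would leave no branch for signal and ptrace events.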
> So, I have to ask... why are these still special-cased? :)

Because they are not related to file or network events ;-) and I don't 
(yet?) see a need to always have them available.


Actually this patch is part one. The second part will bring some changes 
that are still small enough to be nearly risk-free, and that will finally 
fix some bugs (currently, we simply ignore the affected log events - 
better than a crash, but it still results in an incomplete profile).

I can foresee some more rewrites and cleanups in logparser.py - but 
let's first get 2.11 out, and do the big (and possibly risky) changes 
afterwards ;-)


Regards,

Christian Boltz
-- 
With TCPA all of that will be over. Not that Windows will run more
stably then, but at least the crashes will be certified.
[Matthias Houdek in linux-liste]
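The behavioural difference discussed in this thread, as an added example that is not part of the original mail or of AppArmor's code: a cut-down model of parse_event() before and after the quoted patch, run over constructed sample events. `RawEvent`, `make_event()` and `op_type()` are constructed stand-ins for the libapparmor swig record and the real logparser helper; the sample events are made up, not taken from a real audit log. The example shows why a consumer that tests for key presence behaves differently once the three network keys are always stored, while a consumer that tests the stored value behaves the same with either parser.

```python
"""Added example, not AppArmor's own code: model of the parse_event()
change from the quoted patch, to show what it does to consumers that
test for key *presence* rather than key *value*."""
from collections import namedtuple

# Constructed stand-in for the libapparmor swig record. The field names
# mirror the attributes read in the quoted hunk; libapparmor is said in
# the thread to leave the net_* ones as None for non-network events.
RawEvent = namedtuple(
    'RawEvent',
    'operation denied_mask requested_mask magic_token '
    'net_family net_protocol net_sock_type signal peer')


def make_event(operation, **fields):
    """Build a RawEvent with every optional attribute defaulted to None."""
    values = dict.fromkeys(RawEvent._fields[1:], None)
    values.update(fields)
    return RawEvent(operation, **values)


# Constructed approximation of logparser's op_type(); only what this
# example needs, the real helper knows more operation types.
NET_OPS = {'create', 'bind', 'connect', 'listen', 'accept',
           'sendmsg', 'recvmsg'}


def op_type(operation):
    return 'net' if operation in NET_OPS else 'file'


def _common(event):
    return {
        'operation': event.operation,
        'denied_mask': event.denied_mask,
        'request_mask': event.requested_mask,
        'magic_token': event.magic_token,
    }


def parse_event_before(event):
    """Behaviour of the '-' lines: net keys exist only for network events."""
    ev = _common(event)
    if ev['operation'] and (op_type(ev['operation']) == 'net'
                            or event.net_protocol):
        ev['family'] = event.net_family
        ev['protocol'] = event.net_protocol
        ev['sock_type'] = event.net_sock_type
    elif ev['operation'] == 'signal':
        ev['signal'] = event.signal
        ev['peer'] = event.peer
    return ev


def parse_event_after(event):
    """Behaviour of the '+' lines: the three net keys are always stored."""
    ev = _common(event)
    ev['family'] = event.net_family
    ev['protocol'] = event.net_protocol
    ev['sock_type'] = event.net_sock_type
    if ev['operation'] == 'signal':
        ev['signal'] = event.signal
        ev['peer'] = event.peer
    return ev


def is_net_by_presence(ev):
    """Consumer that relies on the key only existing for network events."""
    return 'family' in ev


def is_net_by_value(ev):
    """Consumer that looks at the stored value; works with either parser."""
    return ev.get('family') is not None


# Constructed sample events (not from a real log): a file open, a
# network sendmsg and a signal event.
SAMPLE_EVENTS = [
    make_event('open', denied_mask='r', requested_mask='r'),
    make_event('sendmsg', net_family='inet', net_protocol='tcp',
               net_sock_type='stream'),
    make_event('signal', signal='term', peer='/usr/bin/foo'),
]


def network_ops(parse, check, events=SAMPLE_EVENTS):
    """Operations that `check` classifies as network after `parse`."""
    return [ev['operation'] for ev in map(parse, events) if check(ev)]


if __name__ == '__main__':
    for parse in (parse_event_before, parse_event_after):
        for check in (is_net_by_presence, is_net_by_value):
            print(parse.__name__, check.__name__, network_ops(parse, check))
```

With the pre-patch parser both consumers agree that only `sendmsg` is a network event; with the post-patch parser the presence check reports all three events, while the value check still reports only `sendmsg`. That is the check to make in any code that reads these keys before the patch is merged.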