[apparmor] [patch] Ignore change_hat events with error=-1 and "unconfined can not change_hat"
Christian Boltz
apparmor at cboltz.de
Wed Feb 22 23:49:46 UTC 2017
Hello,
$subject.
That's much better than crashing aa-logprof ;-) (use the log line in
the added testcase if you want to see the crash)
Reported by pfak on IRC.
I propose this patch for trunk, 2.10 and 2.9.
[ 01-logparser-unconfined-change_hat.diff ]
--- utils/apparmor/logparser.py 2017-01-19 23:22:16.148279403 +0100
+++ utils/apparmor/logparser.py 2017-02-23 00:21:24.402771048 +0100
@@ -249,6 +249,8 @@
if e['operation'] == 'change_hat':
if aamode != 'HINT' and aamode != 'PERMITTING':
return None
+ if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat':
+ return None
profile = e['name2']
#hat = None
if '//' in e['name2']:
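Review bot: the new guard `if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat':` keys on the exact kernel info text, and it compares error_code against 1 although the raw audit line in the added test input carries error=-1 (the expected .out file confirms libapparmor reports it as ErrorCode: 1 with the sign dropped). Since the match is only as stable as that string, consider also checking the profile field, which the test line shows as profile="unconfined", and add a one-line comment above the check stating why the event is skipped (an unconfined process cannot change_hat, so there is nothing to record for any profile) and noting the sign normalisation, so the next reader does not take the 1 for a typo.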
=== added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 2017-02-22 23:15:02 +0000
@@ -0,0 +1,1 @@
+Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2"
=== added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out 2017-02-22 23:15:17 +0000
@@ -0,0 +1,12 @@
+START
+File: unconfined-change_hat.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1487719321.954:218
+Operation: change_hat
+Profile: unconfined
+Command: apache2
+Info: unconfined can not change_hat
+ErrorCode: 1
+PID: 19941
+Epoch: 1487719321
+Audit subid: 218
=== added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile'
--- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile 2017-02-22 23:20:06 +0000
@@ -0,0 +1,2 @@
+profile unconfined {
+}
Regards,
Christian Boltz
--
> > .domain.intern smpt:[mx.domain.intern]
> You surely mean smtp and not smpt. :-)
You don't know the "Senseless Mailinglist Protocol Typo"? ;-)
[> Michael Neufing and (>>) Gregor Hermens in postfixbuch-users]