[apparmor] [patch] [1/2] support 'owner' file events in logparser.py

Seth Arnold seth.arnold at canonical.com
Mon Jul 31 19:27:23 UTC 2017


On Sun, Jul 30, 2017 at 10:51:38PM +0200, Christian Boltz wrote:
> Hello,
> 
> logparser.py failed to notice if file events are owner-only in modern
> audit.log (using fsuid=... and ouid=...).
> 
> This patch adds a comparison of fsuid and ouid and marks file events
> as 'owner' if they match.
> 
> Note that log events without fsuid=... or ouid=... will have
> 18446744073709551615 as fsuid / ouid value (that's 2^64 - 1).
> 'None' would clearly be better ;-)
> 
> 
> References: https://bugs.launchpad.net/apparmor/+bug/1538340
> 
> 
> I propose this patch for trunk and 2.11
> (unfortunately it doesn't work on 2.10)
> 
> 
> [ 02-logparser-owner.diff ]
> 
> === modified file ./utils/apparmor/logparser.py
> --- utils/apparmor/logparser.py 2017-07-16 21:43:30.718865501 +0200
> +++ utils/apparmor/logparser.py 2017-07-30 21:56:10.829026386 +0200
> @@ -118,6 +118,10 @@
>          ev['protocol'] = event.net_protocol
>          ev['sock_type'] = event.net_sock_type
>  
> +        if event.ouid != 18446744073709551615:  # 2^64 - 1
> +            ev['fsuid'] = event.fsuid
> +            ev['ouid'] = event.ouid
> +

Why is this one UID handled magically?

>          if ev['operation'] and ev['operation'] == 'signal':
>              ev['signal'] = event.signal
>              ev['peer'] = event.peer
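Review bot: the guard `if event.ouid != 18446744073709551615:` tests only ouid, yet the block stores `event.fsuid` as well, so should a line ever carry ouid= without fsuid=, the 2^64 - 1 sentinel would be recorded as a real fsuid and later compared as one. Check both fields against the sentinel, and give the literal a name (a module-level constant carrying the `# 2^64 - 1` explanation) so the meaning of the magic value is not lost at the call site.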
> @@ -270,6 +274,13 @@
>              if not validate_log_mode(hide_log_mode(dmask)):
>                  raise AppArmorException(_('Log contains unknown mode %s') % dmask)
>  
> +            if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
> +                # mark as "owner" event
> +                if '::' not in rmask:
> +                    rmask = '%s::' % rmask
> +                if '::' not in dmask:
> +                    dmask = '%s::' % dmask
> +

Just to double-check, the whole test suite still runs after this change?
It feels kind of big :)

>              # convert rmask and dmask to mode arrays
>              # XXX log_str_to_mode() converts 'w' to 'aw', which later causes a conflict in FileRule
>              e['denied_mask'],  e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
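Review bot: `e['fsuid'] == e['ouid']` indexes fsuid directly while only `ouid` is looked up with `.get()`, so the condition relies on the earlier hunk always setting both keys together; use `e.get('fsuid')` in the same test so a missing fsuid yields a non-owner event instead of a KeyError. The `'::' not in rmask` / `'::' not in dmask` checks correctly avoid appending the marker twice, but a short comment noting that `'::'` is the owner marker handed on to log_str_to_mode() below would help readers who do not know the mask syntax.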
> === modified file ./utils/test/test-logparser.py
> --- utils/test/test-logparser.py        2016-11-18 22:34:24.699780229 +0100
> +++ utils/test/test-logparser.py        2017-07-30 21:53:41.609658482 +0200
> @@ -73,11 +73,13 @@
>              'attr': None,
>              'denied_mask': 'r',
>              'error_code': 13,
> +            'fsuid': 1002,
>              'info': 'Failed name lookup - disconnected path',
>              'magic_token': 0,
>              'name': 'var/run/nscd/passwd',
>              'name2': None,
>              'operation': 'file_mmap',
> +            'ouid': 0,
>              'parent': 0,
>              'pid': 25333,
>              'profile': '/sbin/klogd',
> 
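Review bot: the updated expectation has `'fsuid': 1002` and `'ouid': 0`, so this test only shows that the two fields are now exported; with differing uids the new owner branch is never taken and `'denied_mask': 'r'` is unchanged. Add a second event with matching fsuid/ouid that asserts the `'::'` marking on the resulting mask, and one without fsuid=/ouid= (the 2^64 - 1 sentinel) that asserts neither key is set.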

Thanks
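As an added illustration of the sentinel handling and the fsuid/ouid owner comparison discussed in this thread (not code from logparser.py, whose real parser uses LibAppArmor; the regex key/value parser and the sample log lines below are constructed stand-ins):

```python
import re

# Value reported for fsuid=/ouid= when the field is absent from the log line: 2^64 - 1.
MISSING_UID = 18446744073709551615

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Simplified parser for a constructed AppArmor audit.log line.
    Quoted values are unquoted; fsuid/ouid/pid are converted to int."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        value = value.strip('"')
        fields[key] = int(value) if key in ('fsuid', 'ouid', 'pid') else value
    # Missing fsuid/ouid arrive as the sentinel; map them to None instead of a fake uid.
    for key in ('fsuid', 'ouid'):
        if fields.get(key, MISSING_UID) == MISSING_UID:
            fields[key] = None
    return fields


def is_owner_event(ev):
    """True only when both uids are known and the process's fsuid owns the object."""
    fsuid, ouid = ev.get('fsuid'), ev.get('ouid')
    return fsuid is not None and ouid is not None and fsuid == ouid


def mark_owner(mask):
    """Append the '::' owner marker exactly once, as the patch does for rmask/dmask."""
    return mask if '::' in mask else '%s::' % mask


def denied_mask_for(line):
    """Denied mask for a log line, marked as an owner event when fsuid == ouid."""
    ev = parse_audit_line(line)
    mask = ev.get('denied_mask', '')
    return mark_owner(mask) if is_owner_event(ev) else mask


# Constructed sample lines, not real log data.
OWNER_LINE = ('type=AVC msg=audit(1501447272.1:42): apparmor="DENIED" operation="open" '
              'profile="/usr/bin/foo" name="/home/user/.bashrc" pid=1234 comm="foo" '
              'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')
NON_OWNER_LINE = OWNER_LINE.replace('fsuid=1000 ouid=1000', 'fsuid=1002 ouid=0')
LEGACY_LINE = OWNER_LINE.replace('fsuid=1000 ouid=1000',
                                 'fsuid=18446744073709551615 ouid=18446744073709551615')
```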