Hello, Am Donnerstag, 29. Oktober 2015 schrieb Kshitij Gupta: > On Fri, Oct 23, 2015 at 3:31 PM, Christian Boltz wrote: > > BTW: when I test the log entry > > > > Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400 > > > > audit(1445522258.769:1054): apparmor="DENIED" > > operation="file_inherit" > > profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407 > > comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram" > > protocol=17 > > with test_multi.multi, it tells me > > > > Event type: AA_RECORD_INVALID > > > > Is that really the expected result? > > I'll let someone else take a stab at answering this.
After some discussion on #apparmor with John, I found out that it uses a log format that is not supported by libapparmor, and that the reporter probably used libapparmor from 2.8 (!). I added the log format to https://bugs.launchpad.net/apparmor/+bug/1453300 which is already a collection of some unsupported log formats. (Getting them fixed for 2.10.1 and 2.9.3 would be nice ;-) > > + if e['operation'] in ['file_perm', 'file_inherit'] and > > e['request_mask'] is None: > > self.debug_logger.debug('UNHANDLED (missing > > request_mask): %s' % e) > > return None > > > Ideally we should have: STRANGE_OPERATIONS_WITHOUT_MASKS = > ['file_perm', 'file_inherit'] > (I thought of calling it *Stanley Ipkiss*[1], but am open to other > options too.) ;-) > followed by: if e['operation'] in STRANGE_OPERATIONS_WITHOUT_MASKS and > e['request_mask'] is None. > > With/without the change. I commited it unchanged. On the long term, I could imagine to check the event details - something like "looks like a network event (has family, sock_type etc.), so let's assume it's a network event asking for inet6 dgram". Regards, Christian Boltz -- >Gibt es hier in dieser Liste eigentlich ausser mir noch jemanden ?? Nein, aber es laufen einige Robots, die Traffic vortäuschen. Ich bin auch einer davon. [Tobias Korb und Thorsten Haude in suse-programming] -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
