Hello, 'change_hat' events have the target profile in 'name2', not in 'name' (which is None and therefore causes a crash when checking if it contains '//').
Also add the log event causing this crash to the libapparmor testsuite. References: https://bugs.launchpad.net/apparmor/+bug/1523297 I propose this patch for trunk, 2.10 and 2.9. [ 35-logparser-fix-change_hat-crash.diff ] === modified file ./utils/apparmor/logparser.py --- utils/apparmor/logparser.py 2015-12-08 19:30:43.210864711 +0100 +++ utils/apparmor/logparser.py 2015-12-08 22:32:35.942935356 +0100 @@ -260,10 +260,10 @@ if e['operation'] == 'change_hat': if aamode != 'HINT' and aamode != 'PERMITTING': return None - profile = e['name'] + profile = e['name2'] #hat = None - if '//' in e['name']: - profile, hat = e['name'].split('//')[:2] + if '//' in e['name2']: + profile, hat = e['name2'].split('//')[:2] if not hat: hat = profile === added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in --- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:37:50.613264112 +0100 +++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in 2015-12-08 22:04:34.079794942 +0100 @@ -0,0 +1 @@ +type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT" === added file ./libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out --- libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out 2015-12-08 22:37:52.369254773 +0100 +++ libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out 2015-12-08 22:04:52.459698695 +0100 
@@ -0,0 +1,11 @@ +START +File: testcase_changehat_01.in +Event type: AA_RECORD_ALLOWED +Audit ID: 1449442292.901:961 +Operation: change_hat +Profile: /usr/sbin/httpd{,2}-prefork +Command: httpd-prefork +Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT +PID: 8527 +Epoch: 1449442292 +Audit subid: 961

Regards,

Christian Boltz
--
Hm, frustration actually spurred me on in my early Linux days; I thought to myself, I'll show this junk heap of code who wears the trousers. Then again, I'm probably still flailing around here in a romper suit ;)
[Thorsten von Plotho-Kettner in suse-linux]
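Review bot: in the utils/apparmor/logparser.py hunk, the new check `'//' in e['name2']` fails the same way as the old one if a change_hat event ever arrives without a target, since `e['name2']` would then presumably be None just as `e['name']` is here. A guard such as `if e['name2'] and '//' in e['name2']:` (or returning None early when there is no target) would close that off. In the same hunk `#hat = None` stays commented out, so for a target without '//' the following `if not hat:` relies on `hat` having been bound earlier in the function, which this hunk does not show; restoring `hat = None` would make the branch self-contained.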
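Review bot: the added testcase_changehat_01.in/.out pair lives under libraries/libapparmor/testsuite/test_multi and checks only what libapparmor parses out of the event (Name2 set, no Name line), while the crash being fixed is in the Python change_hat branch of utils/apparmor/logparser.py. Unless the utils tests already consume the test_multi cases, nothing in this patch runs the event through that branch. Consider adding a utils-side test that feeds this log line to the parser and checks that the result splits into profile `/usr/sbin/httpd{,2}-prefork` and hat `HANDLING_UNTRUSTED_INPUT`, plus a second case whose target has no '//'.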
