On 12/08/2015 11:40 AM, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> In detail, this means:
> - handle ptrace events in logparser.py
> - "translate" those events in aa.py - from log (logparser.py readlog())
>   to prelog (handle_children()) to log_dict (collapse_log()) to
>   log_obj (ask_the_questions())
>   (yes, really! :-/ - needless to say that this is ugly...) [1]
> - finally ask the user about the ptrace in ask_the_questions()
>
> Also add a logparser test to test-ptrace.py to ensure the logparser step
> works as expected.
>
> Note that the aa.py changes are not covered by tests, however they
> worked in a manual test.
>
>
> If you want to test manually, try this (faked) log line:
> msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace"
> profile="/usr/sbin/smbd" pid=22465 comm="ptrace" requested_mask="trace"
> denied_mask="trace" peer="/foo/bar"
>
>
With [1] noted, my eyes, my poor eyes! Acked-by: John Johansen <[email protected]> > > [ 34-add-ptrace-support-to-logprof.diff ] > > === modified file ./utils/apparmor/aa.py > --- utils/apparmor/aa.py 2015-12-08 19:02:56.576044028 +0100 > +++ utils/apparmor/aa.py 2015-12-08 19:20:49.530494937 +0100 > @@ -1157,6 +1157,16 @@ > continue > prelog[aamode][profile][hat]['capability'][capability] = True > > + elif typ == 'ptrace': > + # If ptrace then we (should) have pid, profile, hat, > program, mode, access and peer > + pid, p, h, prog, aamode, access, peer = entry > + if not regex_nullcomplain.search(p) and not > regex_nullcomplain.search(h): > + profile = p > + hat = h > + if not profile or not hat: > + continue > + prelog[aamode][profile][hat]['ptrace'][peer][access] = True > + > elif typ == 'signal': > # If signal then we (should) have pid, profile, hat, > program, mode, access, signal and peer > pid, p, h, prog, aamode, access, signal, peer = entry > @@ -1672,6 +1682,11 @@ > log_obj[profile][hat]['network'].add(network_obj) > > > + for peer in > sorted(log_dict[aamode][profile][hat]['ptrace'].keys()): > + for access in > sorted(log_dict[aamode][profile][hat]['ptrace'][peer].keys()): > + ptrace_obj = PtraceRule(access, peer, > log_event=aamode) > + log_obj[profile][hat]['ptrace'].add(ptrace_obj) > + > for peer in > sorted(log_dict[aamode][profile][hat]['signal'].keys()): > for access in > sorted(log_dict[aamode][profile][hat]['signal'][peer].keys()): > for signal in > sorted(log_dict[aamode][profile][hat]['signal'][peer][access].keys()): 
> @@ -2503,6 +2518,12 @@ > if not is_known_rule(aa[profile][hat], 'network', > NetworkRule(family, sock_type)): > > log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True > > + ptrace = prelog[aamode][profile][hat]['ptrace'] > + for peer in ptrace.keys(): > + for access in ptrace[peer].keys(): > + if not is_known_rule(aa[profile][hat], 'ptrace', > PtraceRule(access, peer)): > + > log_dict[aamode][profile][hat]['ptrace'][peer][access] = True > + > sig = prelog[aamode][profile][hat]['signal'] > for peer in sig.keys(): > for access in sig[peer].keys(): > === modified file ./utils/apparmor/logparser.py > --- utils/apparmor/logparser.py 2015-12-06 19:36:00.814745352 +0100 > +++ utils/apparmor/logparser.py 2015-12-08 19:18:21.191439433 +0100 > @@ -362,6 +362,9 @@ > elif e['operation'] == 'change_hat': > return(e['pid'], e['parent'], 'unknown_hat', > [profile, hat, aamode, hat]) > + elif e['operation'] == 'ptrace': > + return(e['pid'], e['parent'], 'ptrace', > + [profile, hat, prog, aamode, e['denied_mask'], > e['peer']]) > elif e['operation'] == 'signal': > return(e['pid'], e['parent'], 'signal', > [profile, hat, prog, aamode, e['denied_mask'], > e['signal'], e['peer']]) > > > > Regards, > > Christian Boltz > > [1] I already said that when adding signal support, and making it less > ugly is on my TODO list ;-) > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
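Review bot: in the aa.py @@ -1157 hunk (handle_children), the new `ptrace` branch copies the profile/hat nullcomplain handling of the `signal` branch below it line for line, and `prog` is unpacked but never used in either branch. Since the cover letter's footnote [1] already lists reducing this duplication as a TODO, consider pulling the shared "p, h -> profile, hat, skip if empty" logic into a small helper now so the ptrace and signal branches only differ in the prelog key they set.

Review bot: in the aa.py @@ -1672 hunk (collapse_log), `log_obj[profile][hat]['ptrace'].add(ptrace_obj)` assumes that `log_obj[profile][hat]['ptrace']` has already been created as a PtraceRuleset wherever the 'network' and 'signal' rulesets are set up; that initialisation is not part of this diff, so please confirm it exists, otherwise the `.add()` fails on the first ptrace event. As the cover letter says the aa.py side is only manually tested, a test that feeds the sample log line through handle_children and collapse_log and checks that a PtraceRule for peer="/foo/bar" with access "trace" ends up in log_obj would cover exactly this path.

Review bot: in the logparser.py @@ -362 hunk, the ptrace case reads `e['denied_mask']` unconditionally, like the signal case; this matches the sample line, which carries both requested_mask and denied_mask, but any ptrace event that only has requested_mask would raise a KeyError here, so a `get()` with a fallback to requested_mask (or a parser test for such a line) would make the new branch robust. Also, the cover letter mentions a logparser test added to test-ptrace.py, but the diff posted here only touches utils/apparmor/aa.py and utils/apparmor/logparser.py; the test change appears to be missing from the patch.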
