Hello,

we already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.

Also add the now-ignored log event as test_multi testcase.


References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13



I propose this patch for trunk, 2.10 and 2.9.


[ 01-logparser-send-receive.diff ]

--- utils/apparmor/logparser.py 2016-06-05 20:28:24.214423206 +0200
+++ utils/apparmor/logparser.py 2016-07-29 22:56:57.660828070 +0200
@@ -310,7 +310,7 @@
             # sometimes network events come with an e['operation'] that 
matches the list of file operations
             # see https://bugs.launchpad.net/apparmor/+bug/1577051 and 
https://bugs.launchpad.net/apparmor/+bug/1582374
             # XXX these events are network events, so we should map them as 
such
-            if e['request_mask'] in ('send', 'receive'):
+            if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
                 self.debug_logger.debug('UNHANDLED (request_mask is send or 
receive): %s' % e)
                 return None
 
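Review bot: The new condition on the changed line does a substring test on a string, so `'send' in e['request_mask']` is true for any mask value that merely contains those letters, and it raises TypeError if e['request_mask'] is None at this point. The old tuple membership test tolerated None. Matching on whole tokens would avoid both problems, for example by splitting the mask on whitespace and checking whether the resulting set intersects {'send', 'receive'}, with a guard for a missing mask. The debug message "request_mask is send or receive" could then also say "contains" to reflect the combined case.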
=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 
2016-07-29 20:59:48 +0000
@@ -0,0 +1,1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 
audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" 
laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" 
sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send 
receive"
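Review bot: The sample line in testcase_network_send_receive.in carries a public foreign address (faddr=54.153.70.241) together with the originating host's profile path verbatim. The behaviour under test depends only on operation="file_inherit" and the "send receive" masks, so consider substituting a documentation-range address (203.0.113.0/24, RFC 5737) here and updating the "Foreign addr" line in the .out file to match.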

=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
--- 
libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out    
    1970-01-01 00:00:00 +0000
+++ 
libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out    
    2016-07-29 21:00:03 +0000
@@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021




Regards,

Christian Boltz
-- 
Well, if you have such a weak computer, you can only run one
of the two at a time. You still need both.
After all, the electric stove won't take pity and suddenly start
mixing just because there is only one power outlet, will it?
[Adalbert Michelic in suse-linux]


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
