On Sun, Jul 31, 2016 at 5:37 PM, Christian Boltz <[email protected]> wrote:

> Hello,
>
> On Friday, 29 July 2016, 16:46:50 CEST, Tyler Hicks wrote:
>> On 07/29/2016 04:06 PM, Christian Boltz wrote:
>> > we already ignore network events that look like file events (based
>> > on the operation keyword) if they have a request_mask of 'send' or
>> > 'receive' to avoid aa-logprof crashes because of "unknown"
>> > permissions. It turned out that both can happen at once, so we
>> > should also ignore this case.
>> >
>> > Also add the now-ignored log event as test_multi testcase.
>> >
>> > References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
>> >
>> > I propose this patch for trunk, 2.10 and 2.9.
>>
>> Acked-by: Tyler Hicks <[email protected]>
>>
>> Thanks for getting to this fix so quickly!
>
> I just found out that I did it a bit too quick - I did run the testsuite
> after changing logparser.py, but didn't re-run it after adding
> testcase_network_send_receive.* to the test_multi testsuite - and this
> test causes a test failure in utils/test/test-libapparmor-test_multi.py
> because network family, protocol and sock_type aren't set for events
> that look like a file event.
>
> The patch below fixes this (and is a baby step towards guessing the
> event type based on the event content instead of operation=...)
>
>
> [patch] logparser: store network-related params if an event looks like network
>
> Network events can come with an operation= that looks like a file event.
> Nevertheless, if the event has a typical network parameter (like
> net_protocol) set, make sure to store the network-related flags in ev.
>
> This fixes the test failure introduced in my last commit.
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
> [ 01-logparser-more-network.diff ]
>
> === modified file 'utils/apparmor/logparser.py' > --- utils/apparmor/logparser.py 2016-07-29 22:41:43 +0000 > +++ utils/apparmor/logparser.py 2016-07-31 11:46:07 +0000
> @@ -133,7 +133,7 @@ > ev['denied_mask'] = event.denied_mask > ev['request_mask'] = event.requested_mask > ev['magic_token'] = event.magic_token > - if ev['operation'] and self.op_type(ev['operation']) == 'net': > + if ev['operation'] and self.op_type(ev['operation']) == 'net' or > event.net_protocol: Maybe swap around the or operator and maybe sprinkle in a pinch of parentheses[1].
> ev['family'] = event.net_family > ev['protocol'] = event.net_protocol > ev['sock_type'] = event.net_sock_type
>
>

LGTM.

Acked-by: Kshitij Gupta <[email protected]>

>
>
> Regards,
>
> Christian Boltz
> --
> This indexing botch. Semantic fiddling that makes the system
> unusable.
> But it's good that one has two knees to shoot oneself in.
> [Lars Müller in opensuse-de]
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor

[1]: http://programmers.stackexchange.com/a/201187

--
Regards,

Kshitij Gupta
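
Review bot: the changed condition on the `+` line mixes `and` and `or` without parentheses. Python groups it as `(ev['operation'] and self.op_type(ev['operation']) == 'net') or event.net_protocol`, which matches the commit message, but writing those parentheses out would make the intended grouping explicit to the next reader. The new test also keys only on `event.net_protocol`, while the body stores `net_family`, `net_protocol` and `net_sock_type`, so an event that carries a family or socket type but no protocol would still skip this branch. Either check the other two fields as well or add a short comment saying why the protocol alone is a sufficient indicator.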
