diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 37bb27113..ca968b2fc 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -263,20 +263,16 @@ class ReadLog:
 else:
 self.debug_logger.debug('add_event_to_tree: dropped exec event in %s' % e['profile'])
- elif 'file_' in e['operation']:
- self.add_to_tree(e['pid'], e['parent'], 'path',
- [profile, hat, prog, aamode, e['denied_mask'], e['name'], ''])
- elif e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'rename_src',
- 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link']:
+ elif ( e['operation'].startswith('file_') or
+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'rename_src',
+ 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
+ 'sysctl', 'getattr', 'setattr', 'xattr'] ):
 #print(e['operation'], e['name'])
 self.add_to_tree(e['pid'], e['parent'], 'path',
 [profile, hat, prog, aamode, e['denied_mask'], e['name'], ''])
 elif e['operation'] == 'capable':
 self.add_to_tree(e['pid'], e['parent'], 'capability',
 [profile, hat, prog, aamode, e['name'], ''])
- elif e['operation'] == 'setattr' or 'xattr' in e['operation']:
- self.add_to_tree(e['pid'], e['parent'], 'path',
- [profile, hat, prog, aamode, e['denied_mask'], e['name'], ''])
 elif 'inode_' in e['operation']:
 is_domain_change = False
 if e['operation'] == 'inode_permission' and (e['denied_mask'] & AA_MAY_EXEC) and aamode == 'PERMITTING':
@@ -294,10 +290,6 @@ class ReadLog:
 self.add_to_tree(e['pid'], e['parent'], 'path',
 [profile, hat, prog, aamode, e['denied_mask'], e['name'], ''])
- elif e['operation'] == 'sysctl': self.add_to_tree(e['pid'], e['parent'], 'path', [profile, hat, prog, aamode, e['denied_mask'], e['name'], ''])
-
 elif e['operation'] == 'clone':
 parent, child = e['pid'], e['task']
 if not parent:
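Review bot: The exact-match entry `'xattr'` on the last `+` line of the first hunk narrows the condition it replaces: the removed `elif e['operation'] == 'setattr' or 'xattr' in e['operation']:` accepted any operation name that merely contains `xattr`, while the merged branch now accepts only the literal string `xattr`. Any event whose operation name contains but is not equal to `xattr` no longer reaches this `add_to_tree(..., 'path', ...)` call and falls through to the remaining `elif` arms, whose handling is outside this hunk, so it may no longer be recorded as a path access and the generated profile could be missing that rule. If the old coverage is meant to survive, keep the substring test beside the list, e.g. `'sysctl', 'getattr', 'setattr'] or 'xattr' in e['operation'] ):`; if the narrowing is deliberate, a short comment such as `# only the literal 'xattr' operation is expected here` on the `elif` would stop the next reader from re-widening it. The `file_` test likewise moved from a substring check to `startswith('file_')`, which looks intentional, and the `( ... )` around the condition carry inner spaces that PEP 8 would drop. The surrounding `elif` chain of `add_event_to_tree` begins before this hunk and continues past it.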