Fix aa-logprof crash on ptrace garbage log events

(garbage) ptrace events like
    ... apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""
cause an empty name2 field, which leads to a crash in the tools.

This patch lets logparser.py ignore such garbage log events, which also
avoids the crash.

As usual, add some testcases.

test-libapparmor-test_multi.py needs some special handling to ignore the
empty name2 field in one of the testcases.


References: https://bugs.launchpad.net/apparmor/+bug/1689667


Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.

Older releases can't handle ptrace log events and therefore can't crash ;-)

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out

@@ -0,0 +1,11 @@
+START
+File: ptrace_garbage_lp1689667_1.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1494272099.261:3455
+Operation: ptrace
+Profile: /bin/netstat
+Command: netstat
+Name2: 
+PID: 1962
+Epoch: 1494272099
+Audit subid: 3455

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile

@@ -0,0 +1,2 @@
+/bin/netstat {
+}

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=8022C0FF81A0FFFF8022C0FF81A0FFFF1080CBFF81A0FFFF1080CBFF81A0FFFF2080CBFF81A0FFFF2080CBFF81A0FFFF9E03

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out

@@ -0,0 +1,10 @@
+START
+File: ptrace_garbage_lp1689667_2.in
+Event type: AA_RECORD_INVALID
+Audit ID: 1494272099.261:3455
+Operation: ptrace
+Profile: /bin/netstat
+Command: netstat
+PID: 1962
+Epoch: 1494272099
+Audit subid: 3455

utils/apparmor/logparser.py

@@ -338,6 +338,10 @@ class ReadLog:
             return(e['pid'], e['parent'], 'unknown_hat',
                              [profile, hat, aamode, hat])
         elif e['operation'] == 'ptrace':
+            if not e['peer']:
+                self.debug_logger.debug('ignored garbage ptrace event with empty peer')
+                return None
+
             return(e['pid'], e['parent'], 'ptrace',
                              [profile, hat, prog, aamode, e['denied_mask'], e['peer']])
         elif e['operation'] == 'signal':

utils/test/test-libapparmor-test_multi.py

@@ -66,6 +66,8 @@ class TestLibapparmorTestMulti(AATest):
                     pass
                 elif parsed_items['operation'] == 'exec' and label in ['sock_type', 'family', 'protocol']:
                     pass  # XXX 'exec' + network? really?
+                elif parsed_items['operation'] == 'ptrace' and label == 'name2' and params.endswith('/ptrace_garbage_lp1689667_1'):
+                    pass  # libapparmor would better qualify this case as invalid event
                 elif not parsed_items.get(label, None):
                     raise Exception('parsed_items[%s] not set' % label)
                 elif not expected.get(label, None):