From 37f5326d0e7eb661376e979a3fd137584e432415 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 13 Sep 2021 23:02:15 +0000
Subject: [PATCH] Merge Avoid aa-notify crash on log events without operation=

Some STATUS log events trigger a crash in aa-notify because the log line doesn't have operation=. Examples are:

type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
type=AVC msg=audit(1630913352.610:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"

Fix this by not looking at log events without operation=

Also add one of the example events as libapparmor testcase.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/194
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/797
Acked-by: John Johansen
(cherry picked from commit c37586cd11dbdc320094a5d219d86edef2b0e194)
Signed-off-by: John Johansen
---
 .../testsuite/test_multi/status-filesystem-enabled.err | 0
 .../testsuite/test_multi/status-filesystem-enabled.in | 1 +
 .../testsuite/test_multi/status-filesystem-enabled.out | 3 +++
 utils/aa-notify | 2 +-
 4 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out

diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
new file mode 100644
index 000000000..6a5cbdd90
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
@@ -0,0 +1 @@
+audit.log:type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out
new file mode 100644
index 000000000..7bce27747
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out
@@ -0,0 +1,3 @@
+START
+File: status-filesystem-enabled.in
+Event type: AA_RECORD_INVALID
diff --git a/utils/aa-notify b/utils/aa-notify
index 5e5a32578..6cb7c393f 100755
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -324,7 +324,7 @@ def parse_logdata(logsource):
 event = LibAppArmor.parse_record(entry)
 # Only show actual events of contained programs and ignore among
 # others AppArmor profile reloads
- if event.operation[0:8] != 'profile_':
+ if event.operation and event.operation[0:8] != 'profile_':
 yield event