Merge branch 'cboltz-exec-without-target' into 'master'

logparser.py: don't error out on exec events without target

See merge request apparmor/apparmor!405

Acked-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/testsuite/test_multi/exec01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1556742889.059:3686): apparmor="ALLOWED" operation="exec" profile="/home/cb/bin/hello.sh" name="/usr/bin/rm" pid=13108 comm="hello.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/home/cb/bin/hello.sh//null-/usr/bin/rm"

libraries/libapparmor/testsuite/test_multi/exec01.out

@@ -0,0 +1,16 @@
+START
+File: exec01.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1556742889.059:3686
+Operation: exec
+Mask: x
+Denied Mask: x
+fsuid: 1000
+ouid: 0
+Profile: /home/cb/bin/hello.sh
+Name: /usr/bin/rm
+Command: hello.sh
+Name2: /home/cb/bin/hello.sh//null-/usr/bin/rm
+PID: 13108
+Epoch: 1556742889
+Audit subid: 3686

libraries/libapparmor/testsuite/test_multi/exec01.profile

@@ -0,0 +1,2 @@
+/home/cb/bin/hello.sh {
+}

libraries/libapparmor/testsuite/test_multi/exec02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1564250674.378:1307): apparmor="DENIED" operation="exec" profile="/usr/bin/wireshark" name="/usr/lib64/wireshark/extcap/androiddump" pid=23247 comm="pool" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

libraries/libapparmor/testsuite/test_multi/exec02.out

@@ -0,0 +1,15 @@
+START
+File: exec02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1564250674.378:1307
+Operation: exec
+Mask: x
+Denied Mask: x
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/wireshark
+Name: /usr/lib64/wireshark/extcap/androiddump
+Command: pool
+PID: 23247
+Epoch: 1564250674
+Audit subid: 1307

libraries/libapparmor/testsuite/test_multi/exec02.profile

@@ -0,0 +1,2 @@
+/usr/bin/wireshark {
+}

utils/apparmor/aa.py

@@ -1099,7 +1099,8 @@ def ask_exec(hashlog):
                             if ans == 'CMD_DENY':
                                 aa[profile][hat]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))
                                 changed[profile] = True
-                                hashlog[aamode][target_profile]['final_name'] = ''
+                                if target_profile:
+                                    hashlog[aamode][target_profile]['final_name'] = ''
                                 # Skip remaining events if they ask to deny exec
                                 continue
 
@@ -1128,13 +1129,15 @@ def ask_exec(hashlog):
                     # Update tracking info based on kind of change
 
                     if ans == 'CMD_ix':
-                        hashlog[aamode][target_profile]['final_name'] = profile
+                        if target_profile:
+                            hashlog[aamode][target_profile]['final_name'] = profile
 
                     elif re.search('^CMD_(px|nx|pix|nix)', ans):
                         if to_name:
                             exec_target = to_name
 
-                        hashlog[aamode][target_profile]['final_name'] = exec_target
+                        if target_profile:
+                            hashlog[aamode][target_profile]['final_name'] = exec_target
 
                         # Check profile exists for px
                         if not os.path.exists(get_profile_filename_from_attachment(exec_target, True)):
@@ -1149,7 +1152,8 @@ def ask_exec(hashlog):
                                     autodep(exec_target, '')
                                 reload_base(exec_target)
                             else:
-                                hashlog[aamode][target_profile]['final_name'] = profile  # not creating the target profile effectively results in ix mode
+                                if target_profile:
+                                    hashlog[aamode][target_profile]['final_name'] = profile  # not creating the target profile effectively results in ix mode
 
                     elif ans.startswith('CMD_cx') or ans.startswith('CMD_cix'):
                         if to_name:
@@ -1174,10 +1178,12 @@ def ask_exec(hashlog):
                                 file_name = aa[profile][profile]['filename']
                                 filelist[file_name]['profiles'][profile][exec_target] = True
 
-                                hashlog[aamode][target_profile]['final_name'] = '%s//%s' % (profile, exec_target)
+                                if target_profile:
+                                    hashlog[aamode][target_profile]['final_name'] = '%s//%s' % (profile, exec_target)
 
                             else:
-                                hashlog[aamode][target_profile]['final_name'] = profile  # not creating the target profile effectively results in ix mode
+                                if target_profile:
+                                    hashlog[aamode][target_profile]['final_name'] = profile  # not creating the target profile effectively results in ix mode
 
                     elif ans.startswith('CMD_ux'):
                         continue

utils/apparmor/logparser.py

@@ -192,7 +192,7 @@ class ReadLog:
                 raise AppArmorException('exec without executed binary')
 
             if not e['name2']:
-                raise AppArmorException('exec without target profile')
+                e['name2'] = ''  # exec events in enforce mode don't have target=...
 
             self.hashlog[aamode][full_profile]['exec'][e['name']][e['name2']] = True
             return None