mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00
Code Issues Releases Wiki Activity

utils: ignore peer when parsing logs for non-peer access modes

Browse Source 
Some access modes (create, setopt, getopt, bind, shutdown, listen,
getattr, setattr) cannot be used with a peer in network rules.

Due to how auditing is implemented in the kernel, the peer information
might be available in the log (as faddr= but not daddr=), which causes
a failure in log parsing.

When parsing the log, check if that's the case and ignore the peer,
avoiding the exception on the NetworkRule constructor.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/427
Reported-by: Evan Caville <evan.caville@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2024-08-28 17:11:10 -03:00
parent 74f254212a
commit 7562c48c74
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
utils/apparmor/rule/network.py
View File

@ -75,6 +75,8 @@ RE_NETWORK_DETAILS = re.compile(
+ '(' + RE_PEER_EXPR + r')?\s*'
+ r'$')
non_peer_accesses = {'create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt'}
class NetworkRule(BaseRule):
"""Class to handle and store a single network rule"""
@ -121,8 +123,8 @@ class NetworkRule(BaseRule):
if self.peer_expr != self.ALL and 'ip' in self.peer_expr and not is_valid_ip(self.peer_expr['ip']):
raise AppArmorException(f'Invalid ip: {self.peer_expr["ip"]}')
if not self.all_accesses and self.peer_expr != self.ALL and self.accesses & {'create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt'}:
raise AppArmorException('Cannot use a peer_expr and an access in {create, bind, listen, shutdown, getattr, setattr, getopt, setopt} simultaneously')
if not self.all_accesses and self.peer_expr != self.ALL and self.accesses & non_peer_accesses:
raise AppArmorException('Cannot use a peer_expr and an access in the set (%s) simultaneously' % ', '.join(non_peer_accesses))
self.domain = None
self.all_domains = False
@ -300,6 +302,8 @@ class NetworkRule(BaseRule):
@classmethod
def from_hashlog(cls, hl):
for access, family, sock_type, protocol, local_event, peer_event in BaseRule.generate_rules_from_hashlog(hl, 6):
if access and set(access.split()) & non_peer_accesses:
peer_event = (None, None)
yield cls(access, family, sock_type, local_event, peer_event, log_event=True)