utils: ignore peer when parsing logs for non-peer access modes
Some access modes (create, setopt, getopt, bind, shutdown, listen, getattr, setattr) cannot be used with a peer in network rules. Due to how auditing is implemented in the kernel, peer information may nevertheless be present in the log (as faddr= but not daddr=), which causes a failure in log parsing. When parsing the log, check whether that is the case and ignore the peer, avoiding the exception raised by the NetworkRule constructor. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/427 Reported-by: Evan Caville <evan.caville@canonical.com> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
@@ -75,6 +75,8 @@ RE_NETWORK_DETAILS = re.compile(
|
|||||||
+ '(' + RE_PEER_EXPR + r')?\s*'
|
+ '(' + RE_PEER_EXPR + r')?\s*'
|
||||||
+ r'$')
|
+ r'$')
|
||||||
|
|
||||||
|
non_peer_accesses = {'create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt'}
|
||||||
|
|
||||||
|
|
||||||
class NetworkRule(BaseRule):
|
class NetworkRule(BaseRule):
|
||||||
"""Class to handle and store a single network rule"""
|
"""Class to handle and store a single network rule"""
|
||||||
@@ -121,8 +123,8 @@ class NetworkRule(BaseRule):
|
|||||||
if self.peer_expr != self.ALL and 'ip' in self.peer_expr and not is_valid_ip(self.peer_expr['ip']):
|
if self.peer_expr != self.ALL and 'ip' in self.peer_expr and not is_valid_ip(self.peer_expr['ip']):
|
||||||
raise AppArmorException(f'Invalid ip: {self.peer_expr["ip"]}')
|
raise AppArmorException(f'Invalid ip: {self.peer_expr["ip"]}')
|
||||||
|
|
||||||
if not self.all_accesses and self.peer_expr != self.ALL and self.accesses & {'create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt'}:
|
if not self.all_accesses and self.peer_expr != self.ALL and self.accesses & non_peer_accesses:
|
||||||
raise AppArmorException('Cannot use a peer_expr and an access in {create, bind, listen, shutdown, getattr, setattr, getopt, setopt} simultaneously')
|
raise AppArmorException('Cannot use a peer_expr and an access in the set (%s) simultaneously' % ', '.join(non_peer_accesses))
|
||||||
|
|
||||||
self.domain = None
|
self.domain = None
|
||||||
self.all_domains = False
|
self.all_domains = False
|
||||||
@@ -300,6 +302,8 @@ class NetworkRule(BaseRule):
|
|||||||
@classmethod
|
@classmethod
|
||||||
def from_hashlog(cls, hl):
|
def from_hashlog(cls, hl):
|
||||||
for access, family, sock_type, protocol, local_event, peer_event in BaseRule.generate_rules_from_hashlog(hl, 6):
|
for access, family, sock_type, protocol, local_event, peer_event in BaseRule.generate_rules_from_hashlog(hl, 6):
|
||||||
|
if access and set(access.split()) & non_peer_accesses:
|
||||||
|
peer_event = (None, None)
|
||||||
yield cls(access, family, sock_type, local_event, peer_event, log_event=True)
|
yield cls(access, family, sock_type, local_event, peer_event, log_event=True)
|
||||||
|
|
||||||
|
|
||||||
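Review bot: In from_hashlog the peer is discarded whenever any access in the event intersects non_peer_accesses, so an event that mixed a non-peer access with one that does take a peer (say `bind send`, if the kernel ever logs such a combination) would produce a rule with an unconstrained peer, i.e. broader than what was actually observed. If mixed accesses are possible, the safer handling is to split the event into a peer-less rule for the non-peer accesses and a peer-bearing rule for the remainder; if they are not, a comment stating that assumption would help, e.g. `# audit may attach faddr= to accesses that cannot take a peer; drop it so the constructor does not reject the rule (an event never mixes peer and non-peer accesses)`. In the constructor hunk, `', '.join(non_peer_accesses)` iterates a set, so the message order can vary between runs; `', '.join(sorted(non_peer_accesses))` keeps it stable. The enclosing class NetworkRule continues outside the hunk.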
|