mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

utils: add logparser support for mqueue

Browse Source 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2022-04-05 22:00:01 +00:00
parent 6e74b7957b
commit 8e7b6fd583
34 changed files with 183 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in Normal file
View File

@ -0,0 +1 @@
Apr 05 19:36:19 ubuntu kernel: audit: type=1400 audit(1649187379.660:255): apparmor="DENIED" operation="create" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=791 comm="posix_mq_rcv" requested="create" denied="create" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187379.660:255
Operation: create
Mask: create
Denied Mask: create
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 791
Class: posix_mqueue
Epoch: 1649187379
Audit subid: 255

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
mqueue create type=posix /queuename,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.err Normal file
View File

2
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in Normal file
View File

@ -0,0 +1,2 @@
Apr 05 19:36:29 ubuntu kernel: audit: type=1400 audit(1649187389.828:262): apparmor="DENIED" operation="open" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=848 comm="posix_mq_rcv" requested="read create" denied="read" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_02.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187389.828:262
Operation: open
Mask: read create
Denied Mask: read
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 848
Class: posix_mqueue
Epoch: 1649187389
Audit subid: 262

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
mqueue read type=posix /queuename,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in Normal file
View File

@ -0,0 +1 @@
Apr 05 19:36:39 ubuntu kernel: audit: type=1400 audit(1649187399.973:265): apparmor="DENIED" operation="unlink" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=897 comm="posix_mq_rcv" requested="delete" denied="delete" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_03.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187399.973:265
Operation: unlink
Mask: delete
Denied Mask: delete
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 897
Class: posix_mqueue
Epoch: 1649187399
Audit subid: 265

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
mqueue delete type=posix /queuename,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.in Normal file
View File

@ -0,0 +1 @@
Jun 02 16:58:20 ubuntu kernel: audit: type=1400 audit(1654189100.680:1011): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=13574 comm="sysv_mq_rcv" requested="create" denied="create" class="sysv_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_04.in
Event type: AA_RECORD_DENIED
Audit ID: 1654189100.680:1011
Operation: sysv_mqueue
Mask: create
Denied Mask: create
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
Name: 123
Command: sysv_mq_rcv
PID: 13574
Class: sysv_mqueue
Epoch: 1654189100
Audit subid: 1011

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
mqueue create type=sysv 123,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.in Normal file
View File

@ -0,0 +1 @@
Jun 02 17:15:45 ubuntu kernel: audit: type=1400 audit(1654190145.439:1135): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=15849 comm="sysv_mq_snd" requested="open" denied="open" class="sysv_mqueue"

14
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.out Normal file
View File

@ -0,0 +1,14 @@
START
File: testcase_mqueue_05.in
Event type: AA_RECORD_DENIED
Audit ID: 1654190145.439:1135
Operation: sysv_mqueue
Mask: open
Denied Mask: open
Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
Name: 123
Command: sysv_mq_snd
PID: 15849
Class: sysv_mqueue
Epoch: 1654190145
Audit subid: 1135

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/sysv_mq_snd {
mqueue open type=sysv 123,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.in Normal file
View File

@ -0,0 +1 @@
Jun 02 17:15:37 ubuntu kernel: audit: type=1400 audit(1654190137.559:1122): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15632 comm="sysv_mq_rcv" requested="read" denied="read" class="sysv_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_06.in
Event type: AA_RECORD_DENIED
Audit ID: 1654190137.559:1122
Operation: sysv_mqueue
Mask: read
Denied Mask: read
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
Name: 123
Command: sysv_mq_rcv
PID: 15632
Class: sysv_mqueue
Epoch: 1654190137
Audit subid: 1122

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
mqueue read type=sysv 123,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.in Normal file
View File

@ -0,0 +1 @@
Jun 02 17:15:51 ubuntu kernel: audit: type=1400 audit(1654190151.003:1145): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15973 comm="sysv_mq_rcv" requested="delete" denied="delete" class="sysv_mqueue" fsuid=1001 ouid=1001

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_07.in
Event type: AA_RECORD_DENIED
Audit ID: 1654190151.003:1145
Operation: sysv_mqueue
Mask: delete
Denied Mask: delete
fsuid: 1001
ouid: 1001
Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
Name: 123
Command: sysv_mq_rcv
PID: 15973
Class: sysv_mqueue
Epoch: 1654190151
Audit subid: 1145

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
mqueue delete type=sysv 123,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.in Normal file
View File

@ -0,0 +1 @@
Jun 02 17:15:55 ubuntu kernel: audit: type=1400 audit(1654190155.699:1155): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=16148 comm="sysv_mq_snd" requested="write" denied="write" class="sysv_mqueue" fsuid=1001 ouid=1001

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.out Normal file
View File

@ -0,0 +1,16 @@
START
File: testcase_mqueue_08.in
Event type: AA_RECORD_DENIED
Audit ID: 1654190155.699:1155
Operation: sysv_mqueue
Mask: write
Denied Mask: write
fsuid: 1001
ouid: 1001
Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
Name: 123
Command: sysv_mq_snd
PID: 16148
Class: sysv_mqueue
Epoch: 1654190155
Audit subid: 1155

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.profile Normal file
View File

@ -0,0 +1,4 @@
/root/apparmor/tests/regression/apparmor/sysv_mq_snd {
mqueue write type=sysv 123,
}

9
utils/apparmor/aa.py
View File

@ -51,6 +51,7 @@ from apparmor.rule.network import NetworkRule
from apparmor.rule.ptrace import PtraceRule from apparmor.rule.ptrace import PtraceRule
from apparmor.rule.signal import SignalRule from apparmor.rule.signal import SignalRule
from apparmor.rule.userns import UserNamespaceRule from apparmor.rule.userns import UserNamespaceRule
from apparmor.rule.mqueue import MessageQueueRule
from apparmor.translations import init_translation from apparmor.translations import init_translation
_ = init_translation() _ = init_translation()
@ -1728,6 +1729,14 @@ def collapse_log(hashlog, ignore_null_profiles=True):
if not hat_exists or not is_known_rule(aa[profile][hat], 'userns', userns_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'userns', userns_event):
log_dict[aamode][full_profile]['userns'].add(userns_event) log_dict[aamode][full_profile]['userns'].add(userns_event)
mqueue = hashlog[aamode][full_profile]['mqueue']
for access in mqueue.keys():
for mqueue_type in mqueue[access]:
for mqueue_name in mqueue[access][mqueue_type]:
mqueue_event = MessageQueueRule(access, mqueue_type, MessageQueueRule.ALL, mqueue_name, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'mqueue', mqueue_event):
log_dict[aamode][full_profile]['mqueue'].add(mqueue_event)
return log_dict return log_dict

8
utils/apparmor/logparser.py
View File

@ -58,6 +58,7 @@ class ReadLog:
'ptrace': hasher(), 'ptrace': hasher(),
'signal': hasher(), 'signal': hasher(),
'userns': hasher(), 'userns': hasher(),
'mqueue': hasher(),
} }
def prefetch_next_log_entry(self): def prefetch_next_log_entry(self):
@ -188,7 +189,12 @@ class ReadLog:
elif e['class'] and e['class'] == 'namespace': elif e['class'] and e['class'] == 'namespace':
if e['denied_mask'].startswith('userns'): if e['denied_mask'].startswith('userns'):
self.hashlog[aamode][full_profile]['userns'][e['denied_mask'].removeprefix('userns_')] = True self.hashlog[aamode][full_profile]['userns'][e['denied_mask'].removeprefix('userns_')] = True
return None return
elif e['class'] and e['class'].endswith('mqueue'):
mqueue_type = e['class'].partition('_')[0]
self.hashlog[aamode][full_profile]['mqueue'][e['denied_mask']][mqueue_type][e['name']] = True
return
elif self.op_type(e) == 'file': elif self.op_type(e) == 'file':
# Map c (create) and d (delete) to w (logging is more detailed than the profile language) # Map c (create) and d (delete) to w (logging is more detailed than the profile language)