From 98bf187323b2f7ea265cf53b10f45513d9a955a4 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 2 Aug 2020 19:49:18 +0200
Subject: [PATCH] Handle `symlink` log events in aa-logprof

Nobody told the tools that log events with operation="symlink" exist. Add this keyword to the list of file or network operations (I don't expect network symlinks ;-) but keeping everything in that list makes things easier than special-casing it.)

Also add the log sample and expected result to the libapparmor tests.

Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
---
 .../libapparmor/testsuite/test_multi/symlink.err | 0
 .../libapparmor/testsuite/test_multi/symlink.in | 1 +
 .../libapparmor/testsuite/test_multi/symlink.out | 15 +++++++++++++++
 .../testsuite/test_multi/symlink.profile | 4 ++++
 utils/apparmor/logparser.py | 1 +
 5 files changed, 21 insertions(+)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/symlink.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/symlink.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/symlink.out
 create mode 100644 libraries/libapparmor/testsuite/test_multi/symlink.profile
diff --git a/libraries/libapparmor/testsuite/test_multi/symlink.err b/libraries/libapparmor/testsuite/test_multi/symlink.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/symlink.in b/libraries/libapparmor/testsuite/test_multi/symlink.in
new file mode 100644
index 000000000..b659ce765
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/symlink.in
@@ -0,0 +1 @@
+Aug 3 00:00:41 liuchao-virtual-machine kernel: [ 4362.615262] audit: type=1400 audit(1596384041.705:290): apparmor="DENIED" operation="symlink" profile="/home/test.sh" name="/home/b.c" pid=8016 comm="ln" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 
diff --git a/libraries/libapparmor/testsuite/test_multi/symlink.out b/libraries/libapparmor/testsuite/test_multi/symlink.out
new file mode 100644
index 000000000..d25ae6ee3
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/symlink.out
@@ -0,0 +1,15 @@
+START
+File: symlink.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1596384041.705:290
+Operation: symlink
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/test.sh
+Name: /home/b.c
+Command: ln
+PID: 8016
+Epoch: 1596384041
+Audit subid: 290
diff --git a/libraries/libapparmor/testsuite/test_multi/symlink.profile b/libraries/libapparmor/testsuite/test_multi/symlink.profile
new file mode 100644
index 000000000..8689f3b35
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/symlink.profile
@@ -0,0 +1,4 @@
+/home/test.sh {
+ owner /home/b.c w,
+
+}
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index a5a78ae2f..041dff4f7 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -319,6 +319,7 @@ class ReadLog:
 'rename_dest',
 'unlink',
 'rmdir',
+ 'symlink',
 'symlink_create',
 'link',
 'sysctl',
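Review bot: The added `'symlink'` entry fixes exactly one operation name, and the surrounding list in `utils/apparmor/logparser.py` (its definition starts and ends outside the hunk) has to be hand-extended every time the kernel reports an operation the tools have not seen, which is presumably how issue 107 arose. It is worth checking what the code after the list does with an event whose operation matches nothing; if it raises or silently drops the event, a warning naming the unknown operation would stop a denial from vanishing from aa-logprof's output, since a dropped denial leaves the generated profile incomplete without the user noticing. A one-line comment above the list, e.g. `# operation= names the kernel emits for file (and network) accesses; extend when the kernel adds one`, would tell the next maintainer where new names belong. The list now carries both `'symlink'` and `'symlink_create'`, which suggests the kernel's name for this operation changed at some point; a short note on which one current kernels emit would help too.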