Ignore 'x' in mixed file mode log events

Probably thanks to O_MAYEXEC, denials for file access can now contain a mix of x (exec) and other file permissions. The actual exec should appear in a separate "exec" log event, therefore ignore 'x' in file events for now if it's mixed with other permissions. Note that file events ("open", "link" etc.) that contain denied_mask="x" without another permission will still cause an error. (So far, this hasn't been seen in the wild.) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303 Also add the log line from the bugreport and the (for now) expected result as test_multi testcase.
2025-08-22 01:57:43 +00:00 · 2023-03-29 21:35:20 +02:00 · 2023-03-29 21:35:20 +02:00 · a724c79483
commit a724c79483
parent c1a1a3a923
5 changed files with 24 additions and 0 deletions
--- a/libraries/libapparmor/testsuite/test_multi/file_xm.err
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.err
--- a/libraries/libapparmor/testsuite/test_multi/file_xm.in
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.in
@ -0,0 +1 @@
+type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"
--- a/libraries/libapparmor/testsuite/test_multi/file_xm.out
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.out
@ -0,0 +1,16 @@
+START
+File: file_xm.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1676978994.840:1493
+Operation: link
+Mask: xm
+Denied Mask: xm
+fsuid: 250
+ouid: 250
+Profile: cargo
+Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
+Command: cargo
+Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
+PID: 12412
+Epoch: 1676978994
+Audit subid: 1493
--- a/libraries/libapparmor/testsuite/test_multi/file_xm.profile
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.profile
@ -0,0 +1,4 @@
+profile cargo {
+  owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
+
+}
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@ -219,6 +219,9 @@ class ReadLog:
                # in current log style, owner permissions are indicated by a match of fsuid and ouid
                owner = True

+            if 'x' in dmask and dmask != 'x':
+                dmask = dmask.replace('x', '')  # if dmask contains x and another mode, drop x here - we should see a separate exec event
+
            for perm in dmask:
                if perm in 'mrwalk':  # intentionally not allowing 'x' here
                    self.hashlog[aamode][full_profile]['path'][e['name']][owner][perm] = True
				`@ -0,0 +1 @@`
				`type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"`