From a724c79483727a8c3d7a9e4facc8a44c1a63d0cf Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 29 Mar 2023 21:35:20 +0200
Subject: [PATCH] Ignore 'x' in mixed file mode log events

Probably thanks to O_MAYEXEC, denials for file access can now contain a mix of x (exec) and other file permissions. The actual exec should appear in a separate "exec" log event, therefore ignore 'x' in file events for now if it's mixed with other permissions.
Note that file events ("open", "link" etc.) that contain denied_mask="x" without another permission will still cause an error. (So far, this hasn't been seen in the wild.)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303
Also add the log line from the bugreport and the (for now) expected result as test_multi testcase.
---
 .../libapparmor/testsuite/test_multi/file_xm.err | 0
 .../libapparmor/testsuite/test_multi/file_xm.in | 1 +
 .../libapparmor/testsuite/test_multi/file_xm.out | 16 ++++++++++++++++
 .../testsuite/test_multi/file_xm.profile | 4 ++++
 utils/apparmor/logparser.py | 3 +++
 5 files changed, 24 insertions(+)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/file_xm.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/file_xm.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/file_xm.out
 create mode 100644 libraries/libapparmor/testsuite/test_multi/file_xm.profile
diff --git a/libraries/libapparmor/testsuite/test_multi/file_xm.err b/libraries/libapparmor/testsuite/test_multi/file_xm.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/file_xm.in b/libraries/libapparmor/testsuite/test_multi/file_xm.in
new file mode 100644
index 000000000..4a360019a
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"
diff --git a/libraries/libapparmor/testsuite/test_multi/file_xm.out b/libraries/libapparmor/testsuite/test_multi/file_xm.out
new file mode 100644
index 000000000..9b9d1890d
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.out
@@ -0,0 +1,16 @@
+START
+File: file_xm.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1676978994.840:1493
+Operation: link
+Mask: xm
+Denied Mask: xm
+fsuid: 250
+ouid: 250
+Profile: cargo
+Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
+Command: cargo
+Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
+PID: 12412
+Epoch: 1676978994
+Audit subid: 1493
diff --git a/libraries/libapparmor/testsuite/test_multi/file_xm.profile b/libraries/libapparmor/testsuite/test_multi/file_xm.profile
new file mode 100644
index 000000000..3ad0162e9
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/file_xm.profile
@@ -0,0 +1,4 @@
+profile cargo {
+ owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
+
+}
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index f224e8ec0..4825682ed 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -219,6 +219,9 @@ class ReadLog:
 # in current log style, owner permissions are indicated by a match of fsuid and ouid
 owner = True
 
+ if 'x' in dmask and dmask != 'x':
+ dmask = dmask.replace('x', '') # if dmask contains x and another mode, drop x here - we should see a separate exec event
+
 for perm in dmask:
 if perm in 'mrwalk': # intentionally not allowing 'x' here
 self.hashlog[aamode][full_profile]['path'][e['name']][owner][perm] = True
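Review bot: The two added lines strip 'x' from dmask without leaving any trace, so if the separate "exec" event the commit description relies on never arrives for a given denial, the suggested profile silently lacks the exec rule where the old code at least failed loudly; consider recording the drop, for example a debug-level message through the class's existing debug logger (if it has one) right after `dmask = dmask.replace('x', '')`, so the decision is visible when a generated profile is reviewed. The requested mask is not visible in this hunk; if this method also stores or compares it further down, the same mixed-'x' normalization would presumably be needed there, otherwise the denied and requested masks disagree for these events. As a style point, the trailing comment on the replace line is very long, and moving it above the `if` as `# O_MAYEXEC can mix 'x' with other file perms; drop 'x' here and rely on the separate exec event` keeps the code line readable. The enclosing method starts before this hunk.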