mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00

Ignore 'x' in mixed file mode log events

Probably thanks to O_MAYEXEC, denials for file access can now contain a
mix of x (exec) and other file permissions.

The actual exec should appear in a separate "exec" log event, therefore
ignore 'x' in file events for now if it's mixed with other permissions.

Note that file events ("open", "link" etc.) that contain denied_mask="x"
without another permission will still cause an error. (So far, this
hasn't been seen in the wild.)

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303

Also add the log line from the bug report and the (for now) expected
result as a test_multi testcase.
Christian Boltz 2023-03-29 21:35:20 +02:00
parent c1a1a3a923
commit a724c79483
No known key found for this signature in database
GPG Key ID: C6A682EA63C82F1C
5 changed files with 24 additions and 0 deletions
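The mixed-mask rule described in the commit message, worked through end to end as an added example (this is not AppArmor's own code and does not reproduce `ReadLog`): parse the key=value fields of an AVC line, decide owner access from fsuid/ouid, drop a stray `x` when it is mixed with other file permissions, and keep raising on a bare `x`. The three log lines are constructed for this example (the first follows the shape of the bug-report line with shortened paths); `process_log`, `file_perms`, `rule_for_event` and `UnknownMode` are illustrative names, and the rule rendering is a simplified stand-in for what aa-logprof actually writes.

```python
import re

# Constructed sample audit lines for this example. The first has the shape of the
# bug-report line (paths shortened); the other two are made up to exercise a
# non-owner denial and a bare 'x' denial.
SAMPLE_LOG = [
    'type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" '
    'profile="cargo" name="/tmp/build/libbootstrap.rlib" pid=12412 comm="cargo" '
    'requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 '
    'target="/tmp/build/deps/libbootstrap.rlib"',
    'type=AVC msg=audit(1676978995.100:1494): apparmor="DENIED" operation="open" '
    'profile="cargo" name="/etc/shadow" pid=12412 comm="cargo" '
    'requested_mask="r" denied_mask="r" fsuid=250 ouid=0',
    'type=AVC msg=audit(1676978996.200:1495): apparmor="DENIED" operation="open" '
    'profile="cargo" name="/tmp/build/tool" pid=12412 comm="cargo" '
    'requested_mask="x" denied_mask="x" fsuid=250 ouid=250',
]

# key="quoted value" or key=bare_token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Permissions a file event may carry into a rule; 'x' is deliberately absent
# because an exec is expected to show up as its own "exec" event.
FILE_PERMS = 'mrwalk'


class UnknownMode(Exception):
    """Raised for a denied_mask the file-event handler does not understand."""


def parse_event(line):
    """Split one audit line into a dict of field name -> value (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def file_perms(event):
    """Apply the mixed-mask rule to denied_mask and return (owner, perms).

    owner is True when fsuid == ouid (the log's way of flagging owner access).
    An 'x' mixed with other permissions is dropped; a bare 'x' is still an error.
    """
    dmask = event['denied_mask']
    owner = event.get('fsuid') == event.get('ouid')
    if 'x' in dmask and dmask != 'x':
        dmask = dmask.replace('x', '')   # exec expected in a separate exec event
    for perm in dmask:
        if perm not in FILE_PERMS:
            raise UnknownMode('Log contains unknown mode %s' % dmask)
    return owner, dmask


def rule_for_event(event):
    """Render a simplified file rule for one denied event (illustrative only)."""
    owner, perms = file_perms(event)
    return '%s%s %s,' % ('owner ' if owner else '', event['name'], perms)


def process_log(lines):
    """Return (rules, errors): one rule per usable event, one error per bad mask."""
    rules, errors = [], []
    for line in lines:
        event = parse_event(line)
        try:
            rules.append(rule_for_event(event))
        except UnknownMode as exc:
            errors.append('%s: %s' % (event.get('msg', '?'), exc))
    return rules, errors


if __name__ == '__main__':
    rules, errors = process_log(SAMPLE_LOG)
    for r in rules:
        print(r)
    for e in errors:
        print('ERROR', e)
```

Running it turns the `xm` link denial into an owner rule with only `m`, keeps the ordinary `r` denial as a non-owner rule because fsuid and ouid differ, and reports the bare-`x` open as an unknown mode, which is the behaviour the commit message says is still expected for such events.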


@ -0,0 +1 @@
type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"
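Review bot: there is no space between the closing quote of `target="..."` and `FSUID="portage"` in the new test line. If that is verbatim from the bug report it should stay as-is, since the expected output in this commit shows the parser coping with it; if it was lost while pasting, the line should be corrected, because a test input that differs from real log output would make this testcase exercise the wrong thing.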


@ -0,0 +1,16 @@
START
File: file_xm.in
Event type: AA_RECORD_DENIED
Audit ID: 1676978994.840:1493
Operation: link
Mask: xm
Denied Mask: xm
fsuid: 250
ouid: 250
Profile: cargo
Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
Command: cargo
Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
PID: 12412
Epoch: 1676978994
Audit subid: 1493


@ -0,0 +1,4 @@
profile cargo {
owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
}
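Review bot: the expected profile records only `m` for the denied `xm` link, so the exec half of the denial disappears from the proposed rules without a trace; the commit message calls this the result "for now", but the testcase itself gives no hint that it encodes a known-incomplete expectation. Suggest a short comment in the test (or a reference to the tracked issue) next to this rule so the file is not later read as the intended final output once exec events from mixed denials are handled.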


@ -219,6 +219,9 @@ class ReadLog:
# in current log style, owner permissions are indicated by a match of fsuid and ouid # in current log style, owner permissions are indicated by a match of fsuid and ouid
owner = True owner = True
if 'x' in dmask and dmask != 'x':
dmask = dmask.replace('x', '') # if dmask contains x and another mode, drop x here - we should see a separate exec event
for perm in dmask: for perm in dmask:
if perm in 'mrwalk': # intentionally not allowing 'x' here if perm in 'mrwalk': # intentionally not allowing 'x' here
self.hashlog[aamode][full_profile]['path'][e['name']][owner][perm] = True self.hashlog[aamode][full_profile]['path'][e['name']][owner][perm] = True
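Review bot: the indentation of the two added lines is not visible in this rendering; they need to sit at the level of the following `for perm in dmask:` loop and not inside the branch that sets `owner = True`, otherwise the `x` is only stripped for events whose fsuid matches ouid and a non-owner `xm` denial would still hit the unknown-mode error the commit message says is avoided. Since the stripped `x` is discarded on the assumption that a separate exec event follows, a debug message at `dmask = dmask.replace('x', '')` would make a log that carries the mixed event but no matching exec event diagnosable instead of silently losing the exec denial.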