mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

utils: look for 'file' class when parsing logs

Browse Source 
Since kernel commit 8c4b785a86be the class is available to check if
the log belongs to which class. This fixes cases where the logparser
is not able to distinguish between network and file operations.

This issue does not manifest previous to and including apparmor-4.0
because we did not process auditing logs then.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/478
Reported-by: vyomydv vyom.yadav@canonical.com
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2025-01-27 09:52:59 -03:00
parent c81eacacac
commit af6dfe5b81
5 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
libraries/libapparmor/testsuite/test_multi/testcase36.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase36.in Normal file
View File

@ -0,0 +1 @@
2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

15
libraries/libapparmor/testsuite/test_multi/testcase36.out Normal file
View File

@ -0,0 +1,15 @@
START
File: testcase36.in
Event type: AA_RECORD_AUDIT
Audit ID: 1737963096.225:3240
Operation: getattr
Mask: r
fsuid: 122
ouid: 122
Profile: /usr/sbin/mosquitto
Name: /etc/mosquitto/pwfile
Command: mosquitto
PID: 8119
Class: file
Epoch: 1737963096
Audit subid: 3240

4
libraries/libapparmor/testsuite/test_multi/testcase36.profile Normal file
View File

@ -0,0 +1,4 @@
/usr/sbin/mosquitto {
/etc/mosquitto/pwfile r,
}

4
utils/apparmor/logparser.py
View File

@ -131,7 +131,7 @@ class ReadLog:
return 'pivot_root'
elif e['class'] and e['class'] == 'net' and e['family'] and e['family'] == 'unix':
return 'unix'
elif self.op_type(e) == 'file':
elif e['class'] == 'file' or self.op_type(e) == 'file':
return 'file'
elif e['operation'] == 'capable':
return 'capability'
@ -337,7 +337,7 @@ class ReadLog:
UnixRule.hashlog_from_event(self.hashlog[aamode][full_profile]['unix'], e)
return
elif self.op_type(e) == 'file':
elif e['class'] == 'file' or self.op_type(e) == 'file':
FileRule.hashlog_from_event(self.hashlog[aamode][full_profile]['file'], e)
elif e['operation'] == 'capable':