mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

Handle mount events/log entries without class

Browse Source 
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.

Change logparser.py to also consider `operation=mount` as a mount event.

Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.

Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.

Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
This commit is contained in:
Christian Boltz
2024-05-08 21:56:42 +02:00
parent d9207e39eb
commit b475ed0dec
7 changed files with 21 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
utils/apparmor/logparser.py
View File

@@ -226,7 +226,7 @@ class ReadLog:
self.hashlog[aamode][full_profile]['io_uring'][e['denied_mask']][e['peer_profile']] = True
return
elif e['class'] and e['class'] == 'mount':
elif e['class'] and e['class'] == 'mount' or e['operation'] == 'mount':
if e['flags'] != None:
e['flags'] = ('=', e['flags'])
if e['fs_type'] != None:

3
utils/test/test-libapparmor-test_multi.py
View File

@@ -153,8 +153,6 @@ log_to_skip = [
# tests that do not produce the expected profile (checked with assertNotEqual)
log_to_profile_known_failures = [
'testcase_mount_01', # mount rules not yet supported in logparser
'testcase_pivotroot_01', # pivot_rot not yet supported in logparser
# exec events
@@ -177,7 +175,6 @@ log_to_profile_skip = [
# tests that cause an empty log
log_to_profile_known_empty_log = [
'change_onexec_lp1648143', # change_onexec not supported in logparser.py yet (and the log is about "no new privs" error)
'testcase_mount_01', # mount rules not supported in logparser
'testcase_pivotroot_01', # pivotroot not yet supported in logparser
'ptrace_garbage_lp1689667_1', # no denied= in log
'ptrace_no_denied_mask', # no denied= in log