Handle mount events/log entries without class

audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.

Change logparser.py to also consider `operation=mount` as a mount event.

Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.

Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.

Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

utils/apparmor/logparser.py

@@ -226,7 +226,7 @@ class ReadLog:
             self.hashlog[aamode][full_profile]['io_uring'][e['denied_mask']][e['peer_profile']] = True
             return
 
-        elif e['class'] and e['class'] == 'mount':
+        elif e['class'] and e['class'] == 'mount' or e['operation'] == 'mount':
             if e['flags'] != None:
                 e['flags'] = ('=', e['flags'])
             if e['fs_type'] != None:

utils/test/test-libapparmor-test_multi.py

@@ -153,8 +153,6 @@ log_to_skip = [
 
 # tests that do not produce the expected profile (checked with assertNotEqual)
 log_to_profile_known_failures = [
-    'testcase_mount_01',  # mount rules not yet supported in logparser
-
     'testcase_pivotroot_01',  # pivot_rot not yet supported in logparser
 
     # exec events
@@ -177,7 +175,6 @@ log_to_profile_skip = [
 # tests that cause an empty log
 log_to_profile_known_empty_log = [
     'change_onexec_lp1648143',  # change_onexec not supported in logparser.py yet (and the log is about "no new privs" error)
-    'testcase_mount_01',  # mount rules not supported in logparser
     'testcase_pivotroot_01',  # pivotroot not yet supported in logparser
     'ptrace_garbage_lp1689667_1',  # no denied= in log
     'ptrace_no_denied_mask',  # no denied= in log