From 56b55aa0dd839803461bb9cc15a5477b047b7771 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 13 Dec 2017 20:16:29 +0100
Subject: [PATCH 1/2] support 'owner' file events in logparser.py
logparser.py failed to notice if file events are owner-only in modern audit.log (using fsuid=... and ouid=...). This patch adds a comparison of fsuid and ouid and marks file events as 'owner' if they match. Note that log events without fsuid=... or ouid=... will have 18446744073709551615 as fsuid / ouid value (that's 2^64 - 1). 'None' would clearly be better ;-) References: https://bugs.launchpad.net/apparmor/+bug/1538340
---
 utils/apparmor/logparser.py | 11 +++++++++++
 utils/test/test-logparser.py | 2 ++
 2 files changed, 13 insertions(+)
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 265c8fb60..0e74c3f52 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -118,6 +118,10 @@ class ReadLog:
 ev['protocol'] = event.net_protocol
 ev['sock_type'] = event.net_sock_type
+ if event.ouid != 18446744073709551615: # 2^64 - 1
+ ev['fsuid'] = event.fsuid
+ ev['ouid'] = event.ouid
+
 if ev['operation'] and ev['operation'] == 'signal':
 ev['signal'] = event.signal
 ev['peer'] = event.peer
@@ -268,6 +272,13 @@ class ReadLog:
 if not validate_log_mode(hide_log_mode(dmask)):
 raise AppArmorException(_('Log contains unknown mode %s') % dmask)
+ if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
+ # mark as "owner" event
+ if '::' not in rmask:
+ rmask = '%s::' % rmask
+ if '::' not in dmask:
+ dmask = '%s::' % dmask
+
 # convert rmask and dmask to mode arrays
 e['denied_mask'], e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
 e['request_mask'], e['name2'] = log_str_to_mode(e['profile'], rmask, e['name2'])
diff --git a/utils/test/test-logparser.py b/utils/test/test-logparser.py
index 6a7728a8f..e72a96750 100644
--- a/utils/test/test-logparser.py
+++ b/utils/test/test-logparser.py
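Review bot: The sentinel `18446744073709551615` in the new `if event.ouid != …` guard is a bare magic number, and its trailing comment `# 2^64 - 1` reads as XOR in Python; in a Python file it should be spelled `2**64 - 1` and the value given a module-level name, e.g. `_UID_NOT_PRESENT = 18446744073709551615  # 2**64 - 1: reported when fsuid=/ouid= are absent from the log line` with the guard reading `if event.ouid != _UID_NOT_PRESENT:`. The guard inspects only `ouid`, so a log line carrying `ouid=` without `fsuid=` would store the sentinel as `ev['fsuid']` and the later equality would simply fail; that is presumably the intended fall-through to a non-owner rule, but a one-line comment saying so would spare the next reader the derivation. The enclosing method starts before the hunk and continues after it.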
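Review bot: The new owner check `e.get('ouid') is not None and e['fsuid'] == e['ouid']` indexes `e['fsuid']` directly, so an event dict that carries `ouid` but no `fsuid` raises KeyError here instead of falling through to a non-owner rule; `e.get('fsuid') == e['ouid']` keeps the intended behaviour for such input while staying equivalent for dicts produced by the first hunk. The `# mark as "owner" event` comment could also say what the suffix and the fallback mean, e.g. `# fsuid == ouid: the '::' suffix marks rmask/dmask as owner-only for log_str_to_mode below; events without fsuid/ouid keep the broader non-owner mode`. The enclosing method starts before the hunk and continues after it.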
@@ -73,11 +73,13 @@ class TestParseEvent(unittest.TestCase):
 'attr': None,
 'denied_mask': 'r',
 'error_code': 13,
+ 'fsuid': 1002,
 'info': 'Failed name lookup - disconnected path',
 'magic_token': 0,
 'name': 'var/run/nscd/passwd',
 'name2': None,
 'operation': 'file_mmap',
+ 'ouid': 0,
 'parent': 0,
 'pid': 25333,
 'profile': '/sbin/klogd',
From 861d8b43492748dc71e9a08816c1f1ccdd8558b6 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 13 Dec 2017 20:19:06 +0100
Subject: [PATCH 2/2] Update libapparmor testsuite profiles with owner rules
Several log examples result in rules where the 'owner' conditional should be added. With logparser.py fixed to handle owner-only events, we need to add the owner conditional to several test_multi/*.profile files. I verified all log files for the changed profiles and made sure that - the log line contains fsuid= and ouid= - fsuid == ouid I also did a quick check on all log events containing ouid= and for those with fsuid == ouid, I checked that the profile has the owner conditional.
Acked-by: Seth Arnold for trunk and 2.11 (see mail from 2017-07-31)
---
 .../libapparmor/testsuite/test_multi/avc_syslog_01.profile | 2 +-
 .../libapparmor/testsuite/test_multi/syslog_audit_01.profile | 2 +-
 .../testsuite/test_multi/testcase_dmesg_link_01.profile | 2 +-
 .../testsuite/test_multi/testcase_encoded_comm.profile | 2 +-
 .../testsuite/test_multi/testcase_encoded_profile.profile | 2 +-
 .../testsuite/test_multi/testcase_syslog_link_01.profile | 2 +-
 .../testsuite/test_multi/testcase_syslog_read.profile | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile
index b81a22eeb..7f25b4353 100644
--- a/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile
@@ -1,4 +1,4 @@
 /usr/sbin/cupsd {
- /boot/ r,
+ owner /boot/ r,
 }
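Review bot: The updated fixture exercises only the non-owner case — `'fsuid': 1002` and `'ouid': 0` differ — so the new `'::'` owner-marking branch in logparser.py and the sentinel fall-through for events lacking `fsuid=`/`ouid=` both remain untested in this file. A second parsed event whose fsuid equals its ouid, asserting that the resulting mode carries the `::` suffix (or that the generated rule gains `owner`), would pin the behaviour patch 1/2 adds; the profile changes in 2/2 cover it only indirectly through the libapparmor testsuite. The expected-dict literal starts before the hunk and continues after it.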
diff --git a/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile
index bdfb17e24..dd7325a88 100644
--- a/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir {
- /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
+ owner /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile
index 4b0bfbc20..48a164a82 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
- /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+ owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile
index 0ecb2f40f..0c09d907b 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile
@@ -1,4 +1,4 @@
 "/home/steve/tmp/my prog.sh" {
- "/home/steve/tmp/my prog.sh" r,
+ owner "/home/steve/tmp/my prog.sh" r,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile
index 47f6519ed..28a60c1f9 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile
@@ -1,4 +1,4 @@
 profile "test space" {
- /lib/x86_64-linux-gnu/libdl-2.13.so r,
+ owner /lib/x86_64-linux-gnu/libdl-2.13.so r,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile
index 4b0bfbc20..48a164a82 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
- /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+ owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile
index f0485ed31..3afa58fd4 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile
@@ -1,4 +1,4 @@
 /usr/sbin/vsftpd {
- /home/bane/foo r,
+ owner /home/bane/foo r,
 }