Merge branch 'cboltz-logprof-owner' into 'master'

let aa-logprof detect 'owner' events (again) See merge request apparmor/apparmor!34
2025-08-30 13:58:22 +00:00 · 2017-12-22 20:16:16 +00:00
parent f8b208ee80 861d8b4349
commit c3b0a3e512
9 changed files with 20 additions and 7 deletions
--- a/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile
@@ -1,4 +1,4 @@
 /usr/sbin/cupsd {
-  /boot/ r,
+  owner /boot/ r,

 }
--- a/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir {
-  /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
+  owner /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile
@@ -1,4 +1,4 @@
 "/home/steve/tmp/my prog.sh" {
-  "/home/steve/tmp/my prog.sh" r,
+  owner "/home/steve/tmp/my prog.sh" r,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile
@@ -1,4 +1,4 @@
 profile "test space" {
-  /lib/x86_64-linux-gnu/libdl-2.13.so r,
+  owner /lib/x86_64-linux-gnu/libdl-2.13.so r,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile
@@ -1,4 +1,4 @@
 /usr/sbin/vsftpd {
-  /home/bane/foo r,
+  owner /home/bane/foo r,

 }
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -118,6 +118,10 @@ class ReadLog:
        ev['protocol'] = event.net_protocol
        ev['sock_type'] = event.net_sock_type

+        if event.ouid != 18446744073709551615:  # 2^64 - 1
+            ev['fsuid'] = event.fsuid
+            ev['ouid'] = event.ouid
+
        if ev['operation'] and ev['operation'] == 'signal':
            ev['signal'] = event.signal
            ev['peer'] = event.peer
@@ -268,6 +272,13 @@ class ReadLog:
            if not validate_log_mode(hide_log_mode(dmask)):
                raise AppArmorException(_('Log contains unknown mode %s') % dmask)

+            if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
+                # mark as "owner" event
+                if '::' not in rmask:
+                    rmask = '%s::' % rmask
+                if '::' not in dmask:
+                    dmask = '%s::' % dmask
+
            # convert rmask and dmask to mode arrays
            e['denied_mask'],  e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
            e['request_mask'], e['name2'] = log_str_to_mode(e['profile'], rmask, e['name2'])
--- a/utils/test/test-logparser.py
+++ b/utils/test/test-logparser.py
@@ -73,11 +73,13 @@ class TestParseEvent(unittest.TestCase):
            'attr': None,
            'denied_mask': 'r',
            'error_code': 13,
+            'fsuid': 1002,
            'info': 'Failed name lookup - disconnected path',
            'magic_token': 0,
            'name': 'var/run/nscd/passwd',
            'name2': None,
            'operation': 'file_mmap',
+            'ouid': 0,
            'parent': 0,
            'pid': 25333,
            'profile': '/sbin/klogd',