From d9be57a1409d90e752a48c31d744cb43ffe2c03b Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 23 Feb 2017 01:01:51 +0100
Subject: [PATCH] Ignore change_hat events with error=-1 and "unconfined can not change_hat"
That's much better than crashing aa-logprof ;-) (use the log line in the added testcase if you want to see the crash) Reported by pfak on IRC.
Acked-by: Seth Arnold for trunk, 2.10 and 2.9.
---
.../testsuite/test_multi/unconfined-change_hat.err | 0
.../testsuite/test_multi/unconfined-change_hat.in | 1 +
.../testsuite/test_multi/unconfined-change_hat.out | 12 ++++++++++++
.../test_multi/unconfined-change_hat.profile | 2 ++
utils/apparmor/logparser.py | 2 ++
5 files changed, 17 insertions(+)
create mode 100644 libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
create mode 100644 libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in
create mode 100644 libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out
create mode 100644 libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile
diff --git a/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in
new file mode 100644
index 000000000..de66356b5
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in
@@ -0,0 +1 @@
+Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2"
diff --git a/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out
new file mode 100644
index 000000000..c5c5ae138
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out
@@ -0,0 +1,12 @@
+START
+File: unconfined-change_hat.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1487719321.954:218
+Operation: change_hat
+Profile: unconfined
+Command: apache2
+Info: unconfined can not change_hat
+ErrorCode: 1
+PID: 19941
+Epoch: 1487719321
+Audit subid: 218
diff --git a/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile
new file mode 100644
index 000000000..7848bac5e
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile
@@ -0,0 +1,2 @@
+profile unconfined {
+}
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 01b81ab8b..2f64cc9c2 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -231,6 +231,8 @@ class ReadLog:
 if e['operation'] == 'change_hat':
 if aamode != 'HINT' and aamode != 'PERMITTING':
 return None
+ if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat':
+ return None
 profile = e['name2']
 #hat = None
 if '//' in e['name2']:
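Review bot: The added guard in the `change_hat` branch matches one exact `info` string, so any other change_hat record that arrives without a hat name would still reach `'//' in e['name2']` just below. Assuming the crash comes from `name2` being unset for this event (the sample log line carries no name fields), a broader check such as `if not e['name2']: return None` placed after the added lines would cover those records too. The comparison against `1` also needs a comment, because the log line says `error=-1` while the parsed record in the `.out` fixture shows `ErrorCode: 1`, for example `# error=-1 in the log is parsed as error_code 1`. Returning `None` silently also hides that apache2 is running unconfined while change_hat is in use, which an administrator would likely want surfaced as a debug or warning message before the `return None`. The enclosing method starts and ends outside the hunk.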