logprof does not properly assign log events when profile is already defined
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
New
|
Undecided
|
Unassigned | ||
Bug Description
When a log contains events for the null-profile and when a profile already exists that contains an exec rule that matches part of the null-profile event stream. The null profile stream of events that belong to the profile specified by the exec rule will not get properly assigned, resulting in logprof re-asking questions about even flow decisions that have already been made.
Note that if the event flow decision was made in the current run of logprof the events get properly assigned it is only when logprof is quit and restarted that the null profile event stream is problematic
Test
1. obtain a log file with null-profile events that must track across an exec.
2. run logprof on the file
3. create transition and new profile that events should be assigned to.
4. save without completing profile so events in log are outstanding
5. restart logprof on log file
logprof won't ask the transition question (which it shouldn't) but starts asking the the child profile events should included in the current (parent) profile.
| John Johansen (jjohansen) wrote | #1 |
| Christian Boltz (cboltz) wrote | #2 |
Need to test if this is the case on newer logs that track across the fork with pids and the newer null-profile format