aa-logprof throws traceback when mask is 'trace'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
Bug Description
[utils]$ cat /tmp/ptrace-
type=AVC msg=audit(
[utils]$ sudo PYTHONPATH=. ./aa-logprof -f /tmp/ptrace-
Reading log entries from /tmp/ptrace-
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "./aa-logprof", line 46, in <module>
apparmor.
File "/home/
log = log_reader.
File "/home/
event = self.parse_
File "/home/
record_event = self.parse_
File "/home/
raise AppArmorExcepti
apparmor.
Looks like something in the python utils logparsing is transforming the denied 'trace' mask into 'traae', replacing 'c' with 'a'. This does not look to be a problem with libapparmor's logparsing itself, as the test program in it emits the following when pointed at the log message:
[utils]$ ../libraries/
START
File: ptrace-
Event type: AA_RECORD_DENIED
Audit ID: 1424582899.
Operation: ptrace
Mask: trace
Denied Mask: trace
Profile: /usr/lib/
Peer: /usr/lib/
Command: Media D~ode #32
PID: 5549
Epoch: 1424582899
Audit subid: 35736
Changed in apparmor:
status: Fix Committed → Fix Released
Yes, that happens in logparser.py parse_event() which replaces c (create file) -> a and d (delete file) -> w.
We probably need to restrict that replacement to file-related operations, which also means moving it to add_event_to_tree() to avoid duplicating the list of operations.
Most important question: Is doing that replacement _only for file rules/events_ the correct behaviour, or are there other rule types that also need that replacement?
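The behaviour discussed in this report, as an added sketch that is not AppArmor's own code: rewriting c -> a and d -> w on every mask turns the ptrace mask 'trace' into 'traae', while gating the rewrite on the operation leaves it intact. The function names, the `FILE_OPERATIONS` set and the `FILE_MODE` alphabet are assumptions made for this example.

```python
import re

# Assumption: illustrative subset of file-related operation names, not the project's list.
FILE_OPERATIONS = frozenset({"open", "mknod", "unlink", "truncate", "mkdir", "rmdir"})
# Assumption: simplified file-permission alphabet, used only by this example.
FILE_MODE = re.compile(r"[rwalkmx]+")

class UnknownMode(ValueError):
    """Raised when a mask cannot be read as a file mode."""

def map_file_mask(mask):
    """Map c (create file) -> a and d (delete file) -> w."""
    return mask.replace("c", "a").replace("d", "w")

def check_file_mode(mask):
    """Rewrite the mask, then validate the result as a file mode."""
    rewritten = map_file_mask(mask)
    if not FILE_MODE.fullmatch(rewritten):
        raise UnknownMode(rewritten)
    return rewritten

def parse_mask_unconditional(operation, mask):
    """Reported behaviour: every mask is rewritten, whatever the operation."""
    return check_file_mode(mask)

def parse_mask_by_operation(operation, mask):
    """Proposed behaviour: rewrite and validate only for file-related operations."""
    if operation not in FILE_OPERATIONS:
        return mask  # non-file events such as ptrace keep their own mask words
    return check_file_mode(mask)

# Constructed sample events: (operation, denied mask).
SAMPLE_EVENTS = [("mknod", "c"), ("unlink", "d"), ("open", "rwc"), ("ptrace", "trace")]

def run(parser):
    """Apply a parser to every sample event and collect the result or the error."""
    results = {}
    for operation, mask in SAMPLE_EVENTS:
        try:
            results[(operation, mask)] = parser(operation, mask)
        except UnknownMode as exc:
            results[(operation, mask)] = "error: unknown mode " + str(exc)
    return results

if __name__ == "__main__":
    for parser in (parse_mask_unconditional, parse_mask_by_operation):
        print(parser.__name__, run(parser))
```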