From 16e6d5ffd97717d793ef4e75dd01b5cf99b9f88a Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Wed, 8 Jul 2015 22:34:38 +0200 Subject: [PATCH] Ignore file_perm events without request_mask For some (not yet known) reason, we get file_perm events without request_mask set, which causes an aa-logprof crash. Reproducer log entry: Jun 19 12:00:55 piorun kernel: [4475115.459952] audit: type=1400 audit(1434708055.676:19629): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2" pid=3512 comm="apache2" laddr=::ffff:193.0.236.159 lport=80 faddr=::ffff:192.168.103.80 fport=61985 family="inet6" sock_type="stream" protocol=6 This patch changes logparser.py to ignore those events. References: https://bugs.launchpad.net/apparmor/+bug/1466812/ Acked-by: Steve Beattie for trunk and 2.9 --- utils/apparmor/logparser.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py index 40d4ad967..8bf4f6ac3 100644 --- a/utils/apparmor/logparser.py +++ b/utils/apparmor/logparser.py @@ -253,6 +253,11 @@ class ReadLog: 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link', 'sysctl', 'getattr', 'setattr', 'xattr'] ): + # for some reason, we get file_perm log events without request_mask, see https://bugs.launchpad.net/apparmor/+bug/1466812/ + if e['operation'] == 'file_perm' and e['request_mask'] is None: + self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) + return None + # Map c (create) to a and d (delete) to w (logging is more detailed than the profile language) rmask = e['request_mask'] rmask = rmask.replace('c', 'a')