logparser.py: ignore network events with 'send receive'

We already ignore network events that look like file events (based on the operation keyword) if they have a request_mask of 'send' or 'receive' to avoid aa-logprof crashes because of "unknown" permissions. It turned out that both can happen at once, so we should also ignore this case. Also add the now-ignored log event as test_multi testcase. References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13 Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
2025-03-05 17:01:00 +01:00 · 2016-07-30 00:44:18 +02:00 · 2016-07-30 00:44:18 +02:00 · 2a929f3f1c
commit 2a929f3f1c
parent ec4de6e081
4 changed files with 21 additions and 1 deletions
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in
@ -0,0 +1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out
@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@ -292,7 +292,7 @@ class ReadLog:
            # sometimes network events come with an e['operation'] that matches the list of file operations
            # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
            # XXX these events are network events, so we should map them as such
-            if e['request_mask'] in ('send', 'receive'):
+            if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
                self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
                return None
				`@ -0,0 +1 @@`
				`Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"`