From b475ed0dec1bcf735cf2d97e8fb1ba8024d4e8cc Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 8 May 2024 21:56:42 +0200
Subject: [PATCH] Handle mount events/log entries without class

audit.log entries for mount events don't always include `class=mount`, but can still be the base for mount rules. Change logparser.py to also consider `operation=mount` as a mount event.

Actually we already had such a log and profile in our collection (testcase_mount_01), but since it existed years before MountRule was implemented, it was excluded in test-libapparmor-test_multi.py. Therefore we didn't notice that it failed to produce a profile rule when MountRule was introduced.

Remove testcase_mount_01 from the list of known failures so that it gets tested - and fix the syntax error in the hand-written testcase_mount_01.profile.

Also add testcase_mount_02 which is a mount event without fstype, srcname and class.
---
 .../testsuite/test_multi/testcase_mount_01.profile | 2 +-
 .../testsuite/test_multi/testcase_mount_02.err | 0
 .../testsuite/test_multi/testcase_mount_02.in | 1 +
 .../testsuite/test_multi/testcase_mount_02.out | 14 ++++++++++++++
 .../testsuite/test_multi/testcase_mount_02.profile | 4 ++++
 utils/apparmor/logparser.py | 2 +-
 utils/test/test-libapparmor-test_multi.py | 3 ---
 7 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile
index ecdf67104..329511dcb 100644
--- a/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile
@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
- mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+ mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 }
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in
new file mode 100644
index 000000000..00a90dabb
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out
new file mode 100644
index 000000000..1487dfcf5
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out
@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile
new file mode 100644
index 000000000..275d93136
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile
@@ -0,0 +1,4 @@
+profile steam {
+ mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index eba4a889b..743ef4901 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -226,7 +226,7 @@ class ReadLog:
 self.hashlog[aamode][full_profile]['io_uring'][e['denied_mask']][e['peer_profile']] = True
 return
- elif e['class'] and e['class'] == 'mount':
+ elif e['class'] and e['class'] == 'mount' or e['operation'] == 'mount':
 if e['flags'] != None:
 e['flags'] = ('=', e['flags'])
 if e['fs_type'] != None:
diff --git a/utils/test/test-libapparmor-test_multi.py b/utils/test/test-libapparmor-test_multi.py
index 831ce4e96..d7bd9af51 100644
--- a/utils/test/test-libapparmor-test_multi.py
+++ b/utils/test/test-libapparmor-test_multi.py
@@ -153,8 +153,6 @@ log_to_skip = [
 # tests that do not produce the expected profile (checked with assertNotEqual)
 log_to_profile_known_failures = [
- 'testcase_mount_01', # mount rules not yet supported in logparser
- 'testcase_pivotroot_01', # pivot_rot not yet supported in logparser
 # exec events
@@ -177,7 +175,6 @@ log_to_profile_skip = [
 # tests that cause an empty log
 log_to_profile_known_empty_log = [
 'change_onexec_lp1648143', # change_onexec not supported in logparser.py yet (and the log is about "no new privs" error)
- 'testcase_mount_01', # mount rules not supported in logparser
 'testcase_pivotroot_01', # pivotroot not yet supported in logparser
 'ptrace_garbage_lp1689667_1', # no denied= in log
 'ptrace_no_denied_mask', # no denied= in log
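Review bot: The new `elif` in logparser.py mixes `and` and `or` without parentheses; Python evaluates it as `(class and class == 'mount') or operation == 'mount'`, which is what the commit wants, but it reads ambiguously and the left half is already equivalent to `e['class'] == 'mount'` because a None or empty class never compares equal. Suggest `elif e['class'] == 'mount' or e['operation'] == 'mount':`, which keeps the behaviour and removes the precedence question. It would also help to say why the fallback exists, e.g. `# some kernels log mount events without class=; fall back to operation=`, since the commit message is currently the only explanation. Note that every `operation=mount` event now yields a candidate rule that is only as specific as the log line — the new testcase_mount_02.profile has neither fstype nor source — so narrowing is left to whoever reviews the generated rule, not to the parser. The method containing this branch starts and ends outside the hunk.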