Ignore ´//null-` peers in signal and ptrace events

Ideally we'd update them to the chosen exec target - but until this is implemented, it doesn't make sense to ask about adding a //null-* peer to a profile. This commit is a manual backport of 41df2ca366 / https://gitlab.com/apparmor/apparmor/-/merge_requests/1090 (with indentation changed to match the 3.1 branch)
2025-03-04 08:24:42 +01:00 · 2023-09-12 21:14:51 +02:00 · 2023-09-12 21:14:51 +02:00 · 7301aae216
commit 7301aae216
parent a6e7cea9ab
1 changed files with 6 additions and 0 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@ -1723,6 +1723,9 @@ def collapse_log(hashlog, ignore_null_profiles=True):

                ptrace = hashlog[aamode][full_profile]['ptrace']
                for peer in ptrace.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                    for access in ptrace[peer].keys():
                        ptrace_event = PtraceRule(access, peer, log_event=True)
                        if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
@ -1730,6 +1733,9 @@ def collapse_log(hashlog, ignore_null_profiles=True):

                sig = hashlog[aamode][full_profile]['signal']
                for peer in sig.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                    for access in sig[peer].keys():
                        for signal in sig[peer][access].keys():
                            signal_event = SignalRule(access, signal, peer, log_event=True)