mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge [3.1] collapse_log(): Attach null-* events to correct target profile

Browse source 
ask_exec() and ask_addhat() set
hashlog[aamode][full_profile]['final_name'].

While this was used to get profile and hat split, it was not used as key
for log_dict. This resulted in entries like
log_dict['PERMITTING']['foo//null-/usr/bin/cat']
which are obviously wrong.

Use final_name as log_dict key so that we end up with (assuming child
exec was selected)
log_dict['PERMITTING']['foo///usr/bin/cat']

This fixes a regression introduced in 3.1.

This is the 3.1 version of https://gitlab.com/apparmor/apparmor/-/merge_requests/1091

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1092
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2023-08-24 01:16:45 +00:00
commit 75d1b3f2ee
1 changed files with 14 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
utils/apparmor/aa.py
View file

@ -1643,16 +1643,18 @@ def collapse_log(hashlog, ignore_null_profiles=True):
log_dict[aamode] = {} log_dict[aamode] = {}
for full_profile in hashlog[aamode].keys(): for full_profile in hashlog[aamode].keys():
if hashlog[aamode][full_profile]['final_name'] == '': final_name = hashlog[aamode][full_profile]['final_name']
if final_name == '':
continue # user chose "deny" or "unconfined" for this target, therefore ignore log events continue # user chose "deny" or "unconfined" for this target, therefore ignore log events
if '//null-' in hashlog[aamode][full_profile]['final_name'] and ignore_null_profiles: if '//null-' in final_name and ignore_null_profiles:
# ignore null-* profiles (probably nested childs) # ignore null-* profiles (probably nested childs)
# otherwise we'd accidentally create a null-* hat in the profile which is worse # otherwise we'd accidentally create a null-* hat in the profile which is worse
# XXX drop this once we support nested childs # XXX drop this once we support nested childs
continue continue
profile, hat = split_name(hashlog[aamode][full_profile]['final_name']) # XXX limited to two levels to avoid an Exception on nested child profiles or nested null-* profile, hat = split_name(final_name) # XXX limited to two levels to avoid an Exception on nested child profiles or nested null-*
# TODO: support nested child profiles # TODO: support nested child profiles
# used to avoid to accidentally initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile # used to avoid to accidentally initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile
@ -1661,9 +1663,9 @@ def collapse_log(hashlog, ignore_null_profiles=True):
hat_exists = True hat_exists = True
if True: if True:
if not log_dict[aamode].get(full_profile): if not log_dict[aamode].get(final_name):
# with execs in ix mode, we already have ProfileStorage initialized and should keep the content it already has # with execs in ix mode, we already have ProfileStorage initialized and should keep the content it already has
log_dict[aamode][full_profile] = ProfileStorage(profile, hat, 'collapse_log()') log_dict[aamode][final_name] = ProfileStorage(profile, hat, 'collapse_log()')
for path in hashlog[aamode][full_profile]['path'].keys(): for path in hashlog[aamode][full_profile]['path'].keys():
for owner in hashlog[aamode][full_profile]['path'][path]: for owner in hashlog[aamode][full_profile]['path'][path]:
@ -1676,18 +1678,18 @@ def collapse_log(hashlog, ignore_null_profiles=True):
file_event = FileRule(path, mode, None, FileRule.ALL, owner=owner, log_event=True) file_event = FileRule(path, mode, None, FileRule.ALL, owner=owner, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'file', file_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'file', file_event):
log_dict[aamode][full_profile]['file'].add(file_event) log_dict[aamode][final_name]['file'].add(file_event)
# TODO: check for existing rules with this path, and merge them into one rule # TODO: check for existing rules with this path, and merge them into one rule
for cap in hashlog[aamode][full_profile]['capability'].keys(): for cap in hashlog[aamode][full_profile]['capability'].keys():
cap_event = CapabilityRule(cap, log_event=True) cap_event = CapabilityRule(cap, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'capability', cap_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'capability', cap_event):
log_dict[aamode][full_profile]['capability'].add(cap_event) log_dict[aamode][final_name]['capability'].add(cap_event)
for cp in hashlog[aamode][full_profile]['change_profile'].keys(): for cp in hashlog[aamode][full_profile]['change_profile'].keys():
cp_event = ChangeProfileRule(None, ChangeProfileRule.ALL, cp, log_event=True) cp_event = ChangeProfileRule(None, ChangeProfileRule.ALL, cp, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'change_profile', cp_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'change_profile', cp_event):
log_dict[aamode][full_profile]['change_profile'].add(cp_event) log_dict[aamode][final_name]['change_profile'].add(cp_event)
dbus = hashlog[aamode][full_profile]['dbus'] dbus = hashlog[aamode][full_profile]['dbus']
for access in dbus: # noqa: E271 for access in dbus: # noqa: E271
@ -1710,21 +1712,21 @@ def collapse_log(hashlog, ignore_null_profiles=True):
raise AppArmorBug('unexpected dbus access: {}'.format(access)) raise AppArmorBug('unexpected dbus access: {}'.format(access))
if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
log_dict[aamode][full_profile]['dbus'].add(dbus_event) log_dict[aamode][final_name]['dbus'].add(dbus_event)
nd = hashlog[aamode][full_profile]['network'] nd = hashlog[aamode][full_profile]['network']
for family in nd.keys(): for family in nd.keys():
for sock_type in nd[family].keys(): for sock_type in nd[family].keys():
net_event = NetworkRule(family, sock_type, log_event=True) net_event = NetworkRule(family, sock_type, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'network', net_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'network', net_event):
log_dict[aamode][full_profile]['network'].add(net_event) log_dict[aamode][final_name]['network'].add(net_event)
ptrace = hashlog[aamode][full_profile]['ptrace'] ptrace = hashlog[aamode][full_profile]['ptrace']
for peer in ptrace.keys(): for peer in ptrace.keys():
for access in ptrace[peer].keys(): for access in ptrace[peer].keys():
ptrace_event = PtraceRule(access, peer, log_event=True) ptrace_event = PtraceRule(access, peer, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
log_dict[aamode][full_profile]['ptrace'].add(ptrace_event) log_dict[aamode][final_name]['ptrace'].add(ptrace_event)
sig = hashlog[aamode][full_profile]['signal'] sig = hashlog[aamode][full_profile]['signal']
for peer in sig.keys(): for peer in sig.keys():
@ -1732,7 +1734,7 @@ def collapse_log(hashlog, ignore_null_profiles=True):
for signal in sig[peer][access].keys(): for signal in sig[peer][access].keys():
signal_event = SignalRule(access, signal, peer, log_event=True) signal_event = SignalRule(access, signal, peer, log_event=True)
if not hat_exists or not is_known_rule(aa[profile][hat], 'signal', signal_event): if not hat_exists or not is_known_rule(aa[profile][hat], 'signal', signal_event):
log_dict[aamode][full_profile]['signal'].add(signal_event) log_dict[aamode][final_name]['signal'].add(signal_event)
return log_dict return log_dict