From 88595722f6ca0aab659598077df0ce93a9651a73 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Mon, 6 Sep 2021 16:54:33 +0200
Subject: [PATCH] Avoid aa-notify crash on log events without operation=
Some STATUS log events trigger a crash in aa-notify because the log line doesn't have operation=. Examples are:
type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
type=AVC msg=audit(1630913352.610:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"
Fix this by not looking at log events without operation=
Also add one of the example events as libapparmor testcase.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/194
---
 .../testsuite/test_multi/status-filesystem-enabled.err | 0
 .../testsuite/test_multi/status-filesystem-enabled.in | 1 +
 .../testsuite/test_multi/status-filesystem-enabled.out | 3 +++
 utils/aa-notify | 2 +-
 4 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out
diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
new file mode 100644
index 000000000..6a5cbdd90
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in
@@ -0,0 +1 @@
+audit.log:type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
diff --git a/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out
new file mode 100644
index 000000000..7bce27747
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out
@@ -0,0 +1,3 @@
+START
+File: status-filesystem-enabled.in
+Event type: AA_RECORD_INVALID
diff --git a/utils/aa-notify b/utils/aa-notify
index 7eb036887..91d0f3b9c 100755
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -324,7 +324,7 @@ def parse_logdata(logsource):
 event = LibAppArmor.parse_record(entry)
 # Only show actual events of contained programs and ignore among
 # others AppArmor profile reloads
- if event.operation[0:8] != 'profile_':
+ if event.operation and event.operation[0:8] != 'profile_':
 yield event
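Review bot: The new guard on the `if event.operation and ...` line silently drops every record that has no operation, but the comment above it still only mentions profile reloads, so the reason for the truthiness check is not visible to the next reader. Since aa-notify exists to surface denials, the skip should be stated explicitly, e.g. `# Skip records without operation= (such as apparmor="STATUS" boot messages) and profile_* reloads`. The fixture added in this commit shows the example line parsing as AA_RECORD_INVALID, so filtering on the parsed event type may express the intent more precisely than testing `operation`; that would need checking against the second example from the commit message and against what the binding exposes. `parse_logdata` starts above the hunk, so the enclosing loop and any earlier checks on `entry` are not visible here.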