Marcus Rueckert
f270973a6c
Accepted submit request 57745 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/57745 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=1
From: Jeff Mahoney <jeffm@suse.com>
|
|
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
|
|
|
|
The version of AppArmor that was accepted into the mainline kernel
|
|
issues audit events for things like change_hat while unconfined.
|
|
Previous versions just returned -EPERM without the audit.
|
|
|
|
This results in logprof and friends spewing uninitialized value errors
|
|
when it hits events like:
|
|
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
|
|
|
|
... which happen any time an unconfined process does something with pam
|
|
when pam_apparmor is installed.
|
|
|
|
This patch skips those events.
|
|
|
|
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
utils/SubDomain.pm | 20 ++++++++++++++++----
|
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
|
|
|
--- a/utils/SubDomain.pm
|
|
+++ b/utils/SubDomain.pm
|
|
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
|
|
return if ($e->{operation} =~ /profile_set/);
|
|
|
|
my ($profile, $hat);
|
|
+
|
|
+ # The version of AppArmor that was accepted into the mainline kernel
|
|
+ # issues audit events for things like change_hat while unconfined.
|
|
+ # Previous versions just returned -EPERM without the audit so the
|
|
+ # events wouldn't have been picked up here.
|
|
+ return if (!$e->{profile});
|
|
+
|
|
# just convert new null profile style names to old before we begin processing
|
|
# profile and name can contain multiple layers of null- but all we care about
|
|
# currently is single level.
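Review bot: The new guard `return if (!$e->{profile});` drops every event that carries no profile, not only the unconfined change_hat denials the description targets, so any other event type that arrives without a profile (now or from a future kernel) is silently lost to logprof with no trace in its output. Since the sample event carries `info="unconfined"`, the skip would be safer narrowed to that case — e.g. `return if (!$e->{profile} && defined $e->{info} && $e->{info} eq 'unconfined');` — assuming parse_event exposes the audit `info` field on the event hash, which is not visible in this hunk. Whatever the condition, a debug trace before the early return (using the module's existing debug helper, if there is one) would keep the discarded events diagnosable. Note that a plain truthiness test also skips a profile literally named `0`; `!defined $e->{profile} || $e->{profile} eq ''` avoids that corner. add_event_to_tree starts before this hunk and its body continues past it.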
|
|
@@ -6625,10 +6632,15 @@ sub parse_event($) {
|
|
LibAppArmor::free_record($event);
|
|
|
|
#map new c and d to w as logprof doesn't support them yet
|
|
- $rmask =~ s/c/w/g;
|
|
- $rmask =~ s/d/w/g;
|
|
- $dmask =~ s/c/w/g;
|
|
- $dmask =~ s/d/w/g;
|
|
+ if ($rmask) {
|
|
+ $rmask =~ s/c/w/g;
|
|
+ $rmask =~ s/d/w/g;
|
|
+ }
|
|
+
|
|
+ if ($dmask) {
|
|
+ $dmask =~ s/c/w/g;
|
|
+ $dmask =~ s/d/w/g;
|
|
+ }
|
|
|
|
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
|
|
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),
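Review bot: The two new `if ($rmask)` / `if ($dmask)` blocks duplicate the same pair of substitutions, and the guard is there only to silence the uninitialized-value warning, which Perl's `tr` operator expresses more directly as a character map; both blocks collapse to a single loop over the two aliases, `for my $mask ($rmask, $dmask) { $mask =~ tr/cd/ww/ if defined $mask; }`, which also uses `defined` rather than truthiness so the intent (undef mask from the record) is explicit. It would help to extend the existing comment to say why the masks can be undefined here, e.g. `# $rmask/$dmask are undef for events without a file mode (e.g. change_hat denials)`, since the hunk otherwise gives no hint of the audit event that triggered this. The later `if ($rmask && ...)` check at the end of the hunk already tolerates an undefined mask, so the remainder of parse_event, which continues outside this hunk, should need no further change.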
|