[utils]$ cat /tmp/ptrace-audit-log-message
type=AVC msg=audit(1424582899.204:35736): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=5549 comm=4D6564696120447E6F646520233332 requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
[utils]$ sudo PYTHONPATH=. ./aa-logprof -f /tmp/ptrace-audit-log-message
Reading log entries from /tmp/ptrace-audit-log-message.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "./aa-logprof", line 46, in <module>
apparmor.do_logprof_pass(logmark)
File "/home/steve/bzr/apparmor-master/utils/apparmor/aa.py", line 2287, in do_logprof_pass
log = log_reader.read_log(logmark)
File "/home/steve/bzr/apparmor-master/utils/apparmor/logparser.py", line 357, in read_log
event = self.parse_log_record(line)
File "/home/steve/bzr/apparmor-master/utils/apparmor/logparser.py", line 88, in parse_log_record
record_event = self.parse_event(record)
File "/home/steve/bzr/apparmor-master/utils/apparmor/logparser.py", line 128, in parse_event
raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode traae'
looks like something in the python utils logparsing is transforming the denied 'trace' mask into 'traae', replacing 'c' with 'a'. This does not look to be a problem with libapparmor's logparsing itself, as the test program in it emits the following when pointed at the log message:
[utils]$ ../libraries/libapparmor/testsuite/test_multi.multi /tmp/ptrace-audit-log-message
START
File: ptrace-audit-log-message
Event type: AA_RECORD_DENIED
Audit ID: 1424582899.204:35736
Operation: ptrace
Mask: trace
Denied Mask: trace
Profile: /usr/lib/firefox/firefox{,*[^s][^h]}
Peer: /usr/lib/firefox/firefox{,*[^s][^h]}
Command: Media D~ode #32
PID: 5549
Epoch: 1424582899
Audit subid: 35736
Yes, that happens in logparser.py parse_event() which replaces c (create file) -> a and d (delete file) -> w.
We probably need to restrict that replacement to file-related operations, which also means to move it to add_event_to_tree() to avoid duplicating the list of operations.
Most important question: Is doing that replacement _only for file rules/events_ the correct behaviour, or are there other rule types that also need that replacement?