logparser.py crash for change_hat event

Bug #1523297 reported by Christian Boltz on 2015-12-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Christian Boltz
2.10
Undecided
Christian Boltz
2.9
Undecided
Christian Boltz

Bug Description

python3 aa-logprof -f <(echo 'type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT"')

results in
...
  File ".../utils/apparmor/logparser.py", line 265, in parse_event_for_tree
    if '//' in e['name']:
TypeError: argument of type 'NoneType' is not iterable

print(e) gives {
'operation': 'change_hat',
'resource': None,
'magic_token': 0,
'denied_mask': None,
'pid': 8527,
'error_code': 0,
'profile': '/usr/sbin/httpd{,2}-prefork',
'info': None,
'parent': 0,
'name2': '/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT',
'time': 1449442292,
'attr': None,
'active_hat': None,
'aamode': 'PERMITTING',
'task': 0,
'request_mask': None,
'name': None
}

'name' is None, so it's not too surprising to see a crash here. The more interesting question is _why_ 'name' is None...

In case it matters - the log line comes from kernel 4.3.0 on openSUSE Tumbleweed.

John Johansen (jjohansen) wrote :

change_hat does NOT log a name, only a target. Which is represented by name2 in the logparse

Christian Boltz (cboltz) wrote :

Patch sent to ML.

This bug survived for a very long time - even the old perl code gets it wrong ;-) (I'lll only fix the python code, which means 2.9 branch and newer)

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz) wrote :

Fix commited to bzr (trunk, 2.10 and 2.9 branch)

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Christian Boltz (cboltz) on 2017-01-10
Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers