libapparmor marks a valid-looking log event as AA_RECORD_INVALID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
./test_multi.multi <(echo '[ 1365.276240] audit: type=1400 audit(149219388
START
File: 63
Event type: AA_RECORD_INVALID
Audit ID: 1492193888.236:75
Operation: file_inherit
Mask: send receive
Denied Mask: send receive
Profile: /usr/sbin/sendmail
Command: postdrop
PID: 2096
Network family: unix
Socket type: stream
Protocol: ip
Epoch: 1492193888
Audit subid: 75
It looks like the log line can be parsed successfully - why does libapparmor set the event type AA_RECORD_INVALID nevertheless?
(Tested with bzr trunk.)
(12:19:29 PM) cboltz: just tested - if I remove peer_addr= and addr= it gets parsed as AA_RECORD_DENIED; "peeraddr" still leads to AA_RECORD_INVALID
(12:21:22 PM) cboltz: so sbeattie's guess is half the answer ;-)
(12:24:19 PM) sbeattie: cboltz: sort of, in that I don't think libapparmor knows the "peer_addr" keyword, but does know the "addr" keyword, but the grammar doesn't expect an "addr" entry for that type of denial either, I guess.
(12:25:00 PM) sbeattie: (good luck to your own grammar parser in parsing that last sentence)
(12:25:35 PM) cboltz: oh, your sentence is easy to parse ;-)
(12:26:13 PM) cboltz: it's not the typical short English sentence
(12:26:27 PM) cboltz: but Germans are used to long and nested sentences ;-)
(12:32:36 PM) sbeattie: ah, the issue with addr is the grammar expects the right hand side to be a quoted string (or a hexstring) and 'none' is neither.
(12:33:27 PM) sbeattie: at least, based on a cursory exploration
(12:34:20 PM) cboltz: hmm, changing it to addr="addr" peer_addr=
(12:35:42 PM) sbeattie: cboltz: like I said, peer_addr is an unknown keyword to libapparmor, so it will always fail that. try adding just addr="whatever"
(12:36:54 PM) cboltz: indeed, that works