logparser.py: improve file vs. network event switch

Bug #1613061 reported by Christian Boltz
This bug affects 1 person
Affects  | Status       | Importance | Assigned to     | Milestone
AppArmor | Fix Released | Undecided  | Christian Boltz |
2.10     | Fix Released | Undecided  | Christian Boltz |

Bug Description

It happened more than once that the audit.log contains network events with operation="file_whatever", and it also happened that events looking like network events actually are file events.

Currently we have a hotfix in place to avoid crashes, see
    https://bugs.launchpad.net/apparmor/+bug/1577051 and
    https://bugs.launchpad.net/apparmor/+bug/1582374

Unfortunately, this hotfix just ignores log events if they were sorted into the wrong category based on the operation= keyword.

logparser.py needs to be changed to decide about file vs. network using the event details instead of the operation= keyword.

Tags: aa-tools
Christian Boltz (cboltz) wrote :

See also https://bugs.launchpad.net/apparmor/+bug/1472368 for an example of operation="connect" which is actually a file event.
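
The distinction described in this report, as an added example (not the logparser.py change and not code from the AppArmor project): it classifies constructed audit records once by the operation= keyword and once by the fields they carry, and lists where the two disagree. The operation lists and the field rules are assumptions made for this illustration.

```python
import re

# key=value pairs as found in AppArmor audit records (quoted or bare values)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def classify_by_operation(fields):
    """Fragile switch: trust the operation= keyword alone (hypothetical lists)."""
    op = fields.get("operation", "")
    if op.startswith("file_") or op in {"open", "mknod", "unlink"}:
        return "file"
    if op in {"create", "connect", "bind", "sendmsg", "recvmsg"}:
        return "net"
    return "other"

def classify_by_details(fields):
    """Assumed rule: socket fields mean network, a path plus mask means file."""
    if {"family", "sock_type", "protocol"} <= fields.keys():
        return "net"
    if "name" in fields and "denied_mask" in fields:
        return "file"
    return "other"

def mismatches(lines):
    """List (operation, keyword_guess, detail_guess) where the two disagree."""
    out = []
    for line in lines:
        f = parse_fields(line)
        by_op, by_det = classify_by_operation(f), classify_by_details(f)
        if by_op != by_det:
            out.append((f.get("operation"), by_op, by_det))
    return out

# Constructed sample records (not taken from the linked bug reports);
# field order is simplified, which does not matter to the parser.
_HEAD = 'type=AVC msg=audit(1470000000.001:101): apparmor="DENIED" profile="/usr/bin/example" pid=1001 comm="example" '
SAMPLE = [
    _HEAD + 'operation="open" name="/etc/example.conf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    _HEAD + 'operation="file_perm" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"',
    _HEAD + 'operation="connect" name="/run/example.sock" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
    _HEAD + 'operation="create" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"',
]

if __name__ == "__main__":
    for row in mismatches(SAMPLE):
        print(row)
```

A record that the keyword switch sorts into the wrong category is one that a "skip on mismatch" hotfix would drop, so the denial never reaches the profile update.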

Christian Boltz (cboltz) wrote :

Implemented in bzr trunk r3594 and 2.10 branch r3369.

Changed in apparmor:
milestone: none → 2.11
status: New → Fix Committed
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released