Avoid aa-notify crash on log events without operation= (!797) · Merge requests · AppArmor / apparmor

Christian Boltz requested to merge cboltz/apparmor:cboltz-notify-fix into master Sep 06, 2021

Some STATUS log events trigger a crash in aa-notify because the log line doesn't have operation=. Examples are:

type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"

type=AVC msg=audit(1630913352.610:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"

Fix this by not looking at log events without operation=

Also add one of the example events as libapparmor testcase.

Fixes: #194 (closed)

I propose this patch for 3.0 and master. (In 2.13 and older, we still have the perl version of aa-notify.)

Avoid aa-notify crash on log events without operation=

Merge request reports