utils: look for 'file' class when parsing logs

Since kernel commit 8c4b785a86be the class is available to check if the log belongs to which class. This fixes cases where the logparser is not able to distinguish between network and file operations. This issue does not manifest previous to and including apparmor-4.0 because we did not process auditing logs then. Fixes: apparmor/apparmor#478 Reported-by: vyomydv <vyom.yadav@canonical.com> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

utils: look for 'file' class when parsing logs
5592b18b · Georgia Garcia · 72f9952a · 5592b18b · 5592b18b · 5592b18b
Commit 5592b18b authored 1 month ago by Georgia Garcia
--- a/libraries/libapparmor/testsuite/test_multi/testcase36.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase36.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.in
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122
--- a/libraries/libapparmor/testsuite/test_multi/testcase36.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.out
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240
--- a/libraries/libapparmor/testsuite/test_multi/testcase36.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.profile
+/usr/sbin/mosquitto {
+  /etc/mosquitto/pwfile r,
+
+}
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -131,7 +131,7 @@ class ReadLog:
            return 'pivot_root'
        elif e['class'] and e['class'] == 'net' and e['family'] and e['family'] == 'unix':
            return 'unix'
-        elif self.op_type(e) == 'file':
+        elif e['class'] and e['class'] == 'file' or self.op_type(e) == 'file':
            return 'file'
        elif e['operation'] == 'capable':
            return 'capability'
@@ -337,7 +337,7 @@ class ReadLog:
            UnixRule.hashlog_from_event(self.hashlog[aamode][full_profile]['unix'], e)
            return

-        elif self.op_type(e) == 'file':
+        elif e['class'] and e['class'] == 'file' or self.op_type(e) == 'file':
            FileRule.hashlog_from_event(self.hashlog[aamode][full_profile]['file'], e)

        elif e['operation'] == 'capable':