aa-logprof attaches events to wrong profile on pid reuse
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | |
Bug Description
(reported by NickJr on IRC)
Mar 28 09:00:01 hostname kernel: [712243.093475] audit: type=1400 audit(152395560
Apr 17 11:31:17 hostname kernel: [646966.179533] audit: type=1400 audit(152223667
This will cause aa-logprof to ask if the php7.0 profile (!) should be allowed to exec postfix/pickup (verified in latest git code as of today). The reason is that both events have the same pid, which got reused after some weeks.
-> The log parsing should look at the profile name, not at the pid.
(Needless to say that this is not an easy change ;-) so doing it will probably need time.)
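The mis-attribution described in this report, as an added example that is not aa-logprof's code: a simplified model that keys events on pid, compared with reading each event's own profile= field. The log lines, profile names, paths and pid are constructed for illustration, and the model ignores that a pid can legitimately change profile on an exec transition.

```python
import re

# Constructed sample events (not the truncated lines from the report):
# pid 4242 belongs to php7.0 in March and to postfix's master in April.
SAMPLE_LOG = [
    'Mar 28 09:00:01 hostname kernel: [1.0] audit: type=1400 '
    'audit(1522227601.000:101): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/php7.0" name="/etc/php/7.0/cli/php.ini" pid=4242 '
    'comm="php7.0" requested_mask="r" denied_mask="r"',
    'Apr 17 11:31:17 hostname kernel: [2.0] audit: type=1400 '
    'audit(1523964677.000:202): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/lib/postfix/sbin/master" '
    'name="/usr/lib/postfix/sbin/pickup" pid=4242 comm="master" '
    'requested_mask="x" denied_mask="x"',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def attribute_by_pid(events):
    """Model of the reported behaviour: the first profile seen for a pid
    is reused for every later event carrying that pid."""
    owner = {}
    return [(owner.setdefault(e["pid"], e["profile"]), e["name"]) for e in events]


def attribute_by_profile(events):
    """What the report asks for: trust the profile= field of each event."""
    return [(e["profile"], e["name"]) for e in events]


def misattributed(events):
    """Events whose pid-derived profile differs from their own profile= field."""
    by_pid, by_prof = attribute_by_pid(events), attribute_by_profile(events)
    return [(p, q, name) for (p, name), (q, _) in zip(by_pid, by_prof) if p != q]


if __name__ == "__main__":
    for wrong, right, name in misattributed([parse(l) for l in SAMPLE_LOG]):
        print(f"{name}: pid lookup says {wrong}, event says {right}")
```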