AppArmor

aa-logprof doesn't support unix rules/events

Bug #1528778 reported by QkiZ on 2015-12-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned
	apparmor (Ubuntu)	New	Wishlist	Unassigned

Bug Description

aa-logprof ignores denied messages in kern.log. Logs sended to apparmor [at] cboltz.de.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apparmor 2.10-0ubuntu6
ProcVersionSignature: Ubuntu 4.2.0-21.25-generic 4.2.6
Uname: Linux 4.2.0-21-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
Date: Wed Dec 23 09:22:44 2015
InstallationDate: Installed on 2014-04-19 (612 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.2.0-21-generic root=/dev/mapper/ubuntu-root ro splash elevator=cfq nomdmonddf nomdmonisw crashkernel=384M-:128M
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to wily on 2015-11-14 (38 days ago)

Tags:

Revision history for this message

QkiZ (qkiz) wrote on 2015-12-23:

ApparmorPackages.txt Edit (445 bytes, text/plain; charset="utf-8")
ApparmorStatusOutput.txt Edit (3.7 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (5.5 KiB, text/plain; charset="utf-8")
JournalErrors.txt Edit (690.8 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (783.2 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (303 bytes, text/plain; charset="utf-8")
PstreeP.txt Edit (56.9 KiB, text/plain; charset="utf-8")

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-12-23:

That's no a bug, it's a missing feature ;-) - aa-logprof doesn't have support for unix rules/events yet, so you'll need to allow this by manually adding rules.

Nevertheless, thanks for the log - having some example log lines is always helpful.

Dec 21 09:49:19 th1nkp4d kernel: [ 1807.331151] audit: type=1400 audit(1450687759.549:3582): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/cupsd" pid=6049 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"

BTW: peer_addr decodes to

# aa-decode 2F746D702F65736574732E736F636B
Decoded: /tmp/esets.sock

(I wonder if the tons of 0000000 are intentional - John, can you clarify this, please?)

summary:

- aa-logprof ignores denied messages
+ aa-logprof doesn't support unix rules/events

Revision history for this message

QkiZ (qkiz) wrote on 2015-12-23:

Yup, aa-logprof doesn't recognize unix rules and events. If I add manually this rules, after next aa-logprof running and answering questions, all added unix rules are deleted from profile files.

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-12-23:

Loosing unix rules is already fixed in bzr (trunk r3310, 2.10 branch r3292, 2.9 branch r2981) since a week, see bug 1522938.

BTW: Given how many issues you find, maybe you should switch to bzr trunk? ;-)

tags:

added: aa-tools

Revision history for this message

QkiZ (qkiz) wrote on 2015-12-23:

I will :)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2016-01-06:

The zeros are probably intentional; the name of abstract unix sockets allows ascii NULs, and they may or may not be relevant based on the address length as reported in the C APIs. It's a terrible interface all around.. (and now that I just now realize that a unix socket with name @00...00 len=2 is different from unix socket with name @00...00 len=4 I wonder what breaks if these two are actually used somewhere. Hmm.)

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-01-06:

Well, maybe things are even more interesting:
- the log message doesn't specify the len, so a socket name ending with \0 _will_ cause trouble
- for some reason, the log line above gets parsed as AA_RECORD_INVALID:

START
File: testcase_syslog_unix_01.in
Event type: AA_RECORD_INVALID
Audit ID: 1450687759.549:3582
Operation: connect
Mask: send receive connect
Denied Mask: send connect
Profile: /usr/sbin/cupsd
Command: cupsd
PID: 6049
Network family: unix
Socket type: stream
Protocol: ip
Epoch: 1450687759
Audit subid: 3582

- the peer address isn't included in the parsed log - but that might be a side effect and/or reason for AA_RECORD_INVALID

Mathew Hodson (mhodson) on 2016-04-21

Changed in apparmor (Ubuntu):
importance:	Undecided → Wishlist

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.