audit qualifier does not become effective
Bug #1431717 reported by zhang.lei
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Fix Released | High | Unassigned | |
| apparmor (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
1. profile:
    #include <tunables/global>
    /root/zz/a.out {
      #include <abstractions/base>
      audit /bin/bash ux,
      /etc/
      profile subbash {
        #include <abstractions/base>
        #include <abstractions/bash>
        /etc/
      }
    }
2. source file of /root/zz/a.out:
    int main(){
      return 0;
    }
3. When executing ./a.out, there is no record in /var/log/
Changed in apparmor: status: New → Confirmed
Changed in apparmor: status: Fix Committed → Fix Released
I've confirmed this with a simpler program/profile and 'ix' mode:
$ cat profile
#include <tunables/global>
profile audit-exec {
  #include <abstractions/base>
  audit /bin/true ix,
}
$ sudo apparmor_parser -r profile
$ cat test.c
#include <unistd.h>
#include <stdio.h>

int main(void)
{
	/* Replace this process with /bin/true; the 'audit' qualifier on the
	 * 'ix' rule should log this exec. The (char *) cast on the terminating
	 * NULL is required for a correct variadic call. */
	execl("/bin/true", "true", (char *)NULL);
	perror("execl");	/* only reached if the exec failed */
	return 1;
}
$ gcc test.c -Wall -o test
$ aa-exec -p audit-exec -- ./test
There is no audit event for the execl(2) of /bin/true. If I change the rule to 'audit deny /bin/true x,' the execl(2) is denied and an audit event is generated.
That means that the bug does not allow confined programs to gain exec permissions in any way and the denial of exec still generates an audit event. This bug seems to only affect the auditing of allowed exec events.
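As an added example (not code from the bug report or from the AppArmor project), the following Python script parses AppArmor audit records and checks whether an allowed exec under a profile produced an apparmor="AUDIT" record, which is exactly the record the reporter and the comment above found missing. It assumes AppArmor's usual key=value audit record format (type=1400 lines carrying apparmor=, operation=, profile=, name= and the mask fields); the three sample logs are constructed for this example and are not copied from any system.

```python
import re

# Hand-constructed sample records in the key=value format AppArmor emits via
# the audit subsystem (type=1400 lines in dmesg / /var/log/audit/audit.log).
# They are illustrations for this script, not lines taken from the bug report.

# What 'audit /bin/true ix,' is expected to produce once the exec of /bin/true
# is allowed: an apparmor="AUDIT" record for operation="exec".
LOG_EXPECTED = """\
audit: type=1400 audit(1400000000.000:10): apparmor="STATUS" operation="profile_replace" name="audit-exec" pid=1000 comm="apparmor_parser"
audit: type=1400 audit(1400000001.000:11): apparmor="AUDIT" operation="exec" profile="audit-exec" name="/bin/true" pid=1001 comm="test" requested_mask="x"
"""

# What the reporter and the confirming comment observed: the profile loads,
# ./test runs and execs /bin/true, but no exec record is written at all.
LOG_REPORTED = """\
audit: type=1400 audit(1400000000.000:10): apparmor="STATUS" operation="profile_replace" name="audit-exec" pid=1000 comm="apparmor_parser"
"""

# The 'audit deny /bin/true x,' variant from the comment: the exec is refused
# and the refusal is logged as apparmor="DENIED".
LOG_DENY = """\
audit: type=1400 audit(1400000000.000:10): apparmor="STATUS" operation="profile_replace" name="audit-exec" pid=1000 comm="apparmor_parser"
audit: type=1400 audit(1400000002.000:12): apparmor="DENIED" operation="exec" profile="audit-exec" name="/bin/true" pid=1002 comm="test" requested_mask="x" denied_mask="x"
"""

# key=value or key="value"; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_log(text):
    """Turn AppArmor audit lines into dicts; lines without apparmor= are skipped."""
    records = []
    for line in text.splitlines():
        if 'apparmor=' not in line:
            continue
        rec = {}
        for key, quoted, bare in _KV_RE.findall(line):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def exec_records(records, profile, name):
    """Exec records for `name` confined by `profile`, whatever the verdict."""
    return [r for r in records
            if r.get('operation') == 'exec'
            and r.get('profile') == profile
            and r.get('name') == name]


def audit_qualifier_effective(records, profile, name):
    """True when an allowed exec was logged, i.e. 'audit' on the rule took effect."""
    return any(r.get('apparmor') == 'AUDIT'
               for r in exec_records(records, profile, name))


def exec_denied(records, profile, name):
    """True when the exec was refused (apparmor="DENIED")."""
    return any(r.get('apparmor') == 'DENIED'
               for r in exec_records(records, profile, name))


def check_log(text, profile='audit-exec', name='/bin/true'):
    """Summarise one captured log as (audited, denied, number of exec records)."""
    recs = parse_apparmor_log(text)
    return (audit_qualifier_effective(recs, profile, name),
            exec_denied(recs, profile, name),
            len(exec_records(recs, profile, name)))


if __name__ == '__main__':
    for label, log in (('expected', LOG_EXPECTED),
                       ('as reported', LOG_REPORTED),
                       ('audit deny', LOG_DENY)):
        audited, denied, count = check_log(log)
        print(f'{label:12s} exec records={count} audited={audited} denied={denied}')
```

In practice you would feed `check_log` the output of `dmesg` or the audit log captured right after `aa-exec -p audit-exec -- ./test`; on an affected kernel the result for the `audit ... ix` rule is (False, False, 0), which is the "no record" the reporter describes, while the `audit deny` variant yields (False, True, 1) because the denial is still logged.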