audit qualifier does not become effective

I've confirmed this with a simpler program/profile and 'ix' mode:

$ cat profile
#include <tunables/global>

profile audit-exec {
  #include <abstractions/base>

  audit /bin/true ix,
}
$ sudo apparmor_parser -r profile
$ cat test.c
#include <unistd.h>
#include <stdio.h>

int main(void)
{
 execl("/bin/true", "true", NULL);
 perror("execl");
 return 0;
}
$ gcc test.c -Wall -o test
$ aa-exec -p audit-exec -- ./test

There is no audit event for the execl(2) of /bin/true. If I change the rule to 'audit deny /bin/true x,' the execl(2) is denied and an audit event is generated.

That means that the bug does not allow confined programs to gain exec permissions in any way and the denial of exec still generates an audit event. This bug seems to only affect the auditing of allowed exec events.

I also verified that removing the 'audit /bin/true ix,' rule from the profile in comment #1 results in an audited denial.

Looks like a parser bug (tested with 2.9.1) - I get the same cache file with and without the audit keyword for the exec rule.

That reminds me that we had the same problem with "audit capability" (bug 1378091) - we should probably check _all_ code sections that handle the audit keyword ;-) (or simply create test profiles for each rule type with and without the audit keyword, which might be the faster solution)

So Using the test profile from comment #1 I dumped the permission states for the compiled policy and ended up with the following permissions table for the file dfa.

None of the entries have the permission flags set for the audit field so it looks like this is a bug in the apparmor_parser

apparmor_parser -QT -D dfa-states audit_profile
{1} <== (allow/deny/audit/quiet)
{55} (0x 10004/0/0/0)
{58} (0x 10004/0/0/0)
{78} (0x 10004/0/0/0)
{81} (0x 10004/0/0/0)
{82} (0x 10004/0/0/0)
{97} (0x 2800a/0/0/0)
{109} (0x 10004/0/0/0)
{110} (0x 10004/0/0/0)
{111} (0x 10004/0/0/0)
{112} (0x 10004/0/0/0)
{126} (0x 904241/0/0/0)
{127} (0x 3800e/0/0/0)
{139} (0x 10004/0/0/0)
{141} (0x 10004/0/0/0)
{143} (0x 10004/0/0/0)
{170} (0x 10004/0/0/0)
{173} (0x 10004/0/0/0)
{180} (0x 10004/0/0/0)
{184} (0x 10004/0/0/0)
{185} (0x 10004/0/0/0)
{186} (0x 10004/0/0/0)
{187} (0x 10004/0/0/0)
{188} (0x 10004/0/0/0)
{202} (0x 914245/0/0/0)
{205} (0x 110044/0/0/0)
{217} (0x 10004/0/0/0)
{218} (0x 10004/0/0/0)
{219} (0x 10004/0/0/0)
{220} (0x 10004/0/0/0)
{221} (0x 10004/0/0/0)
{249} (0x 10004/0/0/0)
{250} (0x 10004/0/0/0)
{251} (0x 10004/0/0/0)
{252} (0x 110044/0/0/0)
{253} (0x 10004/0/0/0)
{254} (0x 10004/0/0/0)
{255} (0x 10004/0/0/0)
{256} (0x 10004/0/0/0)
{257} (0x 10004/0/0/0)
{258} (0x 10004/0/0/0)
{267} (0x 10004/0/0/0)
{287} (0x 10004/0/0/0)
{288} (0x 10004/0/0/0)
{289} (0x 110044/0/0/0)
{291} (0x 10004/0/0/0)
{292} (0x 10004/0/0/0)
{293} (0x 10004/0/0/0)
{294} (0x 10004/0/0/0)
{295} (0x 10004/0/0/0)
{320} (0x 10004/0/0/0)
{321} (0x 110044/0/0/0)
{323} (0x 10004/0/0/0)
{324} (0x 10004/0/0/0)
{325} (0x 110044/0/0/0)
{326} (0x 10004/0/0/0)
{327} (0x 10004/0/0/0)
{352} (0x 10004/0/0/0)
{353} (0x 110044/0/0/0)
{354} (0x 10004/0/0/0)
{355} (0x 10004/0/0/0)
{357} (0x 10004/0/0/0)
{358} (0x 10004/0/0/0)
{364} (0x 110044/0/0/0)
{379} (0x 27f/0/0/0)
{381} (0x 10004/0/0/0)
{382} (0x 110044/0/0/0)
{383} (0x 10004/0/0/0)
{384} (0x 10004/0/0/0)
{385} (0x 10004/0/0/0)
{386} (0x 10004/0/0/0)
{387} (0x 10004/0/0/0)
{389} (0x 10004/0/0/0)
{390} (0x 10004/0/0/0)
{411} (0x 10004/0/0/0)
{412} (0x 110044/0/0/0)
{413} (0x 10004/0/0/0)
{414} (0x 10004/0/0/0)
{415} (0x 10004/0/0/0)
{416} (0x 110044/0/0/0)
{418} (0x 10004/0/0/0)
{435} (0x 10004/0/0/0)
{442} (0x 10004/0/0/0)
{443} (0x 110044/0/0/0)
{444} (0x 110044/0/0/0)
{445} (0x 10004/0/0/0)
{471} (0x 30/0/0/0)
{473} (0x 10004/0/0/0)
{474} (0x 110044/0/0/0)
{475} (0x 10004/0/0/0)
{502} (0x 10004/0/0/0)
{503} (0x 10004/0/0/0)
{504} (0x 110044/0/0/0)
{505} (0x 10004/0/0/0)
{512} (0x 10004/0/0/0)
{528} (0x 10004/0/0/0)
{529} (0x 10004/0/0/0)
{530} (0x 110044/0/0/0)
{531} (0x 10004/0/0/0)
{552} (0x 110044/0/0/0)
{553} (0x 10004/0/0/0)
{554} (0x 10004/0/0/0)
{577} (0x 10004/0/0/0)
{578} (0x 10004/0/0/0)
{598} (0x 10004/0/0/0)
{599} (0x 10004/0/0/0)
{616} (0x 10004/0/0/0)
{617} (0x 10004/0/0/0)
{632} (0x 10004/0/0/0)
{643} (0x 10004/0/0/0)
{672} (0x 914245/0/0/0)

Marking as public because this doesn't affect the enforcement of policy

Automated tests for this bug can be found here:

  https://lists.ubuntu.com/archives/apparmor/2015-March/007412.html

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

A fix was committed for this in AppArmor upstream in trunk revision 2901 and on the 2.9 branch in revision 2870.