Comment 3 for bug 340183

Jamie Strandboge (jdstrand) wrote :

I can confirm that aa-genprof is not working right.

TEST CASE:
1. create $HOME/foobar.sh:
2. sudo aa-genprof.sh $HOME/foobar.sh
3. in another window, run $HOME/foobar.sh
4. in the aa-genprof window, do (S)can -- it does not prompt. Tried (S)can again, still no prompt.

Here are the logs:
Mar 11 07:32:59 myhost kernel: [50805.318822] type=1505 audit(1236774779.608:368): operation="profile_load" name="/home/jamie/foobar.sh" name2="default" pid=13649
Mar 11 07:33:07 myhost kernel: [50812.879558] type=1502 audit(1236774787.169:369): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879589] type=1502 audit(1236774787.169:370): operation="file_mmap" requested_mask="::mr" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879606] type=1502 audit(1236774787.169:371): operation="file_mmap" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880123] type=1502 audit(1236774787.172:372): operation="file_mprotect" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880417] type=1502 audit(1236774787.172:373): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/jamie/foobar.sh" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880817] type=1502 audit(1236774787.172:374): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/bin/ls" pid=13727 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880842] type=1504 audit(1236774787.172:375): operation="exec" info="set profile" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880853] type=1502 audit(1236774787.172:376): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880906] type=1502 audit(1236774787.172:377): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:18 myhost kernel: [50824.044090] __ratelimit: 4179 callbacks suppressed
Mar 11 07:33:18 myhost kernel: [50824.044094] type=1505 audit(1236774798.332:1771): operation="profile_replace" name="/home/jamie/foobar.sh" name2="default" pid=13870

Here is the generated profile:
# Last Modified: Wed Mar 11 07:32:59 2009
#include <tunables/global>

/home/jamie/foobar.sh {
  #include <abstractions/base>

  /bin/dash ix,

}
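As an added example (not part of Jamie's comment and not code from the AppArmor tools), the following Python script parses kernel audit lines in the format quoted above and summarises, per profile, which paths were denied which permissions. That is the information a log-driven profile generator has to work from, so it is a quick way to check whether the expected events actually reached the log. The `__ratelimit: 4179 callbacks suppressed` line is also picked up: it means the kernel dropped messages, so the parser reports the suppression count and any jumps in the audit serial numbers to show where the log is incomplete. The reading of `requested_mask` as `owner::other` is an assumption inferred from the quoted lines (the user-owned script shows `r::`, the root-owned `/bin/dash` shows `::r`) and is labelled as such in the code.

```python
"""Parse AppArmor kernel audit lines (the format quoted in the bug comment)
and summarise denials per profile.  Added example, not part of the bug
report or of AppArmor's own tooling."""
import re
from collections import defaultdict

# Constructed sample: the kernel log lines quoted in the comment, verbatim.
SAMPLE_LOG = """\
Mar 11 07:32:59 myhost kernel: [50805.318822] type=1505 audit(1236774779.608:368): operation="profile_load" name="/home/jamie/foobar.sh" name2="default" pid=13649
Mar 11 07:33:07 myhost kernel: [50812.879558] type=1502 audit(1236774787.169:369): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879589] type=1502 audit(1236774787.169:370): operation="file_mmap" requested_mask="::mr" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879606] type=1502 audit(1236774787.169:371): operation="file_mmap" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880123] type=1502 audit(1236774787.172:372): operation="file_mprotect" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880417] type=1502 audit(1236774787.172:373): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/jamie/foobar.sh" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880817] type=1502 audit(1236774787.172:374): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/bin/ls" pid=13727 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880842] type=1504 audit(1236774787.172:375): operation="exec" info="set profile" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880853] type=1502 audit(1236774787.172:376): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880906] type=1502 audit(1236774787.172:377): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:18 myhost kernel: [50824.044090] __ratelimit: 4179 callbacks suppressed
Mar 11 07:33:18 myhost kernel: [50824.044094] type=1505 audit(1236774798.332:1771): operation="profile_replace" name="/home/jamie/foobar.sh" name2="default" pid=13870
"""

AUDIT_RE = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare
RATELIMIT_RE = re.compile(r'__ratelimit: (\d+) callbacks suppressed')


def parse_line(line):
    """Return a dict for an audit or ratelimit line, None for anything else."""
    m = RATELIMIT_RE.search(line)
    if m:
        return {"kind": "ratelimit", "suppressed": int(m.group(1))}
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"kind": "audit", "type": int(m.group(1)),
           "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, quoted, bare in KV_RE.findall(m.group(4)):
        rec[key] = bare if bare else quoted
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def mask_letters(mask):
    """Collapse a mask into the set of permission letters it names.
    Assumption (inferred from the quoted log, where the user-owned script shows
    "r::" and the root-owned /bin/dash shows "::r"): the part left of "::" is
    the owner mask and the part right of it the non-owner mask."""
    owner, _, other = mask.partition("::")
    return set(owner) | set(other)


def denials_by_profile(records):
    """profile -> path -> set of denied permission letters (type 1502 only).
    These are the (path, access) pairs a profile generator should prompt about."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["kind"] == "audit" and r["type"] == 1502 and "denied_mask" in r:
            out[r["profile"]][r["name"]] |= mask_letters(r["denied_mask"])
    return {p: dict(paths) for p, paths in out.items()}


def suppressed_events(records):
    """Total kernel messages the log itself admits to having dropped."""
    return sum(r["suppressed"] for r in records if r["kind"] == "ratelimit")


def serial_gaps(records):
    """(prev, next) serial pairs with missing events between them."""
    serials = [r["serial"] for r in records if r["kind"] == "audit"]
    return [(a, b) for a, b in zip(serials, serials[1:]) if b != a + 1]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for profile, paths in denials_by_profile(recs).items():
        print(profile)
        for path, letters in sorted(paths.items()):
            print(f"  {path} {''.join(sorted(letters))}")
    print("suppressed:", suppressed_events(recs), "gaps:", serial_gaps(recs))
```

Run against the quoted log, the summary for `/home/jamie/foobar.sh` lists `/bin/dash r`, `/home/jamie/foobar.sh r` and `/bin/ls x`, which is exactly what the (S)can step should have offered; the serial jump from 377 to 1771 alongside the 4179 suppressed callbacks shows that anything relying on syslog can only ever see part of what the kernel decided.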