AppArmor

Bug #1358705
Comment #2

Comment 2 for bug 1358705

Revision history for this message

Paweł Krawczyk (pawel-krawczyk) wrote on 2014-08-19: Re: [Bug 1358705] Invalid mode found: AUDITING

Hi Christian,

I think these lines are causing it:

Aug 19 11:35:48 kautsky kernel: [ 1545.990026] type=1400 audit(1408448148.700:7093): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6
Aug 19 11:35:48 kautsky kernel: [ 1545.990060] type=1400 audit(1408448148.700:7094): apparmor="AUDIT" operation="accept" profile="/usr/sbin/nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6

I was able to fix the crash by adding the following lines after line 1515 in /usr/lib/python3/dist-packages/apparmor/aa.py but this probably needs verifying for overall business logic compliance (as audit mode is combination of enforcement and complain):

elif aamode == 'AUDITING':
aaui.UI_Info(_('Audit-mode changes:'))

On 19 Aug 2014, at 12:26, Christian Boltz <email address hidden> wrote:

> Can you please attach some example log lines that cause this? (Typical
> log locations are /var/log/audit/audit.log, /var/log/messages or
> /var/log/syslog)
>
> This probably needs to be fixed in logparser.py add_event_to_tree()
> (which is expected to ignore audit events) - but I'll need the log
> sample to get it right.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1358705
>
> Title:
> Invalid mode found: AUDITING
>
> Status in AppArmor Linux application security framework:
> New
>
> Bug description:
> aa-logprof crashes with the following error:
>
> Invalid mode found: AUDITING
> File "/usr/sbin/aa-genprof", line 150, in <module>
> lp_ret = apparmor.do_logprof_pass(logmark, passno)
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2270, in do_logprof_pass
> ask_the_questions()
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1518, in ask_the_questions
> fatal_error(_('Invalid mode found: %s') % aamode)
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 133, in fatal_error
> tb_stack = traceback.format_list(traceback.extract_stack())
>
> when I have some processes running in AUDIT mode.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1358705/+subscriptions
>

--
Pawel Krawczyk
<email address hidden> +44 7879 180015
CISSP, OWASP

Hi Christian,

I think these lines are causing it:

elif aamode == 'AUDITING':
            aaui.UI_Info(_('Audit-mode changes:'))

On 19 Aug 2014, at 12:26, Christian Boltz <1358705@bugs.launchpad.net> wrote:

> Can you please attach some example log lines that cause this? (Typical
> log locations are /var/log/audit/audit.log, /var/log/messages or
> /var/log/syslog)
> 
> This probably needs to be fixed in logparser.py add_event_to_tree()
> (which is expected to ignore audit events) - but I'll need the log
> sample to get it right.
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1358705
> 
> Title:
>  Invalid mode found: AUDITING
> 
> Status in AppArmor Linux application security framework:
>  New
> 
> Bug description:
>  aa-logprof crashes with the following error:
> 
>  Invalid mode found: AUDITING
>    File "/usr/sbin/aa-genprof", line 150, in <module>
>      lp_ret = apparmor.do_logprof_pass(logmark, passno)
>    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2270, in do_logprof_pass
>      ask_the_questions()
>    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1518, in ask_the_questions
>      fatal_error(_('Invalid mode found: %s') % aamode)
>    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 133, in fatal_error
>      tb_stack = traceback.format_list(traceback.extract_stack())
> 
>  when I have some processes running in AUDIT mode.
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1358705/+subscriptions
>

-- 
Pawel Krawczyk
pawel.krawczyk@hush.com +44 7879 180015
CISSP, OWASP