audit qualifier does not become effective

Bug #1431717 reported by zhang.lei on 2015-03-13
Affects             Importance   Assigned to
AppArmor            High         Unassigned
apparmor (Ubuntu)   Undecided    Unassigned

Bug Description

1. profile:
#include <tunables/global>

/root/zz/a.out {
  #include <abstractions/base>

  audit /bin/bash ux,
  /etc/ld.so.preload r,

  profile subbash {
    #include <abstractions/base>
    #include <abstractions/bash>
    /etc/ld.so.preload r,
  }
}

2. source file of /root/zz/a.out
#include <stdlib.h>   /* system() */

int main(void)
{
        /* system() runs the command through the shell */
        system("/bin/ls /");
        return 0;
}

3. When executing ./a.out, there is no record in /var/log/audit/audit.log.

Tyler Hicks (tyhicks) on 2015-03-13
Changed in apparmor:
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

I've confirmed this with a simpler program/profile and 'ix' mode:

$ cat profile
#include <tunables/global>

profile audit-exec {
  #include <abstractions/base>

  audit /bin/true ix,
}
$ sudo apparmor_parser -r profile
$ cat test.c
#include <unistd.h>
#include <stdio.h>

int main(void)
{
 execl("/bin/true", "true", NULL);
 perror("execl");
 return 0;
}
$ gcc test.c -Wall -o test
$ aa-exec -p audit-exec -- ./test

There is no audit event for the execl(2) of /bin/true. If I change the rule to 'audit deny /bin/true x,' the execl(2) is denied and an audit event is generated.

That means that the bug does not allow confined programs to gain exec permissions in any way and the denial of exec still generates an audit event. This bug seems to only affect the auditing of allowed exec events.

Tyler Hicks (tyhicks) wrote :

I also verified that removing the 'audit /bin/true ix,' rule from the profile in comment #1 results in an audited denial.
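The two observations above (an allowed exec that should be audited produces nothing, while a denied exec is logged) can be checked mechanically once the test binary has run. The script below is an added example, not part of the bug report or of the AppArmor project: it parses AppArmor AVC records from an audit.log excerpt and classifies the exec of a given path under a given profile as audited, denied, or silent. The log lines embedded in it are constructed samples in the kernel's key=value format (timestamps, pids and field order are assumptions), and the helper names are hypothetical.

```python
"""Scan an audit.log excerpt for the exec event the reproducer expects (hypothetical helper)."""
import re

# Constructed sample records in the kernel's key=value audit format; these are not
# lines from the bug report, and the timestamps/pids are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1426260000.123:45): apparmor="DENIED" operation="exec" profile="audit-exec" name="/bin/true" pid=2401 comm="test" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1426260010.456:46): apparmor="AUDIT" operation="open" profile="audit-exec" name="/etc/ld.so.cache" pid=2402 comm="test" requested_mask="r" fsuid=1000 ouid=0
type=USER_AVC msg=audit(1426260011.000:47): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unrelated record'
"""

# key=value or key="quoted value" pairs as written in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return the fields of an AppArmor AVC record as a dict, or None for any other record."""
    if not line.startswith("type=AVC") or 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exec_verdicts(log_text, profile, path):
    """apparmor= verdicts (AUDIT, DENIED, ALLOWED) of every exec record for (profile, path)."""
    verdicts = []
    for line in log_text.splitlines():
        event = parse_avc_line(line)
        if (event and event.get("operation") == "exec"
                and event.get("profile") == profile and event.get("name") == path):
            verdicts.append(event["apparmor"])
    return verdicts


def classify_exec(log_text, profile, path):
    """'audited' if the allowed exec was logged (the rule works), 'denied' if the exec was
    refused (no matching allow rule, as in comment #2), 'silent' if nothing was logged
    (the behaviour this bug describes)."""
    seen = set(exec_verdicts(log_text, profile, path))
    if "AUDIT" in seen:
        return "audited"
    if "DENIED" in seen:
        return "denied"
    return "silent"


if __name__ == "__main__":
    # On a real system, read /var/log/audit/audit.log (or the syslog copy) instead of SAMPLE_LOG.
    print(classify_exec(SAMPLE_LOG, "audit-exec", "/bin/true"))
```

With the profile and test program from comment #1 loaded, a fixed parser should turn "silent" into "audited" for /bin/true; the "denied" outcome is what comment #2 describes when the allow rule is removed.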

Christian Boltz (cboltz) wrote :

Looks like a parser bug (tested with 2.9.1) - I get the same cache file with and without the audit keyword for the exec rule.

That reminds me that we had the same problem with "audit capability" (bug 1378091) - we should probably check _all_ code sections that handle the audit keyword ;-) (or simply create test profiles for each rule type with and without the audit keyword, which might be the faster solution)

tags: added: aa-parser
John Johansen (jjohansen) wrote :

So using the test profile from comment #1 I dumped the permission states for the compiled policy and ended up with the following permissions table for the file dfa.

None of the entries have the permission flags set for the audit field, so it looks like this is a bug in the apparmor_parser.

apparmor_parser -QT -D dfa-states audit_profile
{1} <== (allow/deny/audit/quiet)
{55} (0x 10004/0/0/0)
{58} (0x 10004/0/0/0)
{78} (0x 10004/0/0/0)
{81} (0x 10004/0/0/0)
{82} (0x 10004/0/0/0)
{97} (0x 2800a/0/0/0)
{109} (0x 10004/0/0/0)
{110} (0x 10004/0/0/0)
{111} (0x 10004/0/0/0)
{112} (0x 10004/0/0/0)
{126} (0x 904241/0/0/0)
{127} (0x 3800e/0/0/0)
{139} (0x 10004/0/0/0)
{141} (0x 10004/0/0/0)
{143} (0x 10004/0/0/0)
{170} (0x 10004/0/0/0)
{173} (0x 10004/0/0/0)
{180} (0x 10004/0/0/0)
{184} (0x 10004/0/0/0)
{185} (0x 10004/0/0/0)
{186} (0x 10004/0/0/0)
{187} (0x 10004/0/0/0)
{188} (0x 10004/0/0/0)
{202} (0x 914245/0/0/0)
{205} (0x 110044/0/0/0)
{217} (0x 10004/0/0/0)
{218} (0x 10004/0/0/0)
{219} (0x 10004/0/0/0)
{220} (0x 10004/0/0/0)
{221} (0x 10004/0/0/0)
{249} (0x 10004/0/0/0)
{250} (0x 10004/0/0/0)
{251} (0x 10004/0/0/0)
{252} (0x 110044/0/0/0)
{253} (0x 10004/0/0/0)
{254} (0x 10004/0/0/0)
{255} (0x 10004/0/0/0)
{256} (0x 10004/0/0/0)
{257} (0x 10004/0/0/0)
{258} (0x 10004/0/0/0)
{267} (0x 10004/0/0/0)
{287} (0x 10004/0/0/0)
{288} (0x 10004/0/0/0)
{289} (0x 110044/0/0/0)
{291} (0x 10004/0/0/0)
{292} (0x 10004/0/0/0)
{293} (0x 10004/0/0/0)
{294} (0x 10004/0/0/0)
{295} (0x 10004/0/0/0)
{320} (0x 10004/0/0/0)
{321} (0x 110044/0/0/0)
{323} (0x 10004/0/0/0)
{324} (0x 10004/0/0/0)
{325} (0x 110044/0/0/0)
{326} (0x 10004/0/0/0)
{327} (0x 10004/0/0/0)
{352} (0x 10004/0/0/0)
{353} (0x 110044/0/0/0)
{354} (0x 10004/0/0/0)
{355} (0x 10004/0/0/0)
{357} (0x 10004/0/0/0)
{358} (0x 10004/0/0/0)
{364} (0x 110044/0/0/0)
{379} (0x 27f/0/0/0)
{381} (0x 10004/0/0/0)
{382} (0x 110044/0/0/0)
{383} (0x 10004/0/0/0)
{384} (0x 10004/0/0/0)
{385} (0x 10004/0/0/0)
{386} (0x 10004/0/0/0)
{387} (0x 10004/0/0/0)
{389} (0x 10004/0/0/0)
{390} (0x 10004/0/0/0)
{411} (0x 10004/0/0/0)
{412} (0x 110044/0/0/0)
{413} (0x 10004/0/0/0)
{414} (0x 10004/0/0/0)
{415} (0x 10004/0/0/0)
{416} (0x 110044/0/0/0)
{418} (0x 10004/0/0/0)
{435} (0x 10004/0/0/0)
{442} (0x 10004/0/0/0)
{443} (0x 110044/0/0/0)
{444} (0x 110044/0/0/0)
{445} (0x 10004/0/0/0)
{471} (0x 30/0/0/0)
{473} (0x 10004/0/0/0)
{474} (0x 110044/0/0/0)
{475} (0x 10004/0/0/0)
{502} (0x 10004/0/0/0)
{503} (0x 10004/0/0/0)
{504} (0x 110044/0/0/0)
{505} (0x 10004/0/0/0)
{512} (0x 10004/0/0/0)
{528} (0x 10004/0/0/0)
{529} (0x 10004/0/0/0)
{530} (0x 110044/0/0/0)
{531} (0x 10004/0/0/0)
{552} (0x 110044/0/0/0)
{553} (0x 10004/0/0/0)
{554} (0x 10004/0/0/0)
{577} (0x 10004/0/0/0)
{578} (0x 10004/0/0/0)
{598} (0x 10004/0/0/0)
{599} (0x 10004/0/0/0)
{616} (0x 10004/0/0/0)
{617} (0x 10004/0/0/0)
{632} (0x 10004/0/0/0)
{643} (0x 10004/0/0/0)
{672} (0x 914245/0/0/0)
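Christian's suggestion (compile each rule type with and without the audit keyword and compare) and John's dump above can be combined into one check: parse the `apparmor_parser -QT -D dfa-states` output and report whether any accept state carries bits in the audit column. The script below is an added example, not code from the bug report or from the AppArmor project. It embeds a constructed excerpt of the dump above as sample input; the function that actually invokes apparmor_parser is only exercised when the binary is installed, and the assumption that the -D dump can be collected from stdout and stderr together, as well as the helper names, are mine.

```python
"""Check an apparmor_parser dfa-states dump for audit bits (hypothetical helper, LP: #1431717)."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# One line per accept state: {state} (0x allow/deny/audit/quiet); the header line is skipped.
STATE_RE = re.compile(
    r"^\{(\d+)\}\s+\(0x\s*([0-9a-fA-F]+)/([0-9a-fA-F]+)/([0-9a-fA-F]+)/([0-9a-fA-F]+)\)\s*$"
)

# Constructed excerpt (a few states) of the dump in comment #4; sample input only.
SAMPLE_DUMP = """\
{1} <== (allow/deny/audit/quiet)
{55} (0x 10004/0/0/0)
{97} (0x 2800a/0/0/0)
{126} (0x 904241/0/0/0)
{672} (0x 914245/0/0/0)
"""


def parse_dfa_states(text):
    """Return {state: (allow, deny, audit, quiet)} with each field parsed as hex."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states[int(m.group(1))] = tuple(int(x, 16) for x in m.groups()[1:])
    return states


def states_with_audit(states):
    """States whose audit column carries at least one bit."""
    return sorted(s for s, (_, _, audit, _) in states.items() if audit)


def audit_is_compiled(dump_text):
    """True if the compiled dfa contains any audit permission bits at all."""
    return bool(states_with_audit(parse_dfa_states(dump_text)))


def profile_pair(name, rule):
    """Profile text for `rule` without and with the audit keyword (Christian's suggestion)."""
    tmpl = ("#include <tunables/global>\n\nprofile {n} {{\n"
            "  #include <abstractions/base>\n\n  {r}\n}}\n")
    return tmpl.format(n=name, r=rule), tmpl.format(n=name, r="audit " + rule)


def dump_states(profile_text):
    """Run `apparmor_parser -QT -D dfa-states` on profile_text; None if the parser is absent.
    Assumption: the dump is collected from stdout and stderr combined."""
    parser = shutil.which("apparmor_parser")
    if parser is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        path = Path(workdir) / "profile"
        path.write_text(profile_text)
        run = subprocess.run([parser, "-QT", "-D", "dfa-states", str(path)],
                             capture_output=True, text=True)
        return run.stdout + run.stderr


if __name__ == "__main__":
    # Offline: the excerpt from the report shows no audit bits, which is the bug.
    print("audit bits in sample dump:", states_with_audit(parse_dfa_states(SAMPLE_DUMP)))
    # With a parser installed: the audit variant should gain audit bits, the plain one should not.
    plain, audited = profile_pair("audit-exec", "/bin/true ix,")
    for label, text in (("plain", plain), ("audit", audited)):
        dump = dump_states(text)
        if dump is not None:
            print(label, "audit compiled:", audit_is_compiled(dump))
```

Running the same pair for each rule type (exec, pivot_root, link and so on) is the systematic version of the check Christian proposes; a parser with the fix should report audit bits only for the audited variant.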

information type: Private Security → Public Security
John Johansen (jjohansen) wrote :

Marking as public because this doesn't affect the enforcement of policy

Tyler Hicks (tyhicks) wrote :

Automated tests for this bug can be found here:

  https://lists.ubuntu.com/archives/apparmor/2015-March/007412.html

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

A fix was committed for this in AppArmor upstream in trunk revision 2901 and on the 2.9 branch in revision 2870.

Changed in apparmor:
milestone: none → 2.9.2
status: Confirmed → Fix Committed
importance: Undecided → High
Steve Beattie (sbeattie) on 2015-04-24
Changed in apparmor:
status: Fix Committed → Fix Released