14.04 kernel does not log exec properly and aa-logprof fails
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
| linux (Ubuntu) | Confirmed | Medium | Unassigned | |
Bug Description
Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec properly in audit.log when in complain mode, so aa-logprof will not work.
Here is test.bash
-------------
#!/bin/bash
echo "hi"
ls /tmp
find /tmp
-------------
Here is /etc/apparmor.
-------------
# Last Modified: Mon Feb 15 16:05:05 2016
#include <tunables/global>
/root/tmp/test.bash flags=(complain) {
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
/bin/ls r,
/proc/filesystems r,
/proc/meminfo r,
/root/tmp/ r,
/root/
/tmp/** rwlk,
/usr/bin/find r,
}
-------------
Here are the results in audit.log with a stock kernel, and a vanilla+grsecurity 4.3.5 kernel:
# uname -a
Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
enforce mode:
-------------
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=AVC msg=audit(
type=SYSCALL msg=audit(
[this is full output]
-------------
complain mode:
-------------
type=AVC msg=audit(
type=SYSCALL msg=audit(
[... much longer ...]
-------------
# uname -a
Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 x86_64 x86_64 GNU/Linux
enforce
-------------
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=UNKNOWN[1327] msg=audit(
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=UNKNOWN[1327] msg=audit(
-------------
complain
-------------
type=AVC msg=audit(
type=SYSCALL msg=audit(
-------------
Notice that the name="/bin/ls" is in the enforce mode log for both kernels, and in the complain mode log for kernel 4.3.5. It is missing from the complain mode kernel 3.13.
And another problem I found while failing to reproduce the above problem. This was with a profile made with aa-genprof on the bash executable (copied to ~/tmp/), without any more rules added. I could not reproduce this problem with the grsec kernel, so I'll just report them together.
-------------
# aa-logprof
Reading log entries from /var/log/
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/sbin/
apparmor.
File "/usr/lib/
log = log_reader.
File "/usr/lib/
self.
File "/usr/lib/
raise AppArmorExcepti
apparmor.
-------------
the problem line (requested_mask and denied_mask are blank):
-------------
type=AVC msg=audit(
-------------
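As an added example (not code from this bug report, from aa-logprof or from the AppArmor project), here is a small Python triage script for the two symptoms above: it parses AppArmor `type=AVC` audit records, separates records whose `requested_mask` and `denied_mask` are blank (the record shape on which aa-logprof raises an exception) from records the tool can use, and checks whether an `exec` event for a given path was logged at all, which is the check the report does by eye for `name="/bin/ls"`. The sample log lines, timestamps, pids and profile values are constructed for the example; only the field layout follows the standard AppArmor audit record format.

```python
import re

# Constructed sample audit lines (the report's own lines are truncated, so these
# are not copied from it). Record 201 is an enforce-mode exec denial, 202 a
# complain-mode open, 203 a complain-mode exec record with blank masks, i.e. the
# shape that makes aa-logprof fail; 204 is a SYSCALL record that is skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1455549905.101:201): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1001 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1455549905.102:202): apparmor="ALLOWED" operation="open" profile="/root/tmp/test.bash" name="/proc/meminfo" pid=1001 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1455549905.103:203): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1002 comm="test.bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455549905.103:204): arch=c000003e syscall=59 success=yes exit=0 comm="test.bash"
"""

# key="quoted value" or key=bare_value; the quoted alternative is tried first so
# an empty quoted value ("") is captured as the empty string, not skipped.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of a type=AVC record, or None for any other record type."""
    if not line.startswith("type=AVC "):
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def triage(log_text):
    """Split AVC records into (usable, blank_mask, execs).

    usable:     records carrying a requested/denied mask, as aa-logprof expects
    blank_mask: records where both masks are empty strings (the failing shape)
    execs:      (apparmor_verdict, path) for every operation="exec" record
    """
    usable, blank_mask, execs = [], [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec.get("requested_mask", "") == "" and rec.get("denied_mask", "") == "":
            blank_mask.append(rec)
        else:
            usable.append(rec)
        if rec.get("operation") == "exec":
            execs.append((rec.get("apparmor", ""), rec.get("name", "")))
    return usable, blank_mask, execs


def exec_logged(log_text, path):
    """True if the kernel emitted an exec event naming `path` in this log."""
    return any(name == path for _, name in triage(log_text)[2])


if __name__ == "__main__":
    usable, blank, execs = triage(SAMPLE_LOG)
    print(f"usable records: {len(usable)}, blank-mask records: {len(blank)}")
    for verdict, path in execs:
        print(f"exec {verdict:8} {path}")
    print("exec of /bin/ls logged:", exec_logged(SAMPLE_LOG, "/bin/ls"))
```

Running it against a real `/var/log/audit/audit.log` (or the kern.log lines when auditd is absent) shows at a glance whether the exec records a profile needs are present, and which records would have to be dropped or filled in before feeding the log to aa-logprof.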
Changed in linux (Ubuntu): importance: Undecided → Medium
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1545776
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.