libapparmor marks a valid-looking log event as AA_RECORD_INVALID

Bug #1682914 reported by Christian Boltz
This bug affects 1 person
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

./test_multi.multi <(echo '[ 1365.276240] audit: type=1400 audit(1492193888.236:75): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/sendmail" pid=2096 comm="postdrop" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/postdrop"')
START
File: 63
Event type: AA_RECORD_INVALID
Audit ID: 1492193888.236:75
Operation: file_inherit
Mask: send receive
Denied Mask: send receive
Profile: /usr/sbin/sendmail
Command: postdrop
PID: 2096
Network family: unix
Socket type: stream
Protocol: ip
Epoch: 1492193888
Audit subid: 75

It looks like the log line can be parsed successfully - why does libapparmor set the event type AA_RECORD_INVALID nevertheless?

(Tested with bzr trunk.)

John Johansen (jjohansen) wrote :

(12:19:29 PM) cboltz: just tested - if I remove peer_addr= and addr= it gets parsed as AA_RECORD_DENIED
(12:21:22 PM) cboltz: so sbeattie's guess is half the answer ;-)
(12:24:19 PM) sbeattie: cboltz: sort of, in that I don't think libapparmor knows the "peer_addr" keyword, but does know the "addr" keyword, but the grammar doesn't expect an "addr" entry for that type of denial either, I guess.
(12:25:00 PM) sbeattie: (good luck to your own grammar parser in parsing that last sentence)
(12:25:35 PM) cboltz: oh, your sentence is easy to parse ;-)
(12:26:13 PM) cboltz: it's not the typical short English sentence
(12:26:27 PM) cboltz: but Germans are used to long and nested sentences ;-)
(12:32:36 PM) sbeattie: ah, the issue with addr is the grammar expects the right hand side to be a quoted string (or a hexstring) and 'none' is neither.
(12:33:27 PM) sbeattie: at least, based on a cursory exploration
(12:34:20 PM) cboltz: hmm, changing it to addr="addr" peer_addr="peeraddr" still leads to AA_RECORD_INVALID
(12:35:42 PM) sbeattie: cboltz: like I said, peer_addr is an unknown keyword to libapparmor, so it will always fail that. try adding just addr="whatever"
(12:36:54 PM) cboltz: indeed, that works
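
The two causes named in the chat above (peer_addr being an unknown keyword, and addr carrying a value that is neither a quoted string nor a hexstring), modelled as a small triage script for audit lines. This is an added example, not libapparmor code and not part of the original report; KNOWN_KEYS and STRING_KEYS are assumptions built only from what this page shows, not libapparmor's actual keyword table.

```python
import re

# The log line from the bug description on this page, embedded so this runs offline.
SAMPLE = (
    '[ 1365.276240] audit: type=1400 audit(1492193888.236:75): apparmor="DENIED" '
    'operation="file_inherit" profile="/usr/sbin/sendmail" pid=2096 comm="postdrop" '
    'family="unix" sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/postdrop"'
)

# Assumption: the keys this page shows being accepted once addr/peer_addr are
# removed, plus "addr", which the chat says is known. NOT the real keyword table.
KNOWN_KEYS = {
    "apparmor", "operation", "profile", "pid", "comm", "family", "sock_type",
    "protocol", "requested_mask", "denied_mask", "peer", "addr",
}
# Assumption from the chat: these keys need a quoted string or a hexstring value.
STRING_KEYS = {"addr"}

# key=value where the value is either a double-quoted string or a bare word.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEXSTRING = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def suspect_tokens(line):
    """Return (key, value, reason) for tokens matching the causes named in the thread."""
    # Skip the "type=1400 audit(epoch:subid): " header; only the AppArmor part is checked.
    body = line.split("): ", 1)[-1]
    found = []
    for key, value in TOKEN.findall(body):
        if key not in KNOWN_KEYS:
            found.append((key, value, "unknown keyword"))
        elif key in STRING_KEYS and not (
            value.startswith('"') or HEXSTRING.fullmatch(value)
        ):
            found.append((key, value, "value is neither quoted string nor hexstring"))
    return found


if __name__ == "__main__":
    for key, value, reason in suspect_tokens(SAMPLE):
        print(f"{key}={value}: {reason}")
```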

Steve Beattie (sbeattie) wrote : Re: [Bug 1682914] Re: libapparmor marks a valid-looking log event as AA_RECORD_INVALID

John,

What values should we be expecting for addr= and peeraddr=?
