More audit log output for debug stacking profiles.
Bug #1723441 reported by Mikhail Kurinnoi
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Wishlist | Unassigned |
Bug Description
I am faced with an issue: stacking is hard to debug, since the audit log doesn't provide any information that could help.
Is it possible to add more audit log information output for stacking profiles, such as the parent's profile name and the full stacking line in profile="" instead of the first profile used for stacking?
I am sure we will also need this for the Delegation feature that is planned for the future.
It's possible, but it would only be for a debug mode with the correct authority. Can you provide more info as to what the situation was that was hard to debug with just the profile name?
There are a few reasons that just the profile is reported.
- The whole stack may not be visible, and it would be considered an information leak to make that information available.
- If the denial is coming from one of AppArmor's trusted helpers (dbus, ...) it may not even have access to the full context.
- Even when the stack is visible, reporting the other parts of the stack not responsible for the denial can be confusing to those trying to develop policy, as separating out at the per-profile level identifies the specific entities that have to be modified.
As for delegation, yes, some additional information is needed and will come in the form of "firefox/ /+12345", where the +12345 is unique to the set of delegation rules. Unfortunately this will either require digging into the system to find what that means, or additional logging, but it is required because logging all the delegation info is even worse than logging all the stacking info.
profile=