aa-decode can't decode the audit log which contains the proctitle string

Bug #1736841 reported by DaiQianwen on 2017-12-07
Affects             Importance   Assigned to
AppArmor            Undecided    Unassigned
apparmor (Ubuntu)   Undecided    Unassigned

Bug Description

[Description of Problem]
aa-decode can't decode the audit log which contains the proctitle string.
Ubuntu kernel version: 4.4.0-87-generic
AppArmor tool version: 2.10.95

[How To Reproduce]
e.g.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
# cat /var/log/audit/audit.log
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

[Actual Result]
aa-decode can decode a single string, but cannot take an audit log on standard input and convert the hex-encoded string.

[Expected Result]
# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

[How To Fix]
Fix the aa-decode shell script.

--- utils/aa-decode 2013-01-01 14:15:04.000000000 -0500
+++ utils/aa-decode.new 2017-11-30 02:39:13.780000000 -0500
@@ -70,7 +70,7 @@ fi
 while read line ; do

     # check if line contains encoded name= or profile=
- if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
+ if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then

         # cut the encoded filename/profile name out of the line and decode it
         ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
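Review bot: the comment two lines above the changed test still reads "check if line contains encoded name= or profile="; update it to mention proctitle= so it matches the new alternation. The regex itself is fine for the sample records: the kernel writes proctitle as a bare hex string, so `\ (name|profile|proctitle)=[0-9a-fA-F]` matches the PROCTITLE line while the quoted name="/usr/sbin/tcpdump" and profile="unconfined" values on the AVC line are left alone.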
@@ -79,9 +79,13 @@ while read line ; do
         pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
         pd="$(decode ${pe/\'/\\\'})"

+ pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
+ pcd="$(decode ${pce/\'/\\\'})"
+
         # replace encoded name and profile with its decoded counterparts (only if it was encoded)
         test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
         test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
+ test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"

     fi
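Review bot: the decoded proctitle loses the argument boundaries. The sample value in this report contains 00 bytes between the argv entries (...7061727365720 02D72002F6574...) and the existing `decode` helper drops them, so the result is proctitle="apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump", as shown under [Expected Result], rather than a readable command line; consider mapping each 00 byte to a space for the proctitle case before the `line="${line/proctitle=$pce/...}"` substitution. The new `pce=` sed also copies the existing name=/profile= pattern, which yields the whole line when no proctitle= field is present and then feeds it to `decode`; that mirrors the surrounding code, so it is acceptable here, but a comment noting that `pcd` is empty in that case would help the next reader.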

[Workaround]
If you cannot decode the audit log, try to decode the single string.
# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump
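As an added example (not part of this report or of the AppArmor utils), a Python equivalent of the fixed filter: it decodes hex-encoded name=, profile= and proctitle= values on audit lines read from standard input, and for proctitle it renders the NUL-separated argv as a space-separated command line, which the shell patch above does not do. The field names and sample record come from this report; the function names are my own.

```python
import re
import sys

# Audit fields that the kernel hex-encodes when the value holds bytes it will
# not print raw. proctitle is NUL-separated argv, so it is always hex-encoded.
HEX_FIELD_RE = re.compile(r'\b(name|profile|proctitle)=([0-9A-Fa-f]+)(?=\s|$)')


def decode_hex_value(key, hexval):
    """Return the decoded text of one hex-encoded audit field value."""
    raw = bytes.fromhex(hexval)
    if key == 'proctitle':
        # argv entries are separated by NUL bytes; show them as a command line
        raw = raw.rstrip(b'\x00').replace(b'\x00', b' ')
    return raw.decode('utf-8', errors='replace')


def decode_audit_line(line):
    """Replace each hex-encoded name=/profile=/proctitle= value with quoted text."""
    def repl(match):
        key, hexval = match.group(1), match.group(2)
        if len(hexval) % 2:
            return match.group(0)  # odd digit count cannot be hex bytes; keep as-is
        return '%s="%s"' % (key, decode_hex_value(key, hexval))
    return HEX_FIELD_RE.sub(repl, line)


def decode_audit_log(lines):
    """Decode an iterable of audit log lines; lines without encoded fields pass through."""
    return [decode_audit_line(line.rstrip('\n')) for line in lines]


if __name__ == '__main__':
    if len(sys.argv) == 2:
        # single-string mode, like `aa-decode <hex>`; NULs are shown as spaces
        print('Decoded: ' + decode_hex_value('proctitle', sys.argv[1]))
    else:
        # filter mode, like `cat /var/log/audit/audit.log | aa-decode`
        for out in decode_audit_log(sys.stdin):
            print(out)
```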

Seth Arnold (seth-arnold) wrote :

Nice! Thanks

Tyler Hicks (tyhicks) wrote :

This was released in apparmor 2.12. The upstream commit is 3afbfed9eef56d029a9a5890e5c463165530d509

Changed in apparmor:
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released