aa-decode can't decode the audit log which contains the proctitle string

Bug #1736841 reported by DaiQianwen
Affects             Status        Importance  Assigned to  Milestone
AppArmor            Fix Released  Undecided   Unassigned
apparmor (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

[Description of Problem]
aa-decode can't decode the audit log which contains the proctitle string.
ubuntu kernel version: 4.4.0-87-generic
AppArmor tool version: 2.10.95

[How To Reproduce]
e.g.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
# cat /var/log/audit/audit.log
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

[Actual Result]
aa-decode can decode a single string, but cannot take an audit log on standard input and convert the hex-encoded string.

[Expected Result]
# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

[How To Fix]
Fix the aa-decode shell script.

--- utils/aa-decode 2013-01-01 14:15:04.000000000 -0500
+++ utils/aa-decode.new 2017-11-30 02:39:13.780000000 -0500
@@ -70,7 +70,7 @@ fi
 while read line ; do

     # check if line contains encoded name= or profile=
- if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
+ if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then

         # cut the encoded filename/profile name out of the line and decode it
         ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
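Review bot: the pattern in the changed `if` line only checks that the first character after `=` is a hex digit, and the body then re-scans the whole line with one `sed` per field; since `[[ "$line" =~ ... ]]` fills BASH_REMATCH, capturing the value in the same test, e.g. `\ (name|profile|proctitle)=([0-9a-fA-F]+)`, would let the body use `${BASH_REMATCH[2]}` directly instead of a separate `sed` extraction per field.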
@@ -79,9 +79,13 @@ while read line ; do
         pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
         pd="$(decode ${pe/\'/\\\'})"

+ pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
+ pcd="$(decode ${pce/\'/\\\'})"
+
         # replace encoded name and profile with its decoded counterparts (only if it was encoded)
         test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
         test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
+ test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"

     fi
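Review bot: the decoded proctitle in the `pcd=` line loses its argv separators: the kernel joins the arguments with NUL bytes (the `00` runs in the report's hex string) and a bash command substitution cannot hold NUL, so `pcd` comes out as `apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump`, which is exactly what the [Expected Result] section shows. Piping the decoder's output through `tr '\0' ' '` for the proctitle case would make the substituted line read `proctitle="apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump"`. Also, on a line that carries no `proctitle=` the `pce=` sed leaves the entire line in `pce` and hands it to `decode`; only the `test -n "$pcd"` guard prevents a bogus substitution, so matching the field before extracting it would be cleaner.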

[Workaround]
If you cannot decode the audit log, try decoding the single string.
# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump
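As an added example (not the aa-decode script from the page or any AppArmor project code), the following POSIX shell filter does what the report expects of `aa-decode`: it reads audit lines on standard input, decodes any hex-encoded `name=`, `profile=` or `proctitle=` field, and keeps the proctitle readable by turning the NUL bytes that separate argv entries into spaces. The function names (`hex_decode`, `decode_audit_line`, `decode_audit_stream`) and the embedded sample log are constructed for this example.

```shell
#!/bin/sh
# Added example, not the page's aa-decode: decode hex-encoded name=, profile=
# and proctitle= fields in audit lines read from standard input.
# The kernel hex-encodes a field value when it contains bytes outside printable
# ASCII; in proctitle the argv entries are joined with NUL (0x00) bytes, which
# this decoder turns into spaces so the command line stays readable.

# Decode one hex string to bytes on stdout; 00 bytes become spaces.
hex_decode() {
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}            # everything after the first two hex digits
        pair=${h%"$rest"}       # the first two hex digits
        if [ "$pair" = "00" ]; then
            printf ' '
        else
            # printf understands octal escapes portably, so convert hex -> octal
            printf "\\$(printf '%03o' "$((0x$pair))")"
        fi
        h=$rest
    done
}

# Rewrite one audit line, replacing each encoded field with its quoted decoding.
decode_audit_line() {
    line=$1
    for key in name profile proctitle; do
        # A value is encoded only when it starts with a hex digit rather than a quote.
        val=$(printf '%s\n' "$line" | sed -n "s/.* $key=\([0-9A-Fa-f]*\).*/\1/p")
        if [ -n "$val" ]; then
            dec=$(hex_decode "$val")
            prefix=${line%%"$key=$val"*}
            suffix=${line#*"$key=$val"}
            line="$prefix$key=\"$dec\"$suffix"
        fi
    done
    printf '%s\n' "$line"
}

# Filter: decode every line of an audit log given on stdin.
decode_audit_stream() {
    while IFS= read -r l; do
        decode_audit_line "$l"
    done
}

# Constructed sample: two of the records quoted in the bug report, run through the filter.
SAMPLE_LOG='type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70'

printf '%s\n' "$SAMPLE_LOG" | decode_audit_stream
```

Usage mirrors the report's expected invocation (`cat /var/log/audit/audit.log | decode_audit_stream`, or the script on the pipeline's right-hand side); lines whose fields are already quoted pass through unchanged, and the PROCTITLE record comes out as `proctitle="apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump"` rather than with the arguments run together.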

Seth Arnold (seth-arnold) wrote :

Nice! Thanks

Tyler Hicks (tyhicks) wrote :

This was released in apparmor 2.12. The upstream commit is 3afbfed9eef56d029a9a5890e5c463165530d509

Changed in apparmor:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released