aa-genprof creates empty profiles from /var/log/messages entries (works fine with auditd)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Intrepid | Won't Fix | High | Steve Beattie |
Jaunty | Fix Released | High | Unassigned |
Bug Description
Jaunty Beta Freeze Exception Request: please see comment https:/
Binary package hint: apparmor
Hello,
I'd say the bug report I'm opening is a duplicate of #294600, however Steve Beattie
said #294600 was a dup of #271252 which deals with a completely different case.
Not sure whether I should really open it as a new bug but here it is anyway.
aa-genprof generates an empty profile when it reads audit messages from
/var/log/messages. It works fine, i.e. produces a non-empty profile when auditd
is installed.
Take a look at apparmor_
aa-genprof asks no questions at all, it directly jumps to generating a new profile.
After installing auditd it's a completely different situation: here aa-genprof has noticed
that some audit events were generated and starts asking the questions.
The first lines of both attachments are the sample log entries; they're
different in the first two columns.
It's
type=1502 audit(123663275
and
type=APPARMOR_
I'm not sure why they're different but aa-genprof apparently chokes on the
former while having no problems with the latter.
It's auditd 1.7.4-1 and apparmor 1289-0ubuntu4.1 as reported by dpkg -l.
I'd like to investigate it further, however I'm not sure what to take a look at next.
Can you please guide me a bit here?
PS. By an empty profile I mean something like this
#include <tunables/global>
/home/dsuch/
#include <abstractions/base>
}
Changed in apparmor:
importance: Undecided → High
tags: added: regression-release; removed: regression-potential
Changed in apparmor (Ubuntu Intrepid):
status: Confirmed → Won't Fix
I can confirm that aa-genprof is not working right.
TEST CASE:
1. create $HOME/foobar.sh:
2. sudo aa-genprof.sh $HOME/foobar.sh
3. in another window, run $HOME/foobar.sh
4. in the aa-genprof window, do (S)can -- it does not prompt. Tried (S)can again, still no prompt.
Here are the logs:
Mar 11 07:32:59 myhost kernel: [50805.318822] type=1505 audit(1236774779.608:368): operation="profile_load" name="/home/jamie/foobar.sh" name2="default" pid=13649
Mar 11 07:33:07 myhost kernel: [50812.879558] type=1502 audit(1236774787.169:369): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879589] type=1502 audit(1236774787.169:370): operation="file_mmap" requested_mask="::mr" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.879606] type=1502 audit(1236774787.169:371): operation="file_mmap" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880123] type=1502 audit(1236774787.172:372): operation="file_mprotect" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880417] type=1502 audit(1236774787.172:373): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/jamie/foobar.sh" pid=13726 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880817] type=1502 audit(1236774787.172:374): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/bin/ls" pid=13727 profile="/home/jamie/foobar.sh"
Mar 11 07:33:07 myhost kernel: [50812.880842] type=1504 audit(1236774787.172:375): operation="exec" info="set profile" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880853] type=1502 audit(1236774787.172:376): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:07 myhost kernel: [50812.880906] type=1502 audit(1236774787.172:377): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/ls" pid=13727 profile="null-complain-profile"
Mar 11 07:33:18 myhost kernel: [50824.044090] __ratelimit: 4179 callbacks suppressed
Mar 11 07:33:18 myhost kernel: [50824.044094] type=1505 audit(1236774788.332:1771): operation="profile_replace" name="/home/jamie/foobar.sh" name2="default" pid=13870
Here is the generated profile:
# Last Modified: Wed Mar 11 07:32:59 2009
#include <tunables/global>
/home/jamie/foobar.sh {
#include <abstractions/base>
/bin/dash ix,
}
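The report's point is that the same AppArmor event reaches aa-genprof in two spellings: the kernel/syslog path in /var/log/messages writes a numeric `type=1502 audit(...)` header, while auditd writes the symbolic `type=APPARMOR_... msg=audit(...)` header, and only the latter was being parsed. The parser below, added here as an illustration and not code from aa-genprof or the apparmor package, normalises both forms and picks out the records a profile generator would have to prompt for. The auditd-format sample line is constructed by analogy because the report's own is truncated, and the number-to-name table is assumed from the kernel's audit.h (the page itself only shows 1502, 1504 and 1505).

```python
import re

# AppArmor audit record types. Numbers are assumed from the kernel's audit.h;
# auditd writes the symbolic name, the kernel/syslog path writes the number.
APPARMOR_TYPES = {
    1501: "APPARMOR_AUDIT", 1502: "APPARMOR_ALLOWED", 1503: "APPARMOR_DENIED",
    1504: "APPARMOR_HINT", 1505: "APPARMOR_STATUS", 1506: "APPARMOR_ERROR",
}

# Header of both variants; auditd prefixes the audit(...) stamp with "msg=".
_HEAD = re.compile(r'type=(?P<type>APPARMOR_[A-Z]+|\d+)\s+(?:msg=)?'
                   r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)\s*:\s*(?P<rest>.*)')
# key=value pairs; quoted values may contain spaces (info="set profile").
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Normalise one syslog/kernel or auditd line; None if not an AppArmor record."""
    m = _HEAD.search(line)
    if not m:
        return None
    raw = m.group("type")
    name = APPARMOR_TYPES.get(int(raw)) if raw.isdigit() else raw
    if name is None:  # audit record of some other subsystem (e.g. SYSCALL)
        return None
    rec = {"type": name, "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, quoted, bare in _KV.findall(m.group("rest")):
        rec[key] = quoted or bare
    return rec

def learning_events(lines):
    """Events a profile generator must ask about: accesses carrying a denied_mask."""
    out = []
    for line in lines:
        rec = parse_apparmor_line(line)
        if rec and rec["type"] in ("APPARMOR_ALLOWED", "APPARMOR_DENIED") and "denied_mask" in rec:
            out.append((rec.get("profile"), rec.get("name"), rec["denied_mask"]))
    return out

# Constructed sample: the /bin/dash access from the report as it reaches
# /var/log/messages and as auditd would record it, plus two non-events.
SAMPLE = [
    'Mar 11 07:33:07 myhost kernel: [50812.879558] type=1502 audit(1236774787.169:369): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"',
    'type=APPARMOR_ALLOWED msg=audit(1236774787.169:369): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/bin/dash" pid=13726 profile="/home/jamie/foobar.sh"',
    'Mar 11 07:33:07 myhost kernel: [50812.880842] type=1504 audit(1236774787.172:375): operation="exec" info="set profile" pid=13727 profile="null-complain-profile"',
    'Mar 11 07:33:18 myhost kernel: [50824.044090] __ratelimit: 4179 callbacks suppressed',
]
```

`learning_events(SAMPLE)` yields the same `("/home/jamie/foobar.sh", "/bin/dash", "::r")` record from both spellings of the header, while the HINT and rate-limit lines are skipped.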