aa-genprof/logprof don't recognize encoded profile names

Bug #897957 reported by John Johansen
This bug affects 1 person
Affects  | Status       | Importance | Assigned to | Milestone
AppArmor | Fix Released | Low        | Unassigned  |

Bug Description

When a profile name contains spaces or non-printable characters, it gets encoded when logged.

e.g.
[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

which can be decoded with aa-decode
  > aa-decode 74657374207370616365
  Decoded: test space

However, aa-logprof and aa-genprof do not recognize encoded profile names and skip log entries containing them.

Tags: aa-tools
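
A minimal sketch of the decoding step a log-processing tool needs for entries like the one above, added here as an example; it is not code from aa-logprof, aa-genprof or libapparmor. It assumes the convention visible in the page's log lines (quoted values are literal, an unquoted even-length hex value in a string field is encoded); the function names, the `STRING_FIELDS` set and the second sample line are hypothetical or constructed.

```python
import re

# Assumption: only these fields carry strings; numeric fields such as pid=
# must never be hex-decoded, even when their digits happen to look like hex.
STRING_FIELDS = {"profile", "name", "comm"}

# key=value pairs: the value is either a double-quoted string or a bare token.
PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def decode_value(key, raw, quoted):
    """Return the readable value of one audit field."""
    if quoted or key not in STRING_FIELDS:
        return raw  # quoted values are literal; other fields are left alone
    if HEX_RE.fullmatch(raw):
        # Unquoted, even-length hex in a string field: encoded value.
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_apparmor_event(line):
    """Parse one AppArmor audit line into a dict, or return None if it is not one."""
    if 'apparmor="' not in line:
        return None
    event = {}
    for m in PAIR_RE.finditer(line):
        key, token, inner = m.group(1), m.group(2), m.group(3)
        quoted = inner is not None
        event[key] = decode_value(key, inner if quoted else token, quoted)
    return event

# Log line taken from the bug description (encoded profile name).
SAMPLE_ENCODED = (
    '[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" '
    'operation="getattr" parent=16001 profile=74657374207370616365 '
    'name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)
# Constructed line: quoted profile name and a pid that is valid even-length hex.
SAMPLE_QUOTED = (
    'type=1400 audit(1322614912.304:900): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/example" name="/etc/hosts" pid=1234 comm="example"'
)

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_QUOTED):
        ev = parse_apparmor_event(sample)
        print(ev["profile"], ev["name"], ev["pid"])
```
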
John Johansen (jjohansen) wrote :

More example entries

Nov 29 17:01:52 ortho kernel: [289763.841084] type=1400 audit(1322614912.304:851): apparmor="ALLOWED" operation="open" parent=16001 profile=74657374207370616365 name="/etc/ld.so.cache" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 29 17:01:52 ortho kernel: [289763.842579] type=1400 audit(1322614912.304:855): apparmor="ALLOWED" operation="file_mmap" parent=16001 profile=74657374207370616365 name="/lib/libncurses.so.5.9" pid=17011 comm="bash" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0

Nov 29 17:01:58 ortho kernel: [289769.829897] type=1400 audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=74657374207370616365 name="/home/jj/.bash_history" pid=17011 comm="bash" requested_mask="w" denied_mask="w" fsuid=0 ouid=1000

Nov 29 17:01:58 ortho kernel: [289769.830284] type=1400 audit(1322614918.292:4380): apparmor="ALLOWED" operation="truncate" parent=16001 profile=74657374207370616365 name="/home/jj/.bash_history" pid=17011 comm="bash" requested_mask="w" den

Changed in apparmor:
status: New → Triaged
importance: Undecided → Medium
tags: added: aa-tools
Changed in apparmor:
importance: Medium → Low
Christian Boltz (cboltz) wrote :

John, can you please re-test with the latest python tools?

I'd expect libapparmor parse_record() to decode the profile name, and would guess that the problem was "just" the quotes or an attachment specification in the "test space" profile name. Both are fixed in the meantime.

Christian Boltz (cboltz) wrote :

I just tested myself - the python tools ask to add some permissions to the "test space" profile.

That's not too surprising because they use libapparmor for log parsing. This also means this bug was probably fixed in 2.9.

Changed in apparmor:
status: Triaged → Fix Released