aa-logprof doesn't support unix rules/events

Bug #1528778 reported by QkiZ
Affects            Status  Importance  Assigned to  Milestone
AppArmor           New     Undecided   Unassigned
apparmor (Ubuntu)  New     Wishlist    Unassigned

Bug Description

aa-logprof ignores denied messages in kern.log. Logs sent to apparmor [at] cboltz.de.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apparmor 2.10-0ubuntu6
ProcVersionSignature: Ubuntu 4.2.0-21.25-generic 4.2.6
Uname: Linux 4.2.0-21-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
Date: Wed Dec 23 09:22:44 2015
InstallationDate: Installed on 2014-04-19 (612 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.2.0-21-generic root=/dev/mapper/ubuntu-root ro splash elevator=cfq nomdmonddf nomdmonisw crashkernel=384M-:128M
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to wily on 2015-11-14 (38 days ago)

Christian Boltz (cboltz) wrote :

That's not a bug, it's a missing feature ;-) - aa-logprof doesn't have support for unix rules/events yet, so you'll need to allow this by manually adding rules.

Nevertheless, thanks for the log - having some example log lines is always helpful.

Dec 21 09:49:19 th1nkp4d kernel: [ 1807.331151] audit: type=1400 audit(1450687759.549:3582): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/cupsd" pid=6049 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"

BTW: peer_addr decodes to

# aa-decode 2F746D702F65736574732E736F636B
Decoded: /tmp/esets.sock

(I wonder if the tons of 0000000 are intentional - John, can you clarify this, please?)

summary: - aa-logprof ignores denied messages
+ aa-logprof doesn't support unix rules/events
QkiZ (qkiz) wrote :

Yup, aa-logprof doesn't recognize unix rules and events. If I add these rules manually, after the next aa-logprof run and answering its questions, all added unix rules are deleted from the profile files.

Christian Boltz (cboltz) wrote :

Losing unix rules is already fixed in bzr (trunk r3310, 2.10 branch r3292, 2.9 branch r2981) since a week, see bug 1522938.

BTW: Given how many issues you find, maybe you should switch to bzr trunk? ;-)

tags: added: aa-tools
QkiZ (qkiz) wrote :

I will :)

Seth Arnold (seth-arnold) wrote :

The zeros are probably intentional; the name of abstract unix sockets allows ascii NULs, and they may or may not be relevant based on the address length as reported in the C APIs. It's a terrible interface all around. (and now that I just now realize that a unix socket with name @00...00 len=2 is different from unix socket with name @00...00 len=4 I wonder what breaks if these two are actually used somewhere. Hmm.)

Christian Boltz (cboltz) wrote :

Well, maybe things are even more interesting:
- the log message doesn't specify the len, so a socket name ending with \0 _will_ cause trouble
- for some reason, the log line above gets parsed as AA_RECORD_INVALID:

START
File: testcase_syslog_unix_01.in
Event type: AA_RECORD_INVALID
Audit ID: 1450687759.549:3582
Operation: connect
Mask: send receive connect
Denied Mask: send connect
Profile: /usr/sbin/cupsd
Command: cupsd
PID: 6049
Network family: unix
Socket type: stream
Protocol: ip
Epoch: 1450687759
Audit subid: 3582

- the peer address isn't included in the parsed log - but that might be a side effect and/or reason for AA_RECORD_INVALID
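Parsing the kern.log line quoted earlier in this thread, decoding its hex-encoded peer_addr the way aa-decode does, and making the trailing-NUL problem that Seth and Christian describe visible, as an added example that is not part of this bug report or of the AppArmor tools. It assumes the key="value" layout of the audit line above; the sample line is a constructed copy with the peer_addr shortened from roughly two hundred trailing "00" bytes to four; and the suggested rule follows the unix rule form of apparmor.d(5) as I understand it, so treat it as a candidate to review rather than something to paste into a profile.

```python
import re

# Constructed copy of the kern.log line quoted in this bug. The real peer_addr
# is followed by roughly two hundred "00" bytes; four are kept here.
SAMPLE_LINE = (
    'Dec 21 09:49:19 th1nkp4d kernel: [ 1807.331151] audit: type=1400 '
    'audit(1450687759.549:3582): apparmor="ALLOWED" operation="connect" '
    'profile="/usr/sbin/cupsd" pid=6049 comm="cupsd" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive connect" '
    'denied_mask="send connect" addr=none '
    'peer_addr="@2F746D702F65736574732E736F636B00000000" peer="unconfined"'
)

# key="quoted value" or key=bare_value; the audit(...) id has its own pattern.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')


def parse_audit_fields(line):
    """Return the key=value pairs of an AppArmor audit line as a dict.
    Quoted values lose their quotes; bare values (pid=6049, protocol=0) stay text."""
    fields = {}
    m = AUDIT_ID_RE.search(line)
    if m:
        fields['audit_id'] = m.group(1)
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode_peer_addr(peer_addr):
    """Decode the peer_addr the kernel logs for an abstract unix socket.

    Returns (name, trailing_nul_count). The leading '@' is the usual marker for
    the abstract namespace and the rest is hex because the name may contain NUL
    bytes. The log line does not carry the address length, so the trailing NULs
    are stripped and counted separately: a name that deliberately ends in \\0
    cannot be told apart from padding using the log alone."""
    if not peer_addr.startswith('@'):
        return peer_addr, 0
    raw = bytes.fromhex(peer_addr[1:])
    stripped = raw.rstrip(b'\x00')
    return '@' + stripped.decode('ascii', errors='replace'), len(raw) - len(stripped)


def classify_mode(fields):
    """apparmor="ALLOWED" together with a denied_mask means the profile is in
    complain mode: the access went through but would be blocked in enforce mode.
    "DENIED" is an enforce-mode block, "AUDIT" an explicitly audited allow."""
    return {'ALLOWED': 'complain', 'DENIED': 'enforce',
            'AUDIT': 'audit'}.get(fields.get('apparmor'), 'unknown')


def suggest_unix_rule(fields):
    """Build a candidate unix rule from the denied accesses of a parsed event.
    Rule syntax as assumed from apparmor.d(5); review before use."""
    if fields.get('family') != 'unix' or 'denied_mask' not in fields:
        return None
    accesses = ', '.join(fields['denied_mask'].split())
    name, _ = decode_peer_addr(fields.get('peer_addr', ''))
    return 'unix (%s) type=%s peer=(label=%s,addr="%s"),' % (
        accesses, fields['sock_type'], fields['peer'], name)


def analyze_line(line):
    """Summarise one audit line: who, in which mode, talking to which peer,
    how many trailing NULs were discarded, and a rule suggestion to review."""
    fields = parse_audit_fields(line)
    name, padding = decode_peer_addr(fields.get('peer_addr', ''))
    return {
        'profile': fields.get('profile'),
        'mode': classify_mode(fields),
        'peer_name': name,
        'trailing_nuls': padding,
        'rule': suggest_unix_rule(fields),
    }


if __name__ == '__main__':
    for key, value in analyze_line(SAMPLE_LINE).items():
        print('%-14s %s' % (key + ':', value))
```

The trailing_nuls count is the point of the example: when it is non-zero the decoded name is only the most likely reading, and a socket whose name genuinely ends in NUL bytes would get a rule that does not match it.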

Mathew Hodson (mhodson)
Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist