14.04 kernel does not log exec properly and aa-logprof fails

Bug #1545776 reported by Peter Maloney
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned
apparmor (Ubuntu)
Confirmed
Undecided
Unassigned
linux (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec properly in audit.log when in complain mode, so aa-logprof will not work.

Here is test.bash
-------------
#!/bin/bash

echo "hi"
ls /tmp
find /tmp
-------------

Here is /etc/apparmor.d/root.tmp.test.bash (which was created with aa-genprof and edited with aa-logprof):
-------------
# Last Modified: Mon Feb 15 16:05:05 2016
#include <tunables/global>

/root/tmp/test.bash flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/user-tmp>

  /bin/ls r,
  /proc/filesystems r,
  /proc/meminfo r,
  /root/tmp/ r,
  /root/tmp/test.bash r,
  /tmp/** rwlk,
  /usr/bin/find r,

}
-------------

Here are the results in audit.log with a stock kernel, and a vanilla+grsecurity 4.3.5 kernel:

# uname -a
Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

enforce mode:
-------------
type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=AVC msg=audit(1455548893.573:18247): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=9768 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.573:18247): arch=c000003e syscall=59 success=no exit=-13 a0=8c2908 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9768 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
[this is full output]
-------------

complain mode:
-------------
type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
type=SYSCALL msg=audit(1455548922.473:18249): arch=c000003e syscall=59 success=yes exit=0 a0=10c6d88 a1=10c6988 a2=10c7c08 a3=7fff57ced540 items=0 ppid=9771 pid=9772 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
[... much longer...]]
-------------

# uname -a
Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 x86_64 x86_64 GNU/Linux

enforce
-------------
type=AVC msg=audit(1455549782.598:50): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1710 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455549782.598:50): arch=c000003e syscall=59 success=no exit=-13 a0=d9eb88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1710 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=UNKNOWN[1327] msg=audit(1455549782.598:50): proctitle=2F62696E2F62617368002E2F746573742E62617368
type=AVC msg=audit(1455549782.598:51): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1711 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455549782.598:51): arch=c000003e syscall=59 success=no exit=-13 a0=d9ee88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1711 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=UNKNOWN[1327] msg=audit(1455549782.598:51): proctitle=2F62696E2F62617368002E2F746573742E62617368
-------------

complain
-------------
type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
type=SYSCALL msg=audit(1455549804.810:57): arch=c000003e syscall=59 success=yes exit=0 a0=20ddd08 a1=20dcb88 a2=20dcc08 a3=76f9147845e0 items=0 ppid=1749 pid=1750 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="ls" exe="/bin/ls" key=(null)
-------------

Notice that the name="/bin/ls" is in the enforce mode log for both kernels, and in the complain mode log for kernel 4.3.5. It is missing from the complain mode kernel 3.13.

And another problem I found while failing to reproduce the above problem. This was with a profile made with aa-genprof on the bash executable (copied to ~/tmp/), without any more rules added. I could not reproduce this problem with the grsec kernel, so I'll just report them together.

-------------
# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
    log = log_reader.read_log(logmark)
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
    self.add_event_to_tree(event)
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
    raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode '
-------------

the problem line (requested_mask and denied_mask are blank):
-------------
type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
-------------

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1545776

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty
Revision history for this message
Peter Maloney (peter-maloney) wrote :

# apport-collect 1545776
ERROR: You need to use apport-collect for updating an existing bug

Seems highly broken.

And apport-bug refused to work too, except running on the other kernel. And it collects too much info. So I deleted lots of it; see it attached.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Peter Maloney (peter-maloney) wrote :

btw, not sure why I was using 3.13.0-32 before... I also tested it with the latest, with same result

# uname -a
Linux apparmortest 3.13.0-77-generic #121-Ubuntu SMP Wed Jan 20 10:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# tail -f /var/log/audit.log
[...]
type=AVC msg=audit(1455628235.420:56): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=1692 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
[...]

Revision history for this message
Christian Boltz (cboltz) wrote :

The aa-logprof crash with empty denied_mask is already fixed in bzr, see bug 1525119

tags: added: aa-kernel apparmor
removed: apparmo
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Me (wmsopou) wrote :

On Ubuntu 15.10 (4.2.0-16-generic) aa-genprof creates a similarly broken profile.

On Ubuntu 16.04 beta 2 (4.4.0-15-generic) the "name" field is now present in syslog when operation="exec" and aa-genprof gives /usr/bin/find cx permission and creates a child profile. Running the profile in enforce mode is successful.

Any chance whatever was done to fix it in the kernel can be backported to 14.04 and 12.04 since most users will probably be stuck with those versions for a long time to come?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.