aa-decode can't decode the audit log which contains the proctitle string
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Description of Problem]
aa-decode can't decode the audit log which contains the proctitle string.
ubuntu kernel version: 4.4.0-87-generic
AppArmor tool version: 2.10.95
[How To Reproduce]
e.g.
# apparmor_parser -r /etc/apparmor.
# cat /var/log/
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=PROCTITLE msg=audit(
# aa-decode 61707061726D6F7
Decoded: apparmor_
# cat /var/log/
type=DAEMON_START msg=audit(
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=PROCTITLE msg=audit(
[Actual Result]
aa-decode can decode a single string, but cannot take an audit log on standard input and convert the hex-encoded string.
[Expected Result]
# cat /var/log/
type=DAEMON_START msg=audit(
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=PROCTITLE msg=audit(
[How To Fix]
Fix the aa-decode shell script.
--- utils/aa-decode 2013-01-01 14:15:04.000000000 -0500
+++ utils/aa-decode.new 2017-11-30 02:39:13.780000000 -0500
@@ -70,7 +70,7 @@ fi
while read line ; do
# check if line contains encoded name= or profile=
- if [[ "$line" =~ \ (name|profile)
+ if [[ "$line" =~ \ (name|profile|
# cut the encoded filename/profile name out of the line and decode it
ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
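Review bot: the comment directly above the changed condition still reads "check if line contains encoded name= or profile=", so once the alternation `(name|profile|` gains a third field the comment no longer describes what the test matches. Update it in the same change to mention proctitle=, so the next reader does not assume PROCTITLE records are skipped.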
@@ -79,9 +79,13 @@ while read line ; do
pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
+ pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
+ pcd="$(decode ${pce/\'/\\\'})"
+
# replace encoded name and profile with its decoded counterparts (only if it was encoded)
test -n "$nd" && line="$
test -n "$pd" && line="$
+ test -n "$pcd" && line="$
fi
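Review bot: the added `pce=` line runs its sed on every line that passed the outer test, and on a line with name= or profile= but no ` proctitle=` field the substitution does not match, so `pce` holds the entire line and is then handed to `decode` through the unquoted `${pce/\'/\\\'}`, where it is word-split. Extract and decode proctitle only when the line actually contains ` proctitle=`, and quote the argument to `decode`. The single-slash form also escapes only the first single quote in the value. The comment "replace encoded name and profile with its decoded counterparts" should mention proctitle too.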
[Workaround]
If you cannot decode the audit log, try to decode the single string.
# aa-decode 61707061726D6F7
Decoded: apparmor_
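The behaviour asked for under [Expected Result], as an added example (not aa-decode's code and not the patch above): a POSIX shell filter that decodes hex-encoded name=, profile= and proctitle= values in audit lines. It assumes encoded values are bare hex while unencoded ones are double-quoted, and that NUL bytes separate the arguments inside proctitle; the function names and the sample records are constructed.

```shell
#!/bin/sh
# Added example, not the aa-decode source: decode hex-encoded name=,
# profile= and proctitle= values in audit log lines.

# Print the text for an even-length hex string; fail on anything else.
# NUL (argv separator in proctitle) becomes a space, other control bytes "?".
hex_to_text() {
    h=$1 out=
    case $h in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    while [ -n "$h" ]; do
        tail=${h#??}; byte=${h%"$tail"}; h=$tail
        n=$(( 0x$byte ))
        if [ "$n" -eq 0 ]; then out="$out "
        elif [ "$n" -lt 32 ] || [ "$n" -eq 127 ]; then out="$out?"
        else out="$out$(printf "\\$(printf '%03o' "$n")")"
        fi
    done
    printf '%s\n' "$out"
}

# Decode the three fields in one log line; unencoded (quoted) values and
# all other text are left untouched.
decode_line() {
    line=" $1"
    for key in name profile proctitle; do
        case $line in *" $key="*) ;; *) continue ;; esac
        after=${line#*" $key="}; val=${after%% *}
        if text=$(hex_to_text "$val"); then
            head=${line%%" $key="*}; rest=${after#"$val"}
            line="$head $key=\"$text\"$rest"
        fi
    done
    printf '%s\n' "${line# }"
}

decode_stream() {
    while IFS= read -r l || [ -n "$l" ]; do decode_line "$l"; done
}

# Constructed sample records (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1500000000.000:10): apparmor="DENIED" operation="open" profile="/usr/bin/example" name=2F746D702F612062 pid=4242 comm="ls"
type=PROCTITLE msg=audit(1500000000.000:10): proctitle=6C73002D6C002F746D70
EOF
}

sample_log | decode_stream
```

Control bytes are replaced rather than printed so that a decoded value cannot inject line breaks or terminal escapes into the output being reviewed.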
Nice! Thanks