aa-notify doesn't display certain apparmor events

Bug #800826 reported by Marc Deslauriers on 2011-06-22
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
AppArmor
High
Steve Beattie
apparmor (Ubuntu)
High
Steve Beattie
Precise
High
Steve Beattie

Bug Description

This works properly:
[153157.745909] type=1400 audit(1308767024.828:3705): apparmor="DENIED" operation="open" parent=24000 profile="/usr/lib/firefox-5.0/firefox{,*[^s][^h]}" name="/opt/server/photos/100_0243.JPG" pid=24791 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

This doesn't get displayed at all:
[153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: apparmor-notify 2.6.1-0ubuntu3
ProcVersionSignature: Ubuntu 2.6.38-10.44-generic 2.6.38.7
Uname: Linux 2.6.38-10-generic x86_64
Architecture: amd64
Date: Wed Jun 22 14:30:37 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha amd64 (20110302)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.38-10-generic root=UUID=66b32bb3-1e18-436e-8f6e-62b8419ed48d ro quiet splash vt.handoff=7
ProcVersionSignature_: Ubuntu 2.6.38-10.44-generic 2.6.38.7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

Marc Deslauriers (mdeslaur) wrote :
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

This seems to be a problem with the bindings. Attached is a minimal reproducer:
$ perl /tmp/800826.pl
== path denial ==
Audit ID: 1308767024.828:3705
PID: 24791
Epoch: 1308767024
Operation: open
Denied mask: r
Name: /opt/server/photos/100_0243.JPG

== net denial ==
Audit ID: 1308766940.698:3704
PID: 24743
Epoch: 1308766940
Operation: sendmsg
Use of uninitialized value in concatenation (.) or string at /tmp/800826.pl line 27.
Denied mask:
Use of uninitialized value in concatenation (.) or string at /tmp/800826.pl line 29.
Family:
Use of uninitialized value in concatenation (.) or string at /tmp/800826.pl line 30.
Sock:

Notice that while the 'path' test is fine, the 'net' test doesn't seem to be working right. These tests are based on what aa-notify does.

Changed in apparmor (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :
Changed in apparmor:
status: New → Confirmed
importance: Undecided → High
Steve Beattie (sbeattie) on 2011-06-22
Changed in apparmor:
assignee: nobody → Steve Beattie (sbeattie)
tags: added: rls-p-tracking
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-alpha-2
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in apparmor (Ubuntu Precise):
assignee: Ubuntu Security Team (ubuntu-security) → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Precise):
milestone: precise-alpha-2 → ubuntu-12.04-beta-1
tags: added: rls-mgr-p-tracking
Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04-beta-2 → ubuntu-12.04
Steve Beattie (sbeattie) wrote :

The issue here is that the logging messages related to networking had the ip addresses and ports added to them, but the log parsing library has not been updated to take them into account. I'm working on a patch for this.

Changed in apparmor (Ubuntu Precise):
status: Confirmed → In Progress
Christian Boltz (cboltz) wrote :
Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in apparmor:
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to add utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)
 -- Steve Beattie <email address hidden> Thu, 12 Apr 2012 06:17:42 -0500

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) on 2012-04-27
Changed in apparmor:
milestone: none → 2.8.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.