aa-logprof drops exec denials

Bug #872446 reported by Jamie Strandboge on 2011-10-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
High
Steve Beattie
Precise
High
Steve Beattie

Bug Description

aa-logprof works great for profiles that are in complain mode only. It will not pickup denials that are from an enforcing mode profile however, which reduces its utility. This is confirmed on Ubuntu 10.10 (apparmor 2.5.1), Ubuntu 11.04 (apparmor 2.6.1) and Ubuntu 11.10 (apparmor 2.70~beta1).

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
John Johansen (jjohansen) wrote :

This is a regression. aa-logprof has in the past worked fine with denials

Changed in apparmor (Ubuntu):
importance: Wishlist → High
tags: added: rls-mgr-p-tracking
Changed in apparmor (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-alpha-2
tags: added: rls-p-tracking
removed: rls-mgr-p-tracking
Changed in apparmor (Ubuntu Precise):
assignee: Ubuntu Security Team (ubuntu-security) → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Precise):
milestone: precise-alpha-2 → ubuntu-12.04-beta-1
tags: added: rls-mgr-p-tracking
Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04-beta-2 → ubuntu-12.04
Steve Beattie (sbeattie) wrote :

Jamie, can you describe how you hit this, as I'm unable to reproduce it. In the example below auditd is not running:

$ cat tmp/my.sh
#!/bin/sh

cat "$@" > /dev/null

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 10:59:48 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /home/ubuntu/tmp/my.sh r,
}

$ sudo aa-status | grep my.sh
   /home/ubuntu/tmp/my.sh
   /home/ubuntu/tmp/my.sh//null-f

$ tmp/my.sh /etc/fstab
cat: /etc/fstab: Permission denied

$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/fstab
Mode: r
Severity: 3

  1 - #include <abstractions/evince>
 [2 - /etc/fstab]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/fstab r to profile.

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/resolv.conf
Mode: r
Severity: 2

  1 - #include <abstractions/nameservice>
 [2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/resolv.conf
Mode: r
Severity: 2

  1 - #include <abstractions/nameservice>
 [2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/resolv.conf r to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/ubuntu/tmp/my.sh.

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 11:04:45 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /etc/fstab r,
  /etc/resolv.conf r,
  /home/ubuntu/tmp/my.sh r,

}

(note that resolv.conf access rejection was from a prior run of my.sh)

Steve Beattie (sbeattie) on 2012-03-26
Changed in apparmor (Ubuntu Precise):
status: Triaged → In Progress
status: In Progress → Incomplete
Jamie Strandboge (jdstrand) wrote :

1. Create /tmp/foo.sh:
#!/bin/sh
cat /etc/fstab
grep root /etc/passwd

2. chmod 755 /tmp/foo.sh

3. sudo aa-genprof /tmp/foo.sh
Writing updated profile for /tmp/foo.sh.
Setting /tmp/foo.sh to complain mode.
...
[(S)can system log for AppArmor events] / (F)inish

(press 'f' (ie, don't run /tmp/foo.sh in another terminal or anything)
Reloaded AppArmor profiles in enforce mode.
...
Finished generating profile for /tmp/foo.sh.

4. verify it is loaded
$ sudo aa-status|grep foo
   /tmp/foo.sh

5. run the script:
$ /tmp/foo.sh
/bin/sh: Can't open /tmp/foo.sh

6. run aa-logprof
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /tmp/foo1.sh
Path: /tmp/foo1.sh
Mode: r
Severity: unknown

 [1 - /tmp/foo1.sh]
(press 'a')

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /tmp/foo1.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
(press 's')
Writing updated profile for /tmp/foo1.sh.

8. Verify the profile was updated:
$ $ cat /etc/apparmor.d/tmp.foo1.sh
# Last Modified: Mon Mar 26 13:40:50 2012
#include <tunables/global>

/tmp/foo.sh {
  #include <abstractions/base>

  /bin/dash ix,
  /tmp/foo.sh r,

}

9. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied

10. run aa-logprof:
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

(notice I wasn't prompted).

11. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied

I'm not sure what this is as I did see it work a couple of time. I think this might be a timestamp checking issue. If I went slowly between running aa-genprof and aa-logprof it would work. If I went more quickly, it would not. This is not a result of kernel rate limiting, because I have entries in dmesg for the cat and grep denials.

Changed in apparmor (Ubuntu Precise):
status: Incomplete → New
Steve Beattie (sbeattie) wrote :

So the issue here is that, due to logprof not taking into account some logging changes, it was dropping 'exec' events that occurred when the profile in question was in enforcing mode; it would catch it if it was in complain mode (because of the generated null profile on exec in complain mode). I've sent a patch for review to the upstream mailing list: https://lists.ubuntu.com/archives/apparmor/2012-March/002519.html .

However, with just that patch applied, I get a couple of perl warnings that patch 3/4 in that series addresses.

Changed in apparmor (Ubuntu Precise):
status: New → In Progress
Steve Beattie (sbeattie) on 2012-03-27
summary: - aa-logprof should detect denials as well as complaints
+ aa-logprof dropes exec denials
summary: - aa-logprof dropes exec denials
+ aa-logprof drops exec denials
Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to add utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)
 -- Steve Beattie <email address hidden> Thu, 12 Apr 2012 06:17:42 -0500

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers