Ohh it's just ascii in hex, my bad, it's been a long week :)

> On 28 Jul 2016, at 17:54, John Johansen <[email protected]> wrote:
>
>> On 07/28/2016 06:19 AM, Mark Wadham wrote:
>> I tried to write an apparmor profile for plex media server, which has a
>> binary with spaces in the name.
>>
>> I put it in quotes in the apparmor profile, but then all the complain
>> messages have hashes where the name should be, eg:
>>
>>> [ 9551.412776] audit: type=1400 audit(1469711661.099:16933):
>>> apparmor="ALLOWED" operation="recvmsg"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25858 comm=506C657820444C4E41205365727665 lport=1900 family="inet"
>>> sock_type="dgram" protocol=17 requested_mask="receive" denied_mask="receive"
>>> [ 9551.418972] audit: type=1400 audit(1469711661.107:16934):
>>> apparmor="ALLOWED" operation="create"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
>>> [ 9551.419247] audit: type=1400 audit(1469711661.107:16935):
>>> apparmor="ALLOWED" operation="create"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
>>> [ 9551.419610] audit: type=1400 audit(1469711661.107:16936):
>>> apparmor="ALLOWED" operation="create"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="unix"
>>> sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
>>> addr=none
>>> [ 9551.419712] audit: type=1400 audit(1469711661.107:16937):
>>> apparmor="ALLOWED" operation="create"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="unix"
>>> sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
>>> addr=none
>>> [ 9551.419846] audit: type=1400 audit(1469711661.107:16938):
>>> apparmor="ALLOWED" operation="getsockname"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=17 requested_mask="getattr" denied_mask="getattr"
>>> [ 9551.419940] audit: type=1400 audit(1469711661.107:16939):
>>> apparmor="ALLOWED" operation="getpeername"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=17 requested_mask="getattr" denied_mask="getattr"
>>> [ 9551.420017] audit: type=1400 audit(1469711661.107:16940):
>>> apparmor="ALLOWED" operation="setsockopt"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=17 requested_mask="setopt" denied_mask="setopt"
>>> [ 9551.420106] audit: type=1400 audit(1469711661.107:16941):
>>> apparmor="ALLOWED" operation="connect"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 family="inet"
>>> sock_type="dgram" protocol=17 requested_mask="connect" denied_mask="connect"
>>> [ 9551.420196] audit: type=1400 audit(1469711661.107:16942):
>>> apparmor="ALLOWED" operation="getsockname"
>>> profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
>>> pid=25983 comm=506C657820444C4E41205365727665 laddr=45.32.182.252
>>> lport=38561 faddr=45.32.182.252 fport=42674 family="inet" sock_type="dgram"
>>> protocol=17 requested_mask="getattr" denied_mask="getattr"
>>
>> Am I doing something wrong or is this just not very well supported yet?
> It's fine, the kernel audit subsystem is doing a hex encoding on the string to
> try and keep it from breaking userspace log parsing. It does this for a whole
> bunch of different characters that it considers to be not safe
>
> logprof should be able to decode these, we also have a command line utility
> to do it
>
> aa-decode 2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D65646961205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665722F506C657820444C4E4120536572766572
> Decoded: /usr/lib/plexmediaserver/Plex Media Server//null-/usr/lib/plexmediaserver/Plex DLNA Server
>
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
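An added example, not part of the thread and not AppArmor project code: a small Python parser that decodes the hex-encoded fields of a whole audit line, the way aa-decode does for a single string above. The function names, the set of string fields, and the sample line (constructed from the decoded profile name shown in the thread) are assumptions of this sketch.

```python
import re

# Fields treated as strings that the kernel may hex-encode. "profile" and "comm"
# appear in the thread; "name" is an assumption added for file-path events.
STRING_FIELDS = {"profile", "comm", "name"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+\Z')


def escape_unprintable(text):
    """Escape control characters so a decoded value cannot forge log lines."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)


def decode_value(key, raw):
    """Quoted values are literal; bare hex in a string field is encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in STRING_FIELDS and HEX_RE.match(raw):
        text = bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
        return escape_unprintable(text)
    # Numeric fields such as pid, lport or protocol stay untouched,
    # even when they happen to look like valid hex (protocol=17).
    return raw


def parse_audit_line(line):
    """Return a dict of key -> decoded value for one audit record."""
    return {key: decode_value(key, raw) for key, raw in FIELD_RE.findall(line)}


# Constructed sample modelled on the first record quoted in the thread.
PROFILE = ("/usr/lib/plexmediaserver/Plex Media Server"
           "//null-/usr/lib/plexmediaserver/Plex DLNA Server")
SAMPLE = ('audit: type=1400 audit(1469711661.099:16933): apparmor="ALLOWED" '
          'operation="recvmsg" profile=' + PROFILE.encode().hex().upper() +
          ' pid=25858 comm=506C657820444C4E41205365727665 lport=1900 '
          'family="inet" protocol=17 requested_mask="receive"')

if __name__ == "__main__":
    for key, value in parse_audit_line(SAMPLE).items():
        print(f"{key}: {value}")
```

Only unquoted values in known string fields are decoded, and control characters in the decoded text are escaped before display, since those characters are the reason the kernel encoded the value in the first place.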
