On Thu, Jul 28, 2016 at 11:38:38AM -0500, Jamie Strandboge wrote:
> On Thu, 2016-07-28 at 14:19 +0100, Mark Wadham wrote:
> > I tried to write an apparmor profile for plex media server, which has a
> > binary with spaces in the name.
> > > [ 9551.412776] audit: type=1400 audit(1469711661.099:16933):
> > > apparmor="ALLOWED" operation="recvmsg"
> > > profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D656469
> > > 61205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665
> > > 722F506C657820444C4E4120536572766572
> > > pid=25858 comm=506C657820444C4E41205365727665 lport=1900 family="inet"
> > > sock_type="dgram" protocol=17 requested_mask="receive"
> > > denied_mask="receive"
> > Am I doing something wrong or is this just not very well supported yet?

Just a note that this hex-encoded output is intentional, to avoid attackers
accessing files with names like:

    /foo/bar/baz [11111.1] audit: type=1400 audit(150000000): apparmor="ALLOWED" operation="file_write" name="/etc/shadow" comm="bash" profile="user_shell" ...

If we didn't heavily restrict the allowed characters in the logs, it'd be too
easy to confuse log readers.

The downside is that you do have to use aa-decode or similar tools to find
out the actual name that was used.

Thanks
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
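The encoding described in the reply above, as an added example that is not part of the original thread and is not AppArmor's or aa-decode's own code: it decodes the hex `profile=` and `comm=` fields from the quoted log line and shows that a hostile file name collapses into a single hex token. Assumptions: the unsafe-character rule in `encode_field` is a model (bytes below 0x21, above 0x7E, or a double quote), and the `STRING_FIELDS` set and the newline inside the constructed file name are choices made for this example.

```python
import re

# Fields treated as untrusted strings (assumption made for this example).
STRING_FIELDS = {"name", "profile", "comm"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def encode_field(value: bytes) -> str:
    """Emit a value as the log does: quoted when safe, bare hex otherwise."""
    # Model of the rule: space, control bytes, non-ASCII and '"' are unsafe.
    if any(b < 0x21 or b > 0x7E or b == 0x22 for b in value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'

def decode_field(raw: str) -> str:
    """Reverse encode_field; quotes mark a literal, so hex is unambiguous."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw

def parse_record(line: str) -> dict:
    """Split one audit line into key/value pairs, decoding string fields."""
    return {k: decode_field(v) if k in STRING_FIELDS else v.strip('"')
            for k, v in FIELD_RE.findall(line)}

# Log line from the message above, with the wrapped hex joined back together.
PLEX_LINE = (
    'audit: type=1400 audit(1469711661.099:16933): apparmor="ALLOWED" '
    'operation="recvmsg" profile='
    '2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D656469'
    '61205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665'
    '722F506C657820444C4E4120536572766572'
    ' pid=25858 comm=506C657820444C4E41205365727665 lport=1900 family="inet"')

# Constructed hostile file name, modelled on the example in the reply.
HOSTILE_NAME = (b'/foo/bar/baz\n[11111.1] audit: type=1400 audit(150000000): '
                b'apparmor="ALLOWED" operation="file_write" name="/etc/shadow"')

if __name__ == "__main__":
    rec = parse_record(PLEX_LINE)
    print(rec["profile"], "|", rec["comm"])
    print("name=" + encode_field(HOSTILE_NAME))  # one token, no forged record
```

Numeric fields such as `lport=1900` are left alone because they are not in `STRING_FIELDS`, even though they happen to look like valid hex.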
