1. Create /tmp/foo.sh:
#!/bin/sh
cat /etc/fstab
grep root /etc/passwd

2. chmod 755 /tmp/foo.sh

3. sudo aa-genprof /tmp/foo.sh
Writing updated profile for /tmp/foo.sh.
Setting /tmp/foo.sh to complain mode.
...
[(S)can system log for AppArmor events] / (F)inish

(press 'f', i.e., don't run /tmp/foo.sh in another terminal or anything)
Reloaded AppArmor profiles in enforce mode.
...
Finished generating profile for /tmp/foo.sh.

4. verify it is loaded
$ sudo aa-status|grep foo
   /tmp/foo.sh

5. run the script:
$ /tmp/foo.sh
/bin/sh: Can't open /tmp/foo.sh

6. run aa-logprof
$ sudo aa-logprof 
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:  /tmp/foo1.sh
Path:     /tmp/foo1.sh
Mode:     r
Severity: unknown


 [1 - /tmp/foo1.sh]
(press 'a')

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

 [1 - /tmp/foo1.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
(press 's')
Writing updated profile for /tmp/foo1.sh.

8. Verify the profile was updated:
$ cat /etc/apparmor.d/tmp.foo1.sh 
# Last Modified: Mon Mar 26 13:40:50 2012
#include <tunables/global>

/tmp/foo.sh {
  #include <abstractions/base>


  /bin/dash ix,
  /tmp/foo.sh r,

}

9. Run the script:
$ /tmp/foo1.sh 
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied

10. run aa-logprof:
$ sudo aa-logprof 
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

(notice I wasn't prompted).

11. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied


I'm not sure what this is as I did see it work a couple of times. I think this 
might be a timestamp checking issue. If I went slowly between running 
aa-genprof and aa-logprof it would work. If I went more quickly, it would not. 
This is not a result of kernel rate limiting, because I have entries in dmesg 
for the cat and grep denials.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/872446

Title:
  aa-logprof should detect denials as well as complaints

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/872446/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
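The report above is that aa-logprof read the log but never offered the enforce-mode denials for /bin/cat and /bin/grep, even though the kernel had logged them. The script below is an added example, not part of the bug report and not aa-logprof's own code: it is a minimal parser that turns AppArmor audit lines (the apparmor="DENIED" / apparmor="ALLOWED" key=value records the kernel emits to dmesg and syslog) into candidate profile rules, grouped per profile, so that a practitioner can check independently what a given log should have produced. The log lines embedded in it are constructed for the example, modelled on the kernel's audit format rather than copied from the report; the choice of `ix` for exec denials and the mapping from audit mask letters to profile permission letters are assumptions noted in the code, since the exec mode (ix/Px/ux) is exactly the policy decision aa-logprof normally prompts for.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the bug report), modelled on the
# type=1400 audit records AppArmor writes to dmesg/syslog.  They contain:
# two exec denials and one open denial for /tmp/foo1.sh in enforce mode,
# one complain-mode (ALLOWED) entry, one STATUS line with no profile, and
# one denial that belongs to a different profile.
SAMPLE_LOG = """\
Mar 26 13:41:02 host kernel: [ 1234.567890] type=1400 audit(1332776462.123:45): apparmor="DENIED" operation="exec" parent=2001 profile="/tmp/foo1.sh" name="/bin/cat" pid=2002 comm="foo1.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 26 13:41:02 host kernel: [ 1234.567891] type=1400 audit(1332776462.124:46): apparmor="DENIED" operation="exec" parent=2001 profile="/tmp/foo1.sh" name="/bin/grep" pid=2003 comm="foo1.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 26 13:41:05 host kernel: [ 1234.570000] type=1400 audit(1332776465.000:47): apparmor="DENIED" operation="open" parent=2001 profile="/tmp/foo1.sh" name="/etc/fstab" pid=2004 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 13:41:05 host kernel: [ 1234.570100] type=1400 audit(1332776465.100:48): apparmor="ALLOWED" operation="open" parent=2001 profile="/tmp/foo1.sh" name="/etc/passwd" pid=2005 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 13:41:06 host kernel: [ 1234.580000] type=1400 audit(1332776466.000:49): apparmor="STATUS" operation="profile_replace" name="/tmp/foo1.sh" pid=2010 comm="apparmor_parser"
Mar 26 13:41:07 host kernel: [ 1234.590000] type=1400 audit(1332776467.000:50): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=3000 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as the audit subsystem prints them.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed mapping from audit mask letters to profile permission letters:
# create/delete need write access, the rest carry over unchanged.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                'm': 'm', 'k': 'k', 'l': 'l', 'x': 'x'}


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None.

    Everything before 'apparmor=' (syslog timestamp, dmesg uptime,
    audit(...) serial) is ignored, so dmesg and syslog lines both work.
    """
    start = line.find('apparmor=')
    if start < 0:
        return None
    fields = {}
    for m in KV_RE.finditer(line, start):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def rule_for(event, exec_mode='ix'):
    """Translate one file access event into a profile rule line.

    exec_mode is an assumption for the example: choosing between ix, Px
    and ux is a policy decision, which is why aa-logprof asks the user.
    """
    name = event.get('name')
    mask = event.get('denied_mask') or event.get('requested_mask') or ''
    if not name or not mask:
        return None
    if event.get('operation') == 'exec' or 'x' in mask:
        return f'{name} {exec_mode},'
    perms = ''.join(sorted({MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}))
    return f'{name} {perms},' if perms else None


def suggest_rules(log_text, include_complain=True, profiles=None):
    """Collect candidate rules per profile from DENIED (and optionally
    complain-mode ALLOWED) events.  Both kinds are picked up, which is the
    behaviour the bug report asks of aa-logprof."""
    wanted = {'DENIED'} | ({'ALLOWED'} if include_complain else set())
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get('apparmor') not in wanted:
            continue
        profile = ev.get('profile')
        if not profile or (profiles and profile not in profiles):
            continue
        rule = rule_for(ev)
        if rule:
            rules[profile].add(rule)
    return {p: sorted(r) for p, r in rules.items()}


def render_profile_fragment(profile, rules):
    """Render the rules in the layout aa-logprof writes to /etc/apparmor.d."""
    body = '\n'.join(f'  {r}' for r in rules)
    return f'{profile} {{\n  #include <abstractions/base>\n\n{body}\n}}\n'


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(render_profile_fragment(profile, rules))
```

Run against a real system it would be fed the output of `dmesg` or the contents of /var/log/syslog instead of SAMPLE_LOG; restricting `profiles` to the one being developed keeps unrelated denials, such as the cupsd line in the sample, out of the fragment, and `include_complain=False` shows only what enforce mode actually blocked.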
