Public bug reported:

Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec properly in audit.log when in complain mode, so aa-logprof will not work.

Here is test.bash
-------------
#!/bin/bash
echo "hi"
ls /tmp
find /tmp
-------------

Here is /etc/apparmor.d/root.tmp.test.bash (which was created with aa-genprof and edited with aa-logprof):
-------------
# Last Modified: Mon Feb 15 16:05:05 2016
#include <tunables/global>

/root/tmp/test.bash flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/user-tmp>

  /bin/ls r,
  /proc/filesystems r,
  /proc/meminfo r,
  /root/tmp/ r,
  /root/tmp/test.bash r,
  /tmp/** rwlk,
  /usr/bin/find r,

}
-------------

Here are the results in audit.log with a stock kernel, and a vanilla+grsecurity 4.3.5 kernel:

# uname -a
Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

enforce mode:
-------------
type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=AVC msg=audit(1455548893.573:18247): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=9768 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.573:18247): arch=c000003e syscall=59 success=no exit=-13 a0=8c2908 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9768 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
[this is full output]
-------------

complain mode:
-------------
type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
type=SYSCALL msg=audit(1455548922.473:18249): arch=c000003e syscall=59 success=yes exit=0 a0=10c6d88 a1=10c6988 a2=10c7c08 a3=7fff57ced540 items=0 ppid=9771 pid=9772 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
[... much longer...]
-------------

# uname -a
Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 x86_64 x86_64 GNU/Linux

enforce
-------------
type=AVC msg=audit(1455549782.598:50): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1710 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455549782.598:50): arch=c000003e syscall=59 success=no exit=-13 a0=d9eb88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1710 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=UNKNOWN[1327] msg=audit(1455549782.598:50): proctitle=2F62696E2F62617368002E2F746573742E62617368
type=AVC msg=audit(1455549782.598:51): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1711 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455549782.598:51): arch=c000003e syscall=59 success=no exit=-13 a0=d9ee88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1711 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=UNKNOWN[1327] msg=audit(1455549782.598:51): proctitle=2F62696E2F62617368002E2F746573742E62617368
-------------

complain
-------------
type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
type=SYSCALL msg=audit(1455549804.810:57): arch=c000003e syscall=59 success=yes exit=0 a0=20ddd08 a1=20dcb88 a2=20dcc08 a3=76f9147845e0 items=0 ppid=1749 pid=1750 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="ls" exe="/bin/ls" key=(null)
-------------

Notice that the name="/bin/ls" is in the enforce mode log for both kernels, and in the complain mode log for kernel 4.3.5. It is missing from the complain mode kernel 3.13.

And another problem I found while failing to reproduce the above problem. This was with a profile made with aa-genprof on the bash executable (copied to ~/tmp/), without any more rules added. I could not reproduce this problem with the grsec kernel, so I'll just report them together.

-------------
# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
    log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
    self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
    raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode '
-------------

the problem line (requested_mask and denied_mask are blank):
-------------
type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
-------------

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apparmo

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1545776

Title:
  14.04 kernel does not log exec properly and aa-logprof fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1545776/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
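The report describes two log shapes that break profile generation: a complain-mode exec AVC record with `target=` but no `name=` (the 3.13 kernel), and an AVC record whose `requested_mask`/`denied_mask` are empty strings (what logparser.py rejects as "unknown mode "). The following checker is an added example, not part of the bug report and not code from the apparmor utilities: it parses audit AVC records into fields, flags both shapes, and produces a filtered copy of the log that can be handed to `aa-logprof -f <file>` to get past the crash. The field regex, the function names and the problem labels are this example's own assumptions; the sample input is constructed from the AVC lines quoted in the report.

```python
import re

# Constructed sample: AVC/SYSCALL records quoted in the bug report, one record per line
# (3.13 enforce exec, its SYSCALL record, 3.13 complain exec with no name=,
#  4.3.5 complain exec with name=, and the blank-mask "open" record).
SAMPLE_LOG = """\
type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
"""

# key=value pairs: the value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the audit event id sits inside msg=audit(<timestamp>:<serial>):
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_avc(line):
    """Parse one AppArmor type=AVC record into a dict (quoted values unquoted, serial as int).
    Returns None for other record types (SYSCALL, PROCTITLE, ...) and for non-AppArmor AVCs."""
    if not line.startswith("type=AVC "):
        return None
    m = EVENT_ID_RE.search(line)
    if m is None:
        return None
    ev = {"serial": int(m.group(2)), "timestamp": m.group(1)}
    for key, val in FIELD_RE.findall(line):
        if key in ("type", "msg"):
            continue
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        ev[key] = val
    return ev if "apparmor" in ev else None


def classify(ev):
    """Label the two record shapes from the report that stop aa-logprof from working."""
    problems = []
    # complain-mode exec on 3.13: target= is logged but the executed path (name=) is not,
    # so the profile generator has nothing to turn into an x rule
    if ev.get("operation") == "exec" and "name" not in ev:
        problems.append("exec-without-name")
    # requested_mask="" is what logparser.py rejects as 'unknown mode ' (see the traceback)
    if ev.get("requested_mask") == "" or ev.get("denied_mask") == "":
        problems.append("empty-mask")
    return problems


def scan(text):
    """Return (serial, operation, problems) for every AVC record with at least one problem."""
    hits = []
    for line in text.splitlines():
        ev = parse_avc(line)
        if ev is None:
            continue
        probs = classify(ev)
        if probs:
            hits.append((ev["serial"], ev.get("operation"), probs))
    return hits


def filter_for_logprof(text):
    """Drop the blank-mask records so the rest of the log can be fed to aa-logprof -f <file>.
    Records without name= are kept: this only works around the crash, it cannot recover the
    missing path, so the exec rules still have to be added by hand."""
    kept = []
    for line in text.splitlines():
        ev = parse_avc(line)
        if ev is not None and "empty-mask" in classify(ev):
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for serial, op, probs in scan(SAMPLE_LOG):
        print(f"audit serial {serial}: operation={op} problems={','.join(probs)}")
    print(f"{len(filter_for_logprof(SAMPLE_LOG))} of {len(SAMPLE_LOG.splitlines())} lines kept")
```

On a real system, read /var/log/audit/audit.log into `text`, write the lines returned by `filter_for_logprof` to a temporary file and run `aa-logprof -f` on that file; the serials reported by `scan` for `exec-without-name` tell you which exec events still need a manual rule.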