[apparmor] [PATCH] disable printk ratelimit during genprof
Kees Cook
kees at ubuntu.com
Thu Aug 18 22:02:49 UTC 2011
The printk ratelimit needs to be disabled when running genprof via
syslog, otherwise audit events will get dropped.
=== modified file 'utils/aa-genprof'
--- utils/aa-genprof 2011-07-18 14:34:49 +0000
+++ utils/aa-genprof 2011-08-18 21:36:09 +0000
@@ -28,6 +28,26 @@
use Locale::gettext;
use POSIX;
+sub sysctl_read($) {
+ my $path = shift;
+ my $value = undef;
+ if (open(SYSCTL, "<$path")) {
+ $value = int(<SYSCTL>);
+ }
+ close(SYSCTL);
+ return $value;
+}
+
+sub sysctl_write($$) {
+ my $path = shift;
+ my $value = shift;
+ return if (!defined($value));
+ if (open(SYSCTL, ">$path")) {
+ print SYSCTL $value;
+ close(SYSCTl);
+ }
+}
+
# force $PATH to be sane
$ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin";
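Review bot: `close(SYSCTl);` in sysctl_write (lower-case `l`) names a filehandle that was never opened, so the handle actually used for the write, SYSCTL, stays open until the next open() or program exit; it should read `close(SYSCTL);`. Using lexical three-argument opens here (`open(my $fh, '<', $path)` / `open(my $fh, '>', $path)`) would let `use strict` catch this kind of mismatched name. Two smaller points in the same hunk: sysctl_read calls close(SYSCTL) even when the open failed, so the close belongs inside the if, and sysctl_write ignores the result of print and close, so a failed write (e.g. when not running as root) is invisible to the caller; checking those return values and warning would make it clear that the ratelimit was not actually changed.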
@@ -109,6 +129,15 @@
reload($fqdbin);
}
+# When reading from syslog, it is possible to hit the default kernel
+# printk ratelimit. This will result in audit entries getting skipped,
+# making profile generation inaccurate. When using genprof, disable
+# the printk ratelimit, and restore it on exit.
+my $ratelimit_sysctl = "/proc/sys/kernel/printk_ratelimit";
+my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
+END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
+sysctl_write($ratelimit_sysctl, 0);
+
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
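Review bot: the END block that restores the saved value only runs on a normal exit; if aa-genprof is killed by SIGINT or SIGTERM with no handler installed, Perl terminates without running END, and the system is left with printk_ratelimit at 0 (rate limiting disabled) until something sets it back. Installing `$SIG{INT} = $SIG{TERM} = sub { exit 1 };` before `sysctl_write($ratelimit_sysctl, 0);` makes the restore path run in those cases too. Also, the comment scopes the problem to reading from syslog, but the sysctl is cleared unconditionally; the write could be limited to the syslog path so the kernel setting is not touched when it is not needed. Finally, because sysctl_write fails silently, a non-root run proceeds as if the limit were off even though the write never happened.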
--
Kees Cook
Ubuntu Security Team