[apparmor] [PATCH] disable printk ratelimit during genprof
John Johansen
john.johansen at canonical.com
Thu Aug 18 22:07:25 UTC 2011
On 08/18/2011 03:02 PM, Kees Cook wrote:
> The printk ratelimit needs to be disabled when running genprof via
> syslog, otherwise audit events will get dropped.
>
> === modified file 'utils/aa-genprof'
> --- utils/aa-genprof 2011-07-18 14:34:49 +0000
> +++ utils/aa-genprof 2011-08-18 21:36:09 +0000
> @@ -28,6 +28,26 @@
> use Locale::gettext;
> use POSIX;
>
> +sub sysctl_read($) {
> + my $path = shift;
> + my $value = undef;
> + if (open(SYSCTL, "<$path")) {
> + $value = int(<SYSCTL>);
> + }
> + close(SYSCTL);
> + return $value;
> +}
> +
> +sub sysctl_write($$) {
> + my $path = shift;
> + my $value = shift;
> + return if (!defined($value));
> + if (open(SYSCTL, ">$path")) {
> + print SYSCTL $value;
> + close(SYSCTl);
> + }
> +}
> +
> # force $PATH to be sane
> $ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin";
>
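Review bot: `close(SYSCTl)` in sysctl_write uses a lowercase `l`, so it names a different bareword filehandle than the `SYSCTL` opened two lines above; the sysctl file is never explicitly closed and the typo is easy to miss at a glance. It should be `close(SYSCTL);`. In sysctl_read the `close(SYSCTL)` sits outside the `if (open(...))` block, so it runs on an unopened handle when the open fails; moving it inside the block (or using a lexical handle such as `open(my $fh, "<", $path)` in both helpers) avoids both problems. Neither helper reports a failed open or write, so running as an unprivileged user will leave the ratelimit untouched without any indication; a `warn` in the failure path would help.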
> @@ -109,6 +129,15 @@
> reload($fqdbin);
> }
>
> +# When reading from syslog, it is possible to hit the default kernel
> +# printk ratelimit. This will result in audit entries getting skipped,
> +# making profile generation inaccurate. When using genprof, disable
> +# the printk ratelimit, and restore it on exit.
> +my $ratelimit_sysctl = "/proc/sys/kernel/printk_ratelimit";
> +my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
> +END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
> +sysctl_write($ratelimit_sysctl, 0);
> +
> UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
>
> UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
>
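Review bot: the END block restores the saved ratelimit on normal exit, but END blocks do not run when the process is terminated by an uncaught signal, so a Ctrl-C during the scan would leave printk_ratelimit at 0 system-wide until reboot or manual reset. Installing `$SIG{INT}` and `$SIG{TERM}` handlers that call `exit` (so END runs) would close that gap. Also, if sysctl_read returned undef (file unreadable), sysctl_write skips the restore, which is the right choice here; it may be worth a comment noting that is intentional.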
Acked-by: John Johansen <john.johansen at canonical.com>