[apparmor] [PATCH] disable printk ratelimit during genprof

John Johansen john.johansen at canonical.com
Thu Aug 18 22:07:25 UTC 2011


On 08/18/2011 03:02 PM, Kees Cook wrote:
> The printk ratelimit needs to be disabled when running genprof via
> syslog, otherwise audit events will get dropped.
> 
> === modified file 'utils/aa-genprof'
> --- utils/aa-genprof	2011-07-18 14:34:49 +0000
> +++ utils/aa-genprof	2011-08-18 21:36:09 +0000
> @@ -28,6 +28,26 @@
>  use Locale::gettext;
>  use POSIX;
>  
> +sub sysctl_read($) {
> +    my $path = shift;
> +    my $value = undef;
> +    if (open(SYSCTL, "<$path")) {
> +        $value = int(<SYSCTL>);
> +    }
> +    close(SYSCTL);
> +    return $value;
> +}
> +
> +sub sysctl_write($$) {
> +    my $path = shift;
> +    my $value = shift;
> +    return if (!defined($value));
> +    if (open(SYSCTL, ">$path")) {
> +        print SYSCTL $value;
> +        close(SYSCTl);
> +    }
> +}
> +
>  # force $PATH to be sane
>  $ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin";
>  
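Review bot: `close(SYSCTl);` in sysctl_write misspells the handle (lowercase l), so the real SYSCTL handle is never closed there and the buffered `print SYSCTL $value` is not flushed to /proc/sys until SYSCTL is implicitly closed by the next open() on the same handle or at interpreter exit. With the callers added later in this patch, the 0 from the initial sysctl_write only reaches the kernel when the END block reopens SYSCTL to restore the saved value, so the ratelimit is effectively never disabled while genprof is running. Fix the typo (`close(SYSCTL);`) and consider checking the return of print/close and warning on failure so an unwritable sysctl is not silently ignored. Minor: sysctl_read calls close(SYSCTL) even when open failed; harmless, but moving it inside the if would match sysctl_write.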
> @@ -109,6 +129,15 @@
>      reload($fqdbin);
>  }
>  
> +# When reading from syslog, it is possible to hit the default kernel
> +# printk ratelimit. This will result in audit entries getting skipped,
> +# making profile generation inaccurate. When using genprof, disable
> +# the printk ratelimit, and restore it on exit.
> +my $ratelimit_sysctl = "/proc/sys/kernel/printk_ratelimit";
> +my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
> +END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
> +sysctl_write($ratelimit_sysctl, 0);
> +
>  UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
>  
>  UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events.  \n\nFor each AppArmor event, you will be given the  \nopportunity to choose whether the access should be  \nallowed or denied."));
> 
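Review bot: the END block restores printk_ratelimit only on a normal exit or die; Perl does not run END blocks when the process is killed by an uncaught signal, so a Ctrl-C (SIGINT) or SIGTERM during the interactive scan leaves the ratelimit at 0 system-wide until someone writes it back. Install handlers before the `sysctl_write($ratelimit_sysctl, 0);` call, e.g. `$SIG{INT} = $SIG{TERM} = sub { exit 1 };`, so END still runs and the saved value is restored. Also, the comment says the problem occurs "when reading from syslog", but the write is unconditional; if genprof knows it is reading from auditd rather than syslog, limiting the change to the syslog path would avoid touching a global kernel setting needlessly.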
Acked-by: John Johansen <john.johansen at canonical.com>