[apparmor] [PATCH] disable printk ratelimit during genprof
Seth Arnold
seth.arnold at gmail.com
Thu Aug 18 22:10:33 UTC 2011
Are you sure you want this? Before we rate-limited printk messages, we _frequently_ wrapped the dmesg buffer with printk output, which caused many completely bogus filename accesses to be recorded, mentioned domains that never existed, and completely missed too many domain transitions and execs, leading to a nearly unreadable mess.
Rate limiting loses messages, but at least it respects message boundaries, and exec and domain transition messages are less likely to be lost amid huge piles of file accesses.
Test this under heavy load, as heavy as you can get, before going ahead with it.
-----Original Message-----
From: Kees Cook <kees at ubuntu.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 18 Aug 2011 15:02:49
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH] disable printk ratelimit during genprof
The printk ratelimit needs to be disabled when running genprof via
syslog, otherwise audit events will get dropped.
=== modified file 'utils/aa-genprof'
--- utils/aa-genprof 2011-07-18 14:34:49 +0000
+++ utils/aa-genprof 2011-08-18 21:36:09 +0000
@@ -28,6 +28,26 @@
use Locale::gettext;
use POSIX;
+sub sysctl_read($) {
+ my $path = shift;
+ my $value = undef;
+ if (open(SYSCTL, "<$path")) {
+ $value = int(<SYSCTL>);
+ }
+ close(SYSCTL);
+ return $value;
+}
+
+sub sysctl_write($$) {
+ my $path = shift;
+ my $value = shift;
+ return if (!defined($value));
+ if (open(SYSCTL, ">$path")) {
+ print SYSCTL $value;
+ close(SYSCTl);
+ }
+}
+
# force $PATH to be sane
$ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin";
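Review bot: `close(SYSCTl)` in sysctl_write is a typo for `SYSCTL`, and because bareword filehandles are not checked by `use strict` it silently closes nothing, so the real handle stays open with the printed value still in its buffer; the `0` is only flushed when SYSCTL is next reopened (the restore in the END block) or at global destruction, which means the ratelimit is effectively never disabled during the session and is written just before it is restored. Use a lexical handle and check the write, e.g. `open(my $fh, '>', $path) or return; print $fh $value; close($fh) or warn "...";`, so a failed write (for instance when not running as root) is reported instead of ignored. In sysctl_read, `close(SYSCTL)` is called even when the open failed, and `int(<SYSCTL>)` warns on an empty read under `use warnings`; returning early when open fails avoids both.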
@@ -109,6 +129,15 @@
reload($fqdbin);
}
+# When reading from syslog, it is possible to hit the default kernel
+# printk ratelimit. This will result in audit entries getting skipped,
+# making profile generation inaccurate. When using genprof, disable
+# the printk ratelimit, and restore it on exit.
+my $ratelimit_sysctl = "/proc/sys/kernel/printk_ratelimit";
+my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
+END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
+sysctl_write($ratelimit_sysctl, 0);
+
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
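Review bot: the restore in the END block runs on normal exit and on die, but Perl does not run END blocks when the process is killed by a signal, and an interrupted genprof session (Ctrl-C) is the common case, so printk_ratelimit would be left at 0 system-wide. Installing handlers that turn the signal into an exit, e.g. `$SIG{INT} = $SIG{TERM} = sub { exit 1 };`, makes END run. Also, when sysctl_read fails (not root, or /proc/sys unavailable) $ratelimit_saved is undef, so the restore becomes a no-op while the write of 0 is still attempted; skip disabling the ratelimit when the current value cannot be read. Finally, the comment should say that printk_ratelimit is a global kernel knob affecting every printk caller, not only audit, since that is the trade-off raised in the reply.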
--
Kees Cook
Ubuntu Security Team