[apparmor] [PATCH] disable printk ratelimit during genprof

Thu Aug 18 22:16:06 UTC 2011

On 08/18/2011 03:10 PM, Seth Arnold wrote:
> Are you sure you want this? Before we rate limited printk messages, we _frequently_ wrapped the dmesg buffer with printk output, which caused many completely bogus filename accesses to be recorded, mention domains that never exist, and would completely miss too many domain transitions and execs, leading to nearly unreadable mess.
> 
> Rate limiting loses messages, but at least it respects message boundaries, and exec and domain transition messages are less likely to be lost amid huge piles of file accesses.
> 
> Test this under heavy load, as heavy as you can get, before going ahead with it.

Actually yes, the wrap usually resulted in messages we could throw away.  The currently rate limiting just about completely breaks genprof.  You could get away with just raising the rate limit but to what value.  I look at this as a temporary solution until we get complain mode messages taking a different path that can be manually throttled by genprof in userspace.

> -----Original Message-----
> From: Kees Cook <kees at ubuntu.com>
> Sender: apparmor-bounces at lists.ubuntu.com
> Date: Thu, 18 Aug 2011 15:02:49 
> To: <apparmor at lists.ubuntu.com>
> Subject: [apparmor] [PATCH] disable printk ratelimit during genprof
> 
> The printk ratelimit needs to be disabled when running genprof via
> syslog, otherwise audit events will get dropped.
> 
> === modified file 'utils/aa-genprof'
> --- utils/aa-genprof	2011-07-18 14:34:49 +0000
> +++ utils/aa-genprof	2011-08-18 21:36:09 +0000
> @@ -28,6 +28,26 @@
>  use Locale::gettext;
>  use POSIX;
>  
> +sub sysctl_read($) {
> +    my $path = shift;
> +    my $value = undef;
> +    if (open(SYSCTL, "<$path")) {
> +        $value = int(<SYSCTL>);
> +    }
> +    close(SYSCTL);
> +    return $value;
> +}
> +
> +sub sysctl_write($$) {
> +    my $path = shift;
> +    my $value = shift;
> +    return if (!defined($value));
> +    if (open(SYSCTL, ">$path")) {
> +        print SYSCTL $value;
> +        close(SYSCTl);
> +    }
> +}
> +
>  # force $PATH to be sane
>  $ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin";
>  
> @@ -109,6 +129,15 @@
>      reload($fqdbin);
>  }
>  
> +# When reading from syslog, it is possible to hit the default kernel
> +# printk ratelimit. This will result in audit entries getting skipped,
> +# making profile generation inaccurate. When using genprof, disable
> +# the printk ratelimit, and restore it on exit.
> +my $ratelimit_sysctl = "/proc/sys/kernel/printk_ratelimit";
> +my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
> +END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
> +sysctl_write($ratelimit_sysctl, 0);
> +
>  UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
>  
>  UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events.  \n\nFor each AppArmor event, you will be given the  \nopportunity to choose whether the access should be  \nallowed or denied."));
> 
> 