[apparmor] AppArmor.pm patch: add mknod and unlink support
Kees Cook
kees at ubuntu.com
Wed Nov 2 21:09:23 UTC 2011
Hi,
I never saw a reply to this. Did this get handled in a separate thread that I
missed, or are these changes still needed?
-Kees
On Sun, Oct 16, 2011 at 01:23:16AM -0700, Seth Arnold wrote:
> I found two errors when trying to profile the ntop daemon using the
> aa-logprof tool. Using aa-logprof's LOGPROF_DEBUG facility, I found
> the errors were in unhandled 'mknod' and 'unlink' messages:
>
> parse_event: type=AVC msg=audit(1318750892.227:53683):
> apparmor="ALLOWED" operation="mknod" parent=17894
> profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
> requested_mask="c" denied_mask="c" fsuid=122 ouid=122
> $event = 'profile';
> $VAR2 = '/usr/sbin/ntop';
> $VAR3 = 'sdmode';
> $VAR4 = 'PERMITTING';
> $VAR5 = 'time';
> $VAR6 = 1318750892;
> $VAR7 = 'denied_mask';
> $VAR8 = 32770;
> $VAR9 = 'pid';
> $VAR10 = 17947;
> $VAR11 = 'operation';
> $VAR12 = 'mknod';
> $VAR13 = 'parent';
> $VAR14 = 17894;
> $VAR15 = 'name';
> $VAR16 = '/tmp/ntop-gzip-1';
> $VAR17 = 'request_mask';
> $VAR18 = 32770;
> UNHANDLED: %event = (
> 'profile' => '/usr/sbin/ntop',
> 'sdmode' => 'PERMITTING',
> 'time' => 1318750892,
> 'denied_mask' => 32770,
> 'pid' => 17947,
> 'operation' => 'mknod',
> 'parent' => 17894,
> 'name' => '/tmp/ntop-gzip-1',
> 'request_mask' => 32770
> );
>
>
> parse_event: type=AVC msg=audit(1318750892.227:53728):
> apparmor="ALLOWED" operation="unlink" parent=17894
> profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
> requested_mask="d" denied_mask="d" fsuid=122 ouid=122
> $event = 'profile';
> $VAR2 = '/usr/sbin/ntop';
> $VAR3 = 'sdmode';
> $VAR4 = 'PERMITTING';
> $VAR5 = 'time';
> $VAR6 = 1318750892;
> $VAR7 = 'denied_mask';
> $VAR8 = 32770;
> $VAR9 = 'pid';
> $VAR10 = 17947;
> $VAR11 = 'operation';
> $VAR12 = 'unlink';
> $VAR13 = 'parent';
> $VAR14 = 17894;
> $VAR15 = 'name';
> $VAR16 = '/tmp/ntop-gzip-1';
> $VAR17 = 'request_mask';
> $VAR18 = 32770;
> UNHANDLED: %event = (
> 'profile' => '/usr/sbin/ntop',
> 'sdmode' => 'PERMITTING',
> 'time' => 1318750892,
> 'denied_mask' => 32770,
> 'pid' => 17947,
> 'operation' => 'unlink',
> 'parent' => 17894,
> 'name' => '/tmp/ntop-gzip-1',
> 'request_mask' => 32770
> );
>
>
> The following patch worked for the cases that were giving me trouble:
>
> $ cat ~/tmp/apparmor-pm-add-mknod-unlink-support.patch
> --- /tmp/AppArmor.pm 2011-10-16 01:05:24.000000000 -0700
> +++ /usr/share/perl5/Immunix/AppArmor.pm 2011-10-16 01:18:17.000000000 -0700
> @@ -2863,8 +2863,10 @@
> } elsif ($e->{operation} eq "open" ||
> $e->{operation} eq "truncate" ||
> $e->{operation} eq "mkdir" ||
> + $e->{operation} eq "mknod" ||
> $e->{operation} eq "rename_src" ||
> - $e->{operation} eq "rename_dest") {
> + $e->{operation} eq "rename_dest" ||
> + $e->{operation} eq "unlink") {
> add_to_tree( $e->{pid},
> $e->{parent},
> "path",
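Review bot: the two new arms send `mknod` and `unlink` events into `add_to_tree` as `"path"` entries, but nothing in this hunk changes how the mask letters are interpreted, and the debug output quoted above shows both `requested_mask="c"` and `requested_mask="d"` arriving as `'request_mask' => 32770`. Before relying on the rules aa-logprof proposes for these events, confirm that the mask translation further down distinguishes create from delete, and that the path branch reads the key under the name this parser actually stores (`request_mask` in the dumped hash, `requested_mask` on the log line). As a style point, the growing `||` chain on `$e->{operation}` would read better as a hash lookup, which would also make the next missing operation a one-line addition.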
>
>
> I haven't tested it any further than using it while profiling ntop.
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
--
Kees Cook
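The events Seth quotes are plain `key=value` audit records, and the UNHANDLED fallout comes from the operation name not being in aa-logprof's list of path operations. The Python below is an added illustration, not code from AppArmor.pm or from this thread: it parses such records into the same kind of event hash, then reports which events carry a file name but fall outside the path branch before and after the patch. The sample lines are constructed from the two quoted events plus one capability event; the `REJECTING` label for DENIED events and the mask-letter names are assumptions, not taken from the page.

```python
"""Parse AppArmor audit events and check them against aa-logprof's path branch.
Added illustration; not code from AppArmor.pm."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines, modelled on the events quoted in the thread.
SAMPLE_EVENTS = [
    'type=AVC msg=audit(1318750892.227:53683): apparmor="ALLOWED" operation="mknod" '
    'parent=17894 profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop" '
    'requested_mask="c" denied_mask="c" fsuid=122 ouid=122',
    'type=AVC msg=audit(1318750892.227:53728): apparmor="ALLOWED" operation="unlink" '
    'parent=17894 profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop" '
    'requested_mask="d" denied_mask="d" fsuid=122 ouid=122',
    # A non-path event (constructed): no name= field, handled by a different branch.
    'type=AVC msg=audit(1318750892.500:53800): apparmor="DENIED" operation="capable" '
    'pid=17947 comm="ntop" capability=12 capname="net_admin"',
]

# key="quoted value" or key=bare_token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg=audit(<seconds>.<millis>:<serial>):
AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\):')

# PERMITTING matches the quoted debug output; REJECTING for DENIED is an assumption.
SDMODE = {"ALLOWED": "PERMITTING", "DENIED": "REJECTING"}

# Operations the path branch recognised before the patch ...
PATH_OPS_BEFORE = frozenset({"open", "truncate", "mkdir", "rename_src", "rename_dest"})
# ... and after it (the patch adds mknod and unlink).
PATH_OPS_AFTER = PATH_OPS_BEFORE | {"mknod", "unlink"}

# Human names for mask letters (assumed; 'c' = create, 'd' = delete).
MASK_NAMES = {"r": "read", "w": "write", "a": "append", "x": "execute",
              "m": "mmap", "k": "lock", "l": "link", "c": "create", "d": "delete"}


def parse_event(line: str) -> Dict[str, object]:
    """Turn one audit line into an event dict with the fields aa-logprof keeps."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    event: Dict[str, object] = {
        "profile": fields.get("profile"),
        "sdmode": SDMODE.get(fields.get("apparmor", ""), "UNKNOWN"),
        "operation": fields.get("operation"),
        "name": fields.get("name"),
        "requested_mask": fields.get("requested_mask"),
        "denied_mask": fields.get("denied_mask"),
    }
    for key in ("pid", "parent"):
        if key in fields:
            event[key] = int(fields[key])
    am = AUDIT_RE.match(fields.get("msg", ""))
    if am:
        event["time"] = int(am.group(1))
        event["serial"] = int(am.group(2))
    return event


def classify(event: Dict[str, object], path_ops: Iterable[str]) -> Optional[str]:
    """'path' when the path branch would take the event, None otherwise."""
    if event.get("operation") in path_ops and event.get("name"):
        return "path"
    return None


def unhandled_path_ops(lines: Iterable[str], path_ops: Iterable[str]) -> List[str]:
    """Operations of events that name a file but the path branch does not recognise.

    These are the events aa-logprof would print as UNHANDLED."""
    return [str(ev["operation"]) for ev in map(parse_event, lines)
            if ev.get("name") and classify(ev, path_ops) is None]


def mask_names(mask: str) -> List[str]:
    """Expand a mask string such as 'c' or 'rw' into readable permission names."""
    return [MASK_NAMES.get(ch, "?" + ch) for ch in mask]


if __name__ == "__main__":
    print("unhandled before patch:", unhandled_path_ops(SAMPLE_EVENTS, PATH_OPS_BEFORE))
    print("unhandled after patch: ", unhandled_path_ops(SAMPLE_EVENTS, PATH_OPS_AFTER))
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["operation"], ev.get("name"), mask_names(str(ev.get("requested_mask") or "")))
```

Run as-is, the before-patch list contains `mknod` and `unlink`, the after-patch list is empty, and the capability event never appears because it carries no `name=` field; that is the same split the UNHANDLED output in the thread shows, and the check is cheap to rerun whenever a new operation name turns up in a profiling log.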