[apparmor] AppArmor.pm patch: add mknod and unlink support
John Johansen
john.johansen at canonical.com
Thu Nov 3 01:57:42 UTC 2011
On 11/02/2011 05:13 PM, Seth Arnold wrote:
> These changes are still needed.
>
Really, I could have sworn I acked them. I remember reviewing them.
But the mail seems to be missing from the list.
Acked-by: John Johansen <john.johansen at canonical.com>
> Thanks
> -----Original Message-----
> From: Kees Cook <kees at ubuntu.com>
> Date: Wed, 2 Nov 2011 14:09:23
> To: Seth Arnold<seth.arnold at gmail.com>
> Cc: apparmor<apparmor at lists.ubuntu.com>
> Subject: Re: [apparmor] AppArmor.pm patch: add mknod and unlink support
>
> Hi,
>
> I never saw a reply to this. Did this get handled in a separate thread that I
> missed, or are these changes still needed?
>
> -Kees
>
> On Sun, Oct 16, 2011 at 01:23:16AM -0700, Seth Arnold wrote:
>> I found two errors when trying to profile the ntop daemon using the
>> aa-logprof tool. Using aa-logprof's LOGPROF_DEBUG facility, I found
>> the errors were in unhandled 'mknod' and 'unlink' messages:
>>
>> parse_event: type=AVC msg=audit(1318750892.227:53683):
>> apparmor="ALLOWED" operation="mknod" parent=17894
>> profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
>> requested_mask="c" denied_mask="c" fsuid=122 ouid=122
>> $event = 'profile';
>> $VAR2 = '/usr/sbin/ntop';
>> $VAR3 = 'sdmode';
>> $VAR4 = 'PERMITTING';
>> $VAR5 = 'time';
>> $VAR6 = 1318750892;
>> $VAR7 = 'denied_mask';
>> $VAR8 = 32770;
>> $VAR9 = 'pid';
>> $VAR10 = 17947;
>> $VAR11 = 'operation';
>> $VAR12 = 'mknod';
>> $VAR13 = 'parent';
>> $VAR14 = 17894;
>> $VAR15 = 'name';
>> $VAR16 = '/tmp/ntop-gzip-1';
>> $VAR17 = 'request_mask';
>> $VAR18 = 32770;
>> UNHANDLED: %event = (
>> 'profile' => '/usr/sbin/ntop',
>> 'sdmode' => 'PERMITTING',
>> 'time' => 1318750892,
>> 'denied_mask' => 32770,
>> 'pid' => 17947,
>> 'operation' => 'mknod',
>> 'parent' => 17894,
>> 'name' => '/tmp/ntop-gzip-1',
>> 'request_mask' => 32770
>> );
>>
>>
>> parse_event: type=AVC msg=audit(1318750892.227:53728):
>> apparmor="ALLOWED" operation="unlink" parent=17894
>> profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
>> requested_mask="d" denied_mask="d" fsuid=122 ouid=122
>> $event = 'profile';
>> $VAR2 = '/usr/sbin/ntop';
>> $VAR3 = 'sdmode';
>> $VAR4 = 'PERMITTING';
>> $VAR5 = 'time';
>> $VAR6 = 1318750892;
>> $VAR7 = 'denied_mask';
>> $VAR8 = 32770;
>> $VAR9 = 'pid';
>> $VAR10 = 17947;
>> $VAR11 = 'operation';
>> $VAR12 = 'unlink';
>> $VAR13 = 'parent';
>> $VAR14 = 17894;
>> $VAR15 = 'name';
>> $VAR16 = '/tmp/ntop-gzip-1';
>> $VAR17 = 'request_mask';
>> $VAR18 = 32770;
>> UNHANDLED: %event = (
>> 'profile' => '/usr/sbin/ntop',
>> 'sdmode' => 'PERMITTING',
>> 'time' => 1318750892,
>> 'denied_mask' => 32770,
>> 'pid' => 17947,
>> 'operation' => 'unlink',
>> 'parent' => 17894,
>> 'name' => '/tmp/ntop-gzip-1',
>> 'request_mask' => 32770
>> );
>>
>>
>> The following patch worked for the cases that were giving me trouble:
>>
>> $ cat ~/tmp/apparmor-pm-add-mknod-unlink-support.patch
>> --- /tmp/AppArmor.pm 2011-10-16 01:05:24.000000000 -0700
>> +++ /usr/share/perl5/Immunix/AppArmor.pm 2011-10-16 01:18:17.000000000 -0700
>> @@ -2863,8 +2863,10 @@
>> } elsif ($e->{operation} eq "open" ||
>> $e->{operation} eq "truncate" ||
>> $e->{operation} eq "mkdir" ||
>> + $e->{operation} eq "mknod" ||
>> $e->{operation} eq "rename_src" ||
>> - $e->{operation} eq "rename_dest") {
>> + $e->{operation} eq "rename_dest" ||
>> + $e->{operation} eq "unlink") {
>> add_to_tree( $e->{pid},
>> $e->{parent},
>> "path",
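Review bot: the hunk only appends the two operation names to the dispatch chain, and the LOGPROF_DEBUG dumps above show these events carry requested_mask "c" (mknod) and "d" (unlink); nothing in the hunk shows how the "path" branch of add_to_tree handles those create/delete letters when it builds a rule, so that should be confirmed beyond the single ntop run the submitter describes. Two smaller points: the growing run of string comparisons would read better as one lookup, e.g. `my %path_ops = map { $_ => 1 } qw(open truncate mkdir mknod rename_src rename_dest unlink);` followed by `} elsif ($path_ops{$e->{operation}}) {`; and the headers are against /tmp/AppArmor.pm and the installed /usr/share/perl5/Immunix/AppArmor.pm rather than the source tree, so the patch will need regenerating before it applies cleanly.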
>>
>>
>> I haven't tested it any further than using it while profiling ntop.
>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>
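A small Python reproduction of the failure and the fix, added here and not part of the thread or of AppArmor.pm: it parses AVC lines like the two dumped above and routes them through the operation set before and after the patch, so the two events that came out as UNHANDLED are the ones that now reach the path handler. The third sample line (an "open" event) is constructed, and the ALLOWED-to-PERMITTING mapping mirrors the dumps above.

```python
import re

# Operations the elsif chain in AppArmor.pm routed to add_to_tree(..., "path", ...)
# before the patch, and the same set with the two operations the patch adds.
PATH_OPS_BEFORE = frozenset({"open", "truncate", "mkdir", "rename_src", "rename_dest"})
PATH_OPS_AFTER = PATH_OPS_BEFORE | {"mknod", "unlink"}

# Constructed sample: the two lines from the parse_event dumps above, plus an
# "open" line (field values assumed) that the old chain already handled.
SAMPLE_LOG = """\
type=AVC msg=audit(1318750892.227:53683): apparmor="ALLOWED" operation="mknod" parent=17894 profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
type=AVC msg=audit(1318750892.227:53728): apparmor="ALLOWED" operation="unlink" parent=17894 profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop" requested_mask="d" denied_mask="d" fsuid=122 ouid=122
type=AVC msg=audit(1318750892.227:53729): apparmor="ALLOWED" operation="open" parent=17894 profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop" requested_mask="r" denied_mask="r" fsuid=122 ouid=122
"""

# key=value pairs, quoted or bare, and the audit(<secs>.<usecs>:<serial>) stamp in msg=
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:\d+\)')

def parse_event(line):
    """Split one AVC line into a dict resembling logprof's %event hash."""
    ev = {}
    for key, quoted, bare in KV_RE.findall(line):
        ev[key] = bare if bare else quoted  # bare is '' only when the quoted form matched
    stamp = AUDIT_RE.search(ev.get("msg", ""))
    if stamp:
        ev["time"] = int(stamp.group(1))
    for key in ("pid", "parent", "fsuid", "ouid"):
        if key in ev:
            ev[key] = int(ev[key])
    # ALLOWED means the profile was in complain mode, which logprof calls PERMITTING
    ev["sdmode"] = "PERMITTING" if ev.get("apparmor") == "ALLOWED" else "REJECTING"
    return ev

def route(ev, path_ops):
    """Mirror the elsif chain: path ops reach the 'path' tree; the rest are UNHANDLED."""
    if ev.get("operation") in path_ops:
        return ("path", ev["profile"], ev["name"], ev["requested_mask"], ev["denied_mask"])
    return ("UNHANDLED", ev.get("operation"))

def summarize(log, path_ops):
    """Count events reaching the path handler vs. falling through, for one op set."""
    counts = {"path": 0, "UNHANDLED": 0}
    for line in log.splitlines():
        if line.strip():
            counts[route(parse_event(line), path_ops)[0]] += 1
    return counts
```

Calling `summarize(SAMPLE_LOG, PATH_OPS_BEFORE)` reports two UNHANDLED events and `summarize(SAMPLE_LOG, PATH_OPS_AFTER)` none, which is exactly the change the patch makes to aa-logprof's behaviour.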