[apparmor] AppArmor.pm patch: add mknod and unlink support

Seth Arnold seth.arnold at gmail.com
Sun Oct 16 08:23:16 UTC 2011 

I found two errors when trying to profile the ntop daemon using the
aa-logprof tool. Using aa-logprof's LOGPROF_DEBUG facility, I found
the errors were in unhandled 'mknod' and 'unlink' messages:

parse_event: type=AVC msg=audit(1318750892.227:53683):
apparmor="ALLOWED" operation="mknod" parent=17894
profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
requested_mask="c" denied_mask="c" fsuid=122 ouid=122
$event = 'profile';
$VAR2 = '/usr/sbin/ntop';
$VAR3 = 'sdmode';
$VAR4 = 'PERMITTING';
$VAR5 = 'time';
$VAR6 = 1318750892;
$VAR7 = 'denied_mask';
$VAR8 = 32770;
$VAR9 = 'pid';
$VAR10 = 17947;
$VAR11 = 'operation';
$VAR12 = 'mknod';
$VAR13 = 'parent';
$VAR14 = 17894;
$VAR15 = 'name';
$VAR16 = '/tmp/ntop-gzip-1';
$VAR17 = 'request_mask';
$VAR18 = 32770;
UNHANDLED: %event = (
           'profile' => '/usr/sbin/ntop',
           'sdmode' => 'PERMITTING',
           'time' => 1318750892,
           'denied_mask' => 32770,
           'pid' => 17947,
           'operation' => 'mknod',
           'parent' => 17894,
           'name' => '/tmp/ntop-gzip-1',
           'request_mask' => 32770
         );


parse_event: type=AVC msg=audit(1318750892.227:53728):
apparmor="ALLOWED" operation="unlink" parent=17894
profile="/usr/sbin/ntop" name="/tmp/ntop-gzip-1" pid=17947 comm="ntop"
requested_mask="d" denied_mask="d" fsuid=122 ouid=122
$event = 'profile';
$VAR2 = '/usr/sbin/ntop';
$VAR3 = 'sdmode';
$VAR4 = 'PERMITTING';
$VAR5 = 'time';
$VAR6 = 1318750892;
$VAR7 = 'denied_mask';
$VAR8 = 32770;
$VAR9 = 'pid';
$VAR10 = 17947;
$VAR11 = 'operation';
$VAR12 = 'unlink';
$VAR13 = 'parent';
$VAR14 = 17894;
$VAR15 = 'name';
$VAR16 = '/tmp/ntop-gzip-1';
$VAR17 = 'request_mask';
$VAR18 = 32770;
UNHANDLED: %event = (
           'profile' => '/usr/sbin/ntop',
           'sdmode' => 'PERMITTING',
           'time' => 1318750892,
           'denied_mask' => 32770,
           'pid' => 17947,
           'operation' => 'unlink',
           'parent' => 17894,
           'name' => '/tmp/ntop-gzip-1',
           'request_mask' => 32770
         );


The following patch worked for the cases that were giving me trouble:

$ cat ~/tmp/apparmor-pm-add-mknod-unlink-support.patch
--- /tmp/AppArmor.pm	2011-10-16 01:05:24.000000000 -0700
+++ /usr/share/perl5/Immunix/AppArmor.pm	2011-10-16 01:18:17.000000000 -0700
@@ -2863,8 +2863,10 @@
     } elsif ($e->{operation} eq "open" ||
              $e->{operation} eq "truncate" ||
              $e->{operation} eq "mkdir" ||
+             $e->{operation} eq "mknod" ||
              $e->{operation} eq "rename_src" ||
-             $e->{operation} eq "rename_dest") {
+             $e->{operation} eq "rename_dest" ||
+             $e->{operation} eq "unlink") {
         add_to_tree( $e->{pid},
 		     $e->{parent},
                      "path",


I haven't tested it any further than using it while profiling ntop.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-pm-add-mknod-unlink-support.patch
Type: text/x-diff
Size: 613 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20111016/da7396cc/attachment.patch>

More information about the AppArmor mailing list