[apparmor] [PATCH] Adjust notify group name

Seth Arnold seth.arnold at gmail.com
Wed Apr 25 22:51:46 UTC 2012

On Wed, Apr 25, 2012 at 12:11 PM, Kees Cook <kees at ubuntu.com> wrote:
> But aa-notify runs as the user and read the log files directly... what
> am I misunderstanding?

aa-notify gains and drops privileges repeatedly when running:

    for (my $i=0; $time_to_die == 0; $i++) {
        if ($logfile_inode != get_logfile_inode($logfile)) {
            _warn("$logfile changed inodes, reopening");
        } elsif (get_logfile_size($logfile) < $logfile_size) {
            _warn("$logfile is smaller, reopening");

# ...

sub reopen_logfile {
    # reopen the logfile, temporarily switching back to starting euid for
    # file permissions.

    my $old_euid = raise_privileges();

    $logfile_inode = get_logfile_inode($logfile);
    $logfile_size = get_logfile_size($logfile);
    open (LOGFILE, "<$logfile") or die "Could not open '$logfile'\n";


Of course, the audit daemon and tools more or less enforcing mode 700 on
/var/log/audit and /var/log/audit/audit.log is a serious complicating
factor for this tool -- I personally would rather see an audispd-derived
daemon to send messages to dbus. (Not that I'm a huge fan of dbus, but it
exists for very nearly this purpose.)

More information about the AppArmor mailing list