[apparmor] debugging aa_change_profile

John Johansen john.johansen at canonical.com
Fri Apr 27 09:55:34 UTC 2012

On 04/27/2012 12:16 AM, Jeroen Ooms wrote:
> Hi Steve,
>> As John said, aa_change_hat() merely requires the same value to
>> be passed in, not a pointer to the same memory location. Looking
>> at the git tree, you're once again hitting a type mis-match:
>> aa_change_hat_wrapper() and aa_revert_hat_wrapper() take a pointer
>> to an unsigned long (unsigned long*) as argument but then pass that
>> _pointer_ when calling aa_change_hat().
> Thanks a lot for catching this. By now it should be obvious that my
> experience with C is close to your experience with R. The pointers are
> still confusing me. I am used to programming in Java/Javascript where
> everything is a reference, or in R where everything is a value (no
> references at all). Either way, once my Ubuntu upgrade is done (only 3
> hours remaining) I am going to apply your patch and see if I can get
> things to work.
>> For your test profile, I added the following audit qualifiers so that I
>> knew when things were getting rejected:
> Ah cool I wasn't aware of this feature. Prefixing a line with audit
> will do some additional logging?
Yes. It causes a rule match to be audited (a message is logged), in addition to granting the permission:

  /file r,   # grant r perm, does not audit

  audit /file r,  # grant r perm and log a message to audit

The audit qualifier is applied at the permission level, so you can do things like
  /etc/shadow r,   # don't audit read access
  audit /etc/shadow w,   # but record write access

It is important to note that this is done at the level of the permission request
(the file open), not at the level of the actual read/write calls.

So requesting a file be opened for rw will trigger the audit, even if a write
is never done.
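A small model of the behaviour John describes, added here as an illustration and not taken from AppArmor's own code: the `audit` qualifier attaches to individual permissions, and the check happens once, at open(), against the whole requested mask. Real AppArmor also logs denials on its own (unless the rule is a quiet deny); this toy only tracks what the `audit` qualifier adds, and the rule syntax it parses is limited to the `audit? <path> <perms>,` lines used in the post.

```python
"""Toy model of AppArmor's `audit` qualifier (added example, not AppArmor code).

Models the two rules from the post:

    /etc/shadow r,          # allow read, do not audit
    audit /etc/shadow w,    # allow write, and audit it

and evaluates a request where AppArmor evaluates it: at open(), with the
full requested mask, not at each later read()/write() call.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    path: str
    perms: frozenset        # e.g. frozenset("r") or frozenset("w")
    audit: bool = False     # True when the line carries the `audit` qualifier


@dataclass
class Decision:
    allowed: bool           # every requested permission is granted by some rule
    audited: bool           # at least one requested permission is audited
    denied: frozenset       # requested permissions no rule grants


def parse_rule(line: str) -> Rule:
    """Parse a simplified 'audit? <path> <perms>,' profile line (comments allowed)."""
    body = line.split("#", 1)[0].strip().rstrip(",").strip()
    parts = body.split()
    audit = parts[0] == "audit"
    if audit:
        parts = parts[1:]
    path, perms = parts
    return Rule(path, frozenset(perms), audit)


def evaluate_open(rules, path: str, requested: str) -> Decision:
    """Decide an open() of `path` with the requested mask, e.g. "r" or "rw".

    The audit decision is made here, on the requested mask, so an open for
    "rw" is audited by `audit /etc/shadow w,` even if no write ever follows.
    """
    req = frozenset(requested)
    granted, audited = set(), set()
    for rule in rules:
        if rule.path == path:
            granted |= rule.perms
            if rule.audit:
                audited |= rule.perms
    denied = req - granted
    return Decision(allowed=not denied,
                    audited=bool(req & audited),
                    denied=frozenset(denied))


# Constructed profile fragment, taken from the rules quoted in the post.
PROFILE = [
    parse_rule("/etc/shadow r,   # don't audit read access"),
    parse_rule("audit /etc/shadow w,   # but record write access"),
]

if __name__ == "__main__":
    for mask in ("r", "rw", "w", "x"):
        print(mask, evaluate_open(PROFILE, "/etc/shadow", mask))
```

Running it shows an open for "r" allowed and silent, an open for "rw" allowed and audited (the write permission was requested, whether or not it is used), and an open for "x" denied.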
