[apparmor] debugging aa_change_profile
john.johansen at canonical.com
Fri Apr 27 09:55:34 UTC 2012
On 04/27/2012 12:16 AM, Jeroen Ooms wrote:
> Hi Steve,
>> As John said, aa_change_hat() merely requires the same value to
>> be passed in, not a pointer to the same memory location. Looking
>> at the git tree, you're once again hitting a type mis-match:
>> aa_change_hat_wrapper() and aa_revert_hat_wrapper() take a pointer
>> to an unsigned long (unsigned long*) as argument but then pass that
>> _pointer_ when calling aa_change_hat().
> Thanks a lot for catching this. By now it should be obvious that my
> experience with C is close to your experience with R. The pointers are
> everything is a reference, or in R where everything is a value (no
> references at all). Either way, once my Ubuntu upgrade is done (only 3
> hours remaining) I am going to apply your patch and see if I can get
> things to work.
>> For your test profile, I added the following audit qualifiers so that I
>> knew when things were getting rejected:
> Ah cool I wasn't aware of this feature. Prefixing a line with audit
> will do some additional logging?
Yes. It causes a rule match to be audited, in addition to granting permission:
/file r, # grant r perm, does not audit
audit /file r, # grant r perm and log a message to audit
The audit qualifier is applied at the permission level, so you can do things like:
/etc/shadow r, # don't audit read access
audit /etc/shadow w, # but record write access
It is important to note that this is done at the permission request level
(file open), instead of at the actual read/write level.
So requesting a file be opened for rw will trigger the audit, even if a write
is never done.
More information about the AppArmor