[apparmor] issue with aa_change_profile when already in complain mode

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Tue Jul 17 18:26:09 UTC 2012


On Tue, Jul 17, 2012 at 7:32 PM, Seth Arnold <seth.arnold at gmail.com> wrote:

> I don't think "but nothing happens" is the entire story -- check your
> audit messages and you will see that the profile of your R executable _has_
> changed -- iirc, it'll append //null-1, //null-2, etc. to the existing
> profile name.
>

Below is the output from kern.log when switching to the non-existent profile
"doesnotexist":

jeroen at jeroen-Ubuntu:/etc/apparmor.d$ tail -n0 -f /var/log/kern.log
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046663] audit_printk_skb: 3
callbacks suppressed
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046666] type=1400
audit(1342549213.530:618): apparmor="ALLOWED" operation="open" parent=9716
profile="/usr/bin/R" name="/proc/17462/attr/current" pid=17462 comm="R"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046681] type=1400
audit(1342549213.530:619): apparmor="ALLOWED" operation="change_profile"
parent=9716 profile="/usr/bin/R" pid=17462 comm="R" target="doesnotexist"



> Complain mode is intended to be used with the automated tools when
> generating profiles. If the change profile permission is not yet in the
> profile, allowing the request and continuing as normal will then report the
> full behavior in the logs and the admin can later allow or deny and all the
> subsequent file accesses are then stored on the new or old profile as
> requested.
>

That is the behavior I was expecting. But instead it does *not* change into
the profile, although aa_change_profile says it did.



> What are you trying to do with R while in complain mode? Would it make
> sense to instead use the audit keyword in your R profile?
>

I was trying to debug some change_profile policies when I ran into
this odd behavior.
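The kern.log excerpt above is the kind of evidence an admin would scan for when reviewing a profile in complain mode: an apparmor="ALLOWED" record on operation="change_profile" means the transition was not in policy and only got through because of complain mode, and a target that is not a loaded profile cannot land anywhere useful. The following is an added example, not code from this thread or from the AppArmor project, that parses such lines and flags both conditions. The sample lines are constructed (the first three are modelled on the quoted excerpt, the fourth is an invented enforce-mode contrast line), and the set of known profiles is an assumption supplied by the caller rather than read from the running kernel.

```python
import re
from typing import Dict, List, Set

# Constructed sample kern.log lines, modelled on the excerpt quoted in this thread.
# The final DENIED line is invented for contrast: the same request under enforce mode.
SAMPLE_LOG = """\
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046663] audit_printk_skb: 3 callbacks suppressed
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046666] type=1400 audit(1342549213.530:618): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/17462/attr/current" pid=17462 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046681] type=1400 audit(1342549213.530:619): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=17462 comm="R" target="doesnotexist"
Jul 17 20:21:02 jeroen-Ubuntu kernel: [34480.000001] type=1400 audit(1342549262.100:620): apparmor="DENIED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=17470 comm="R" target="doesnotexist"
"""

# key="quoted value" or key=bareword, as AppArmor audit records are written
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_events(text: str) -> List[Dict[str, str]]:
    """Return one dict of key=value fields per line that carries an apparmor= field.

    Lines without it (e.g. the "callbacks suppressed" notice) are skipped.
    """
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        fields: Dict[str, str] = {}
        for m in FIELD_RE.finditer(line):
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        events.append(fields)
    return events


def flag_change_profile_gaps(events: List[Dict[str, str]],
                             known_profiles: Set[str]) -> List[Dict[str, object]]:
    """Report change_profile requests that current policy does not actually permit.

    apparmor="ALLOWED" (as opposed to "AUDIT") is how AppArmor logs a request that
    would have been refused under enforce mode but was let through by complain
    mode, so an ALLOWED change_profile marks a rule missing from the profile.
    A target that is not among the loaded profiles (assumed set, passed in by
    the caller) is reported separately, since that transition cannot land in a
    real profile whatever mode the caller is in.
    """
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("operation") != "change_profile":
            continue
        target = ev.get("target", "")
        reasons = []
        if ev.get("apparmor") == "ALLOWED":
            reasons.append("permitted only by complain mode (not in policy)")
        if target not in known_profiles:
            reasons.append("target is not a loaded profile")
        if reasons:
            findings.append({
                "pid": ev.get("pid"),
                "profile": ev.get("profile"),
                "target": target,
                "status": ev.get("apparmor"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Assumed: the only loaded profile on this host is the R profile.
    for f in flag_change_profile_gaps(parse_apparmor_events(SAMPLE_LOG), {"/usr/bin/R"}):
        print(f"pid {f['pid']}: {f['profile']} -> {f['target']} [{f['status']}]: "
              + "; ".join(f["reasons"]))
```

Run against a live system with something like `tail -n0 -f /var/log/kern.log | python3 -c ...` after swapping SAMPLE_LOG for stdin; the point of keeping the known-profile set explicit is that the log alone cannot tell you whether a target name exists, which is exactly the case in the thread.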