[apparmor] issue with aa_change_profile when already in complain mode
John Johansen
john.johansen at canonical.com
Tue Jul 17 19:10:26 UTC 2012
On 07/17/2012 11:26 AM, Jeroen Ooms wrote:
> On Tue, Jul 17, 2012 at 7:32 PM, Seth Arnold <seth.arnold at gmail.com> wrote:
>
> I don't think "but nothing happens" is the entire story -- check your audit messages and you will see that the profile of your R executable _has_ changed -- iirc, it'll append //null-1, //null-2, etc. to the existing profile name.
>
>
> Below output from kern.log when switching to non-existing profile "doesnotexist":
>
> jeroen at jeroen-Ubuntu:/etc/apparmor.d$ tail -n0 -f /var/log/kern.log
> Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046663] audit_printk_skb: 3 callbacks suppressed
> Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046666] type=1400 audit(1342549213.530:618): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/17462/attr/current" pid=17462 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
> Jul 17 20:20:13 jeroen-Ubuntu kernel: [34431.046681] type=1400 audit(1342549213.530:619): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=17462 comm="R" target="doesnotexist"
>
>
The logs look correct; it will record that change_profile was targeting
doesnotexist even if a learning profile is being created. I don't see any
failures/errors reported in the log, so AppArmor thinks it completed the
transition correctly.
I need to see more log messages to know what is happening.
One question that comes to mind is which change_profile API are you using?
int aa_change_profile(const char *profile);
OR
int aa_change_onexec(const char *profile);
The first one should take effect immediately; the second one is delayed
until an exec happens.
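Added example, not code from this thread or from libapparmor: this C program issues the same "changeprofile <name>" write to /proc/self/attr/current that aa_change_profile() makes, then reads the label back and flags a //null-N learning profile, which is where the transition above lands under complain mode rather than in "doesnotexist". It assumes Linux with /proc and a kernel that reports labels as "<profile> (<mode>)"; the struct and helper names are my own.

```c
/* Assumed label format: "/usr/bin/R//null-1 (complain)\n" for a confined task,
 * "unconfined\n" otherwise.  Target name "doesnotexist" is the one in the thread. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct aa_label { char profile[256]; char mode[32]; };

/* Split "<profile> (<mode>)" into its parts; -1 if the text has no "(mode)". */
int parse_label(const char *raw, struct aa_label *out)
{
    const char *lp = strrchr(raw, '('), *rp = lp ? strchr(lp, ')') : NULL;
    size_t plen, mlen;
    if (!lp || !rp || lp == raw || lp[-1] != ' ') return -1;
    plen = (size_t)(lp - raw - 1); mlen = (size_t)(rp - lp - 1);
    if (plen >= sizeof out->profile || mlen >= sizeof out->mode) return -1;
    memcpy(out->profile, raw, plen); out->profile[plen] = '\0';
    memcpy(out->mode, lp + 1, mlen); out->mode[mlen] = '\0';
    return 0;
}

/* A learning profile created on the fly carries "//null-" in its name. */
int is_learning_profile(const char *profile) { return strstr(profile, "//null-") != NULL; }

/* Issue the same "changeprofile <target>" write that aa_change_profile() makes
 * to /proc/self/attr/current.  Returns 0, or -1 with errno set (e.g. when the
 * transition is denied or AppArmor is not present). */
int request_change_profile(const char *target)
{
    char req[300];
    int fd, n = snprintf(req, sizeof req, "changeprofile %s", target);
    if (n < 0 || (size_t)n >= sizeof req) { errno = ENAMETOOLONG; return -1; }
    if ((fd = open("/proc/self/attr/current", O_WRONLY)) < 0) return -1;
    if (write(fd, req, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

int main(void)
{
    char raw[512] = "unconfined"; struct aa_label lbl; int fd; ssize_t n;
    if (request_change_profile("doesnotexist") < 0) perror("changeprofile doesnotexist");
    if ((fd = open("/proc/self/attr/current", O_RDONLY)) >= 0) {
        if ((n = read(fd, raw, sizeof raw - 1)) >= 0) raw[n] = '\0';
        close(fd);
    }
    raw[strcspn(raw, "\n")] = '\0';
    if (parse_label(raw, &lbl) < 0) { printf("label: %s\n", raw); return 0; }
    printf("%s (%s)%s\n", lbl.profile, lbl.mode,
           is_learning_profile(lbl.profile) ? " <- learning profile, not the target" : "");
    return 0;
}
```

Run it from a process already confined in complain mode (as R was above) and the printed label is the auto-generated //null-N profile, which is the "nothing happens" the thread describes.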