[apparmor] issue with aa_change_profile when already in complain mode
John Johansen
john.johansen at canonical.com
Tue Jul 17 20:17:40 UTC 2012
On 07/17/2012 12:17 PM, Jeroen Ooms wrote:
> On Tue, Jul 17, 2012 at 9:10 PM, John Johansen <john.johansen at canonical.com> wrote:
>
> The logs look correct; it will record that change_profile was targeting
> doesnotexist even if a learning profile is being created. I don't see any
> failures/errors reported in the log, so apparmor thinks it completed the
> transition correctly.
>
>
> It didn't... here is some more log:
>
Strange, I will try to replicate.
> jeroen at jeroen-Ubuntu:/etc/apparmor.d$ sudo tail -f -n0 /var/log/kern.log
> Jul 17 21:11:53 jeroen-Ubuntu kernel: [37530.763909] type=1400 audit(1342552313.246:690): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
> Jul 17 21:11:53 jeroen-Ubuntu kernel: [37530.763921] type=1400 audit(1342552313.246:691): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="doesnotexist"
> Jul 17 21:11:59 jeroen-Ubuntu kernel: [37537.235849] type=1400 audit(1342552319.718:692): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
> Jul 17 21:11:59 jeroen-Ubuntu kernel: [37537.235863] type=1400 audit(1342552319.718:693): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-base"
> Jul 17 21:12:08 jeroen-Ubuntu kernel: [37545.948146] type=1400 audit(1342552328.434:694): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
> Jul 17 21:12:08 jeroen-Ubuntu kernel: [37545.948158] type=1400 audit(1342552328.434:695): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-compile"
>
>
> I need to see more log messages to know what is happening. One question that comes to mind is which change_profile API are you using?
>
>
> I am using aa_change_profile.
>
> What exactly is the expected behavior when I change from a profile in complain mode to another profile (which does not have a complain flag)? Should it switch to the new profile in enforce mode or complain mode?
>
It should switch to the mode of the target profile, so complain to enforce.
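The kern.log records above are the only evidence in this exchange of what the kernel did, so it helps to read them mechanically. Below is an added example (my code, not part of this thread or of AppArmor itself) that parses the type=1400 audit records, treats apparmor="ALLOWED" as what a complain-mode profile logs for a request its rules do not grant (the same request against an enforce-mode profile is logged as apparmor="DENIED" and refused), and turns each record into the rule the profile is still missing. The log text is constructed from the lines quoted in the thread, with the host name changed and one added DENIED record to show the enforce-mode shape; LOADED_PROFILES is a hypothetical set of loaded profiles so the doesnotexist transition can be flagged.

```python
"""Read AppArmor audit records like the kern.log lines in this thread and
list the rules a complain-mode profile is still missing.

Added example, not AppArmor project code. The log lines are constructed
from the ones quoted in the thread (plus one DENIED line for contrast);
the emitted rule text is a starting point for review, not finished policy.
"""
import re

# key=value pairs, values either "quoted" or bare (pid=21822, type=1400).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: three records copied from the thread (host name changed),
# one constructed DENIED record showing what enforce mode logs, and one
# unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Jul 17 21:11:53 host kernel: [37530.763909] type=1400 audit(1342552313.246:690): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 21:11:53 host kernel: [37530.763921] type=1400 audit(1342552313.246:691): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="doesnotexist"
Jul 17 21:11:59 host kernel: [37537.235863] type=1400 audit(1342552319.718:693): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-base"
Jul 17 21:12:08 host kernel: [37545.948158] type=1400 audit(1342552328.434:695): apparmor="DENIED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-compile"
Jul 17 21:12:09 host kernel: [37546.000000] unrelated message with no audit fields
"""

# Hypothetical set of profiles loaded in the kernel (assumption for this example).
LOADED_PROFILES = {"/usr/bin/R", "r-base", "r-compile"}


def parse_audit_line(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def audit_events(log_text):
    """Yield parsed AppArmor (type=1400) records, skipping anything else."""
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("type") == "1400" and "apparmor" in fields:
            yield fields


def missing_rules(log_text, loaded_profiles):
    """Map each ALLOWED/DENIED record to (profile, rule, note).

    ALLOWED here means a complain-mode profile let through a request its
    rules do not grant; DENIED means an enforce-mode profile refused the
    same kind of request. Either way the record points at a missing rule.
    """
    out = []
    for f in audit_events(log_text):
        status = f["apparmor"]
        if status not in ("ALLOWED", "DENIED"):
            continue  # STATUS/AUDIT records are not policy gaps
        mode = "complain" if status == "ALLOWED" else "enforce"
        if f.get("operation") == "change_profile":
            target = f.get("target", "")
            rule = f"change_profile -> {target},"
            note = f"{mode}: transition to {target}"
            if target not in loaded_profiles:
                note += " (no such profile loaded)"
        else:
            name = f.get("name", "")
            rule = f"{name} {f.get('denied_mask', '')},"
            note = f"{mode}: {f.get('operation')} on {name}"
        out.append((f.get("profile", ""), rule, note))
    return out


if __name__ == "__main__":
    for profile, rule, note in missing_rules(SAMPLE_LOG, LOADED_PROFILES):
        print(f"{profile}: {rule:40} # {note}")
```

Run against the thread's own lines this reports, for /usr/bin/R, a missing write rule on /proc/21822/attr/current and missing change_profile rules for doesnotexist (flagged as not loaded) and r-base, all in complain mode; the constructed r-compile record shows the same gap as an enforce-mode refusal.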