[apparmor] [Bug 1014304] Re: genprof misses some permissions

John Johansen john.johansen at canonical.com
Thu Jun 21 01:26:47 UTC 2012


Yes, it looks like there may be some tracking issues when a new profile
is added (could be only around children and hats).  The "r" permission
is definitely there in the log, and there is even enough info to track
across the exec. So it's not the problem I initially suspected; there is
a huge logging problem at the moment around exec where, due to lsm_audit,
many of apparmor's messages get lost, especially around exec. This
permission not getting added to profiles as well but in this case
logprof would not pick up the second time through.


  genprof misses some permissions

Status in AppArmor Linux application security framework:

Bug description:
  Take this little demo script:

  echo "Hello World!" > /tmp/hello.txt
  cat /tmp/hello.txt
  rm /tmp/hello.txt

  I created a profile for it using genprof. Most important point: select
  "child" for executing /bin/rm, see attached screendump.txt for

  When I run logprof after the genprof run, it proposes
      Profile:  /home/cb/linuxtag/apparmor/scripts/hello
      Path:     /usr/bin/rm
      Old Mode: Cx
      New Mode: rCx

  That's something genprof should have caught...
