[apparmor] [Bug 1014304] Re: genprof misses some permissions
John Johansen
john.johansen at canonical.com
Thu Jun 21 01:26:47 UTC 2012
Christian
yes it looks like there may be some tracking issues when a new profile
is added (could be only around children and hats). The "r" permission
is definitely there in the log, and there is even enough info to track
across the exec. So its not the problem I initially suspected; there is
a huge logging problem at the moment around exec where do to lsm_audit
many of apparmor's messages get lost especially around exec. This
permission not getting added to profiles as well but in this case
logprof would not pick up the second time through.
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/1014304
Title:
genprof misses some permissions
Status in AppArmor Linux application security framework:
New
Bug description:
Take this little demo script:
#!/bin/bash
echo "Hello World!" > /tmp/hello.txt
cat /tmp/hello.txt
rm /tmp/hello.txt
I created a profile for it using genprof. Most important point: select
"child" for executing /bin/rm, see attached screendump.txt for
details.
When I run logprof after the genprof run, it proposes
Profile: /home/cb/linuxtag/apparmor/scripts/hello
Path: /usr/bin/rm
Old Mode: Cx
New Mode: rCx
That's something genprof should have catched...
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1014304/+subscriptions
More information about the AppArmor
mailing list