[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?
Number Six
number6 at elitemail.org
Mon Mar 19 08:43:50 UTC 2012
On Wed, Mar 14, 2012, at 06:47 PM, John Johansen wrote:
> >>>>> I am dealing with a possible exploit that seems to irregularly
> >>>>> attempt to execute a series of suspicious system calls, and I'd
> >>>>> like to try to dive in with gdb to see what is really going on.
> >
> >> A more common case is wanting the syscall parameters and that we
> >> can do if you install auditd, and turn on syscall auditing with
> >>
> >> sudo auditctl -e 1
> >>
> >> then every apparmor reject is accompanied by a syscall entry in the
> >> audit log. However after poking at it for a bit it doesn't seem
> >> possible to get the EIP as part of the audit message.
> >>
> >> So if you need a custom patch, I can do that.
> >
> > A possible way to make this a bit more generic could extend the
> > APPARMOR_ENFORCE, APPARMOR_COMPLAIN, APPARMOR_KILL profile flags to
> > also include APPARMOR_CORE or APPARMOR_STOP that asks for a core
> > dump or asks for SIGSTOP to be sent to the process. Either of these
> > would make it easier to inspect a process that has violated policy
> > at the moment the policy violation takes place.
> >
> That isn't a bad idea and is quite doable
I would love to have SIGSTOP functionality. It would be perfect,
actually. Then I can catch the bastard live in gdb without messing
around with guessing breakpoints/setting watchpoints. Also, the syscall
violations in this particular exploit suspect come in a series, and I'd
like to inspect program state at each syscall violation. So SIGSTOP is
waaay better than just a core.
Happy to test out a patch. Would it require a custom kernel build? I am
comfortable doing that, but would be more comfortable if there were good
instructions for building everything I need for Ubuntu. Is that
available anywhere, by chance?
Incidentally, which version of apparmor do I need to get the ip address
granularity for network rule statements as defined in
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Note:_about_AppArmor_2.3_-_2.6_network_rules
?
I would also very much love to be able to write 'network tcp dst
127.0.0.1', for example.
Thanks for all your help,
- Six
--
http://www.fastmail.fm - The professional email service
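As an added example (not code from the thread or from the AppArmor project): once syscall auditing is on with `auditctl -e 1`, each AppArmor denial (`type=AVC`) and the `SYSCALL` record that caused it share one audit event id in `msg=audit(<timestamp>:<serial>)`. The script below joins the two by that id, so the denial's profile, operation and target line up with the syscall number, arguments, exit code and executable. The audit lines are constructed for this example (pids, paths and argument values are made up); the field layout follows the standard auditd record format. Consistent with the thread, nothing here recovers the instruction pointer, because the SYSCALL record does not carry it.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (made up for this example, not taken
# from the thread). Each AppArmor denial (type=AVC) is paired with the SYSCALL
# record that produced it via the event id in msg=audit(<ts>:<serial>).
# Serial 458 is an allowed write with no AVC record, and serial 459 is a denial
# with no SYSCALL partner, which is what the log looks like with auditing off.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1332142000.123:456): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1332142000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="example" exe="/usr/bin/example" key=(null)
type=AVC msg=audit(1332142000.130:457): apparmor="DENIED" operation="connect" profile="/usr/bin/example" pid=4242 comm="example" family="inet" sock_type="stream" protocol=6
type=SYSCALL msg=audit(1332142000.130:457): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff5678 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="example" exe="/usr/bin/example" key=(null)
type=SYSCALL msg=audit(1332142000.140:458): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=7fff9abc a2=5 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="example" exe="/usr/bin/example" key=(null)
type=AVC msg=audit(1332142000.150:459): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
"""

# type=<TYPE> msg=audit(<ts>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value tokens; values are either double-quoted strings or bare words
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, (timestamp, serial), fields dict)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group("body"))}
    return m.group("type"), (m.group("ts"), m.group("serial")), fields


def correlate_denials(log_text):
    """Join every AppArmor DENIED record with the SYSCALL record of the same event.

    Returns one dict per denial, ordered by audit serial. Fields taken from the
    SYSCALL record are None when no such record exists for that event.
    """
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, event_id, fields = parsed
        events[event_id][rtype] = fields

    denials = []
    for (ts, serial), records in sorted(events.items(), key=lambda kv: int(kv[0][1])):
        avc = records.get("AVC")
        if not avc or avc.get("apparmor") != "DENIED":
            continue
        sc = records.get("SYSCALL")
        denials.append({
            "serial": int(serial),
            "timestamp": float(ts),
            "pid": int(avc["pid"]),
            "profile": avc.get("profile"),
            "operation": avc.get("operation"),
            # file denials carry name=, network denials carry family=/sock_type=
            "target": avc.get("name") or avc.get("family"),
            "syscall": int(sc["syscall"]) if sc else None,
            "exe": sc.get("exe") if sc else None,
            "exit": int(sc["exit"]) if sc else None,
            "args": [sc.get(a) for a in ("a0", "a1", "a2", "a3")] if sc else None,
        })
    return denials


if __name__ == "__main__":
    for d in correlate_denials(SAMPLE_AUDIT_LOG):
        if d["syscall"] is None:
            print(f'{d["serial"]}: {d["operation"]} {d["target"]} (no SYSCALL record; enable auditing)')
        else:
            print(f'{d["serial"]}: {d["operation"]} {d["target"]} -> syscall {d["syscall"]} '
                  f'args={d["args"]} exit={d["exit"]} exe={d["exe"]}')
```

On a live system `ausearch` already groups records by event id, so this join is mostly useful when reading raw `audit.log` copies offline or feeding the pairs into a custom detection rule; the `syscall` number is architecture specific (the `arch=` field tells you which table to consult).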