[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?
John Johansen
john.johansen at canonical.com
Mon Mar 19 11:00:26 UTC 2012
On 03/19/2012 01:43 AM, Number Six wrote:
> On Wed, Mar 14, 2012, at 06:47 PM, John Johansen wrote:
>
>>>>>>> I am dealing with a possible exploit that seems to irregularly
>>>>>>> attempt to execute a series of suspicious system calls, and I'd
>>>>>>> like to try to dive in with gdb to see what is really going on.
>>>
>>>> A more common case is wanting the syscall parameters and that we
>>>> can do if you install auditd, and turn on syscall auditing with
>>>>
>>>> sudo auditctl -e 1
>>>>
>>>> then every apparmor reject is accompanied by a syscall entry in the
>>>> audit log. However after poking at it for a bit it doesn't seem
>>>> possible to get the EIP as part of the audit message.
>>>>
>>>> So if you need a custom patch, I can do that.
>>>
>>> A possible way to make this a bit more generic could extend the
>>> APPARMOR_ENFORCE, APPARMOR_COMPLAIN, APPARMOR_KILL profile flags to
>>> also include APPARMOR_CORE or APPARMOR_STOP that asks for a core
>>> dump or asks for SIGSTOP to be sent to the process. Either of these
>>> would make it easier to inspect a process that has violated policy
>>> at the moment the policy violation takes place.
>>>
>> That isn't a bad idea and is quite doable
>
> I would love to have SIGSTOP functionality. It would be perfect,
I forgot to mention in my last email, I have a patch for this (attached),
or would you prefer a pre-built Ubuntu kernel, and if so what version?
Currently it's untested, and limited to being used as a global mode where,
as root, you can do
echo -n "stop" > /sys/module/apparmor/parameters/mode
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-AppArmor-refactor-profile-mode-macros.patch
Type: text/x-patch
Size: 1280 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120319/d821ab08/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-a-stop-mode-to-apparmor.patch
Type: text/x-patch
Size: 3499 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120319/d821ab08/attachment-0001.bin>
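The thread's point is that, with auditd running and syscall auditing enabled, each AppArmor reject is accompanied by a SYSCALL record in the audit log, which carries the syscall number, its arguments and the return value (but not the instruction pointer). In audit.log the two records are tied together by the serial number inside msg=audit(<epoch>:<serial>), so reconstructing the "what syscall was this denial" view is a join on that serial. The script below is an added example and not code from the thread or from the AppArmor or audit projects: the sample audit.log lines are constructed for illustration, and the syscall table covers only a handful of x86_64 (arch=c000003e) numbers, which is an assumption about the platform being inspected.

```python
import re
from collections import OrderedDict

# Constructed sample audit.log lines (not taken from the thread). Serial 456 is a
# denial with its matching SYSCALL record; 457 is an unrelated SYSCALL record;
# 458 is a denial for which no SYSCALL record was logged.
SAMPLE_AUDIT_LOG = """\
type=APPARMOR_DENIED msg=audit(1332155000.123:456): apparmor="DENIED" operation="open" parent=1234 profile="/usr/sbin/example" name="/etc/shadow" pid=1235 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1332155000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc0ffee00 a1=0 a2=1b6 a3=0 items=0 ppid=1234 pid=1235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example" exe="/usr/sbin/example" key=(null)
type=SYSCALL msg=audit(1332155001.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 comm="bash" exe="/bin/bash" key=(null)
type=APPARMOR_DENIED msg=audit(1332155002.000:458): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/example" pid=1235 comm="example" family="inet" sock_type="stream" protocol=6
"""

# type=<TYPE> msg=audit(<epoch>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token such as (none)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Minimal x86_64 syscall table (assumption: only the numbers needed here).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 41: "socket",
                   42: "connect", 59: "execve", 257: "openat"}


def syscall_name(arch, nr):
    """Map a SYSCALL record's arch/syscall fields to a name (x86_64 only here)."""
    if arch == "c000003e":
        return X86_64_SYSCALLS.get(nr, "syscall_%d" % nr)
    return "syscall_%d@%s" % (nr, arch)


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def correlate(log_text):
    """Join each AppArmor DENIED record with the SYSCALL record of the same serial.

    Returns one dict per denial. 'syscall' stays None when no SYSCALL record was
    logged for that serial, which is what you see when syscall auditing was not
    active for the denied process.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"apparmor": None, "syscall": None, "ts": rec["ts"]})
        # Match on the apparmor="DENIED" field rather than the type name, since
        # older audit userspace prints the type as UNKNOWN[...] instead of APPARMOR_DENIED.
        if rec["fields"].get("apparmor") == "DENIED":
            ev["apparmor"] = rec["fields"]
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]

    rows = []
    for serial, ev in events.items():
        aa = ev["apparmor"]
        if aa is None:
            continue  # SYSCALL record without a denial: not our concern here
        row = {"serial": serial, "ts": ev["ts"], "operation": aa.get("operation"),
               "profile": aa.get("profile"), "name": aa.get("name"),
               "denied_mask": aa.get("denied_mask"),
               "pid": int(aa["pid"]) if "pid" in aa else None,
               "syscall": None, "exit": None, "exe": None, "args": None}
        sc = ev["syscall"]
        if sc is not None:
            row["syscall"] = syscall_name(sc.get("arch"), int(sc["syscall"]))
            ret = sc.get("exit", "")
            row["exit"] = int(ret) if ret.lstrip("-").isdigit() else None
            row["exe"] = sc.get("exe")
            row["args"] = [sc.get(a) for a in ("a0", "a1", "a2", "a3")]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in correlate(SAMPLE_AUDIT_LOG):
        print("serial=%d pid=%s profile=%s op=%s name=%s syscall=%s exit=%s args=%s"
              % (r["serial"], r["pid"], r["profile"], r["operation"], r["name"],
                 r["syscall"], r["exit"], r["args"]))
```

Run it against a real /var/log/audit/audit.log by passing the file's contents to correlate(); a denial that comes back with syscall=None means the kernel did not log a SYSCALL record for that event, so syscall auditing was not in effect for that process and the parameters are simply not recoverable from the log. The register values (a0 to a3) are left as the hex strings auditd wrote, since interpreting them depends on the syscall.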