[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?

John Johansen john.johansen at canonical.com
Tue Mar 20 17:18:07 UTC 2012


On 03/19/2012 01:43 AM, Number Six wrote:
> On Wed, Mar 14, 2012, at 06:47 PM, John Johansen wrote:
> 
Urg, sorry, I thought I sent this days ago, but its window turned up
behind some other things :/

>>>>>>> I am dealing with a possible exploit that seems to irregularly
>>>>>>> attempt to execute a series of suspicious system calls, and I'd
>>>>>>> like to try to dive in with gdb to see what is really going on.
>>>
>>>> A more common case is wanting the syscall parameters and that we
>>>> can do if you install auditd, and turn on syscall auditing with
>>>>
>>>>  sudo auditctl -e 1
>>>>
>>>> then every apparmor reject is accompanied by a syscall entry in the
>>>> audit log.  However after poking at it for a bit it doesn't seem
>>>> possible to get the EIP as part of the audit message.
>>>>
>>>> So if you need a custom patch, I can do that.
>>>
>>> A possible way to make this a bit more generic could extend the
>>> APPARMOR_ENFORCE, APPARMOR_COMPLAIN, APPARMOR_KILL profile flags to
>>> also include APPARMOR_CORE or APPARMOR_STOP that asks for a core
>>> dump or asks for SIGSTOP to be sent to the process. Either of these
>>> would make it easier to inspect a process that has violated policy
>>> at the moment the policy violation takes place.
>>>
>> That isn't a bad idea and is quite doable.
> 
> I would love to have SIGSTOP functionality. It would be perfect,
> actually. Then I can catch the bastard live in gdb without messing
> around with guessing breakpoints/setting watchpoints. Also, the syscall
> violations in this particular exploit suspect come in a series, and I'd
> like to inspect program state at each syscall violation. So SIGSTOP is
> waaay better than just a core.
> 
> Happy to test out a patch. Would it require a custom kernel build? I am
Yes

> comfortable doing that, but would be more comfortable if there were good
> instructions for building everything I need for Ubuntu. Is that
> available anywhere, by chance?
> 
If it's an Ubuntu kernel, I am set up to build them so I can provide them
if you want.  However if you want instructions, the Ubuntu kernel team
has a wiki

https://wiki.ubuntu.com/Kernel/Dev

with this link in particular being worth looking at
https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel

> 
> Incidentally, which version of apparmor do I need to get the ip address
> granularity for network rule statements as defined in
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Note:_about_AppArmor_2.3_-_2.6_network_rules
> ?
> 
> I would also very much love to be able to write 'network tcp dst
> 127.0.0.1', for example.
> 

Sadly they haven't happened yet. There were plans to get them out for
AppArmor 2.7 (last release) but it didn't happen.  And it won't for
2.8 either.

It should happen for the planned 3.0 release and if you are interested
in running a pre-alpha kernel and parser, parts of this could be played
with, but it's not something I would recommend trying just yet.
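An added example, not from this thread or the AppArmor project, of the pairing John describes above: with auditd running and `auditctl -e 1`, the AppArmor AVC record and the SYSCALL record for the same event share one audit serial, so the syscall number and arguments can be recovered for each denial even though the instruction pointer is not logged. The audit.log lines below are constructed samples; field names follow the standard auditd record format.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread): one AppArmor
# denial plus the SYSCALL record auditd emits for the same event (same
# serial 4567), and an unrelated SYSCALL record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1332263887.123:4567): apparmor="DENIED" operation="open" parent=1000 profile="/usr/bin/victim" name="/etc/shadow" pid=2001 comm="victim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1332263887.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdeadbeef a1=0 a2=1b6 a3=0 items=0 ppid=1000 pid=2001 auid=1000 uid=0 gid=0 comm="victim" exe="/usr/bin/victim" key=(null)
type=SYSCALL msg=audit(1332263887.200:4568): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=0 a2=5 a3=0 items=0 ppid=1 pid=2002 auid=1000 uid=1000 gid=1000 comm="cat" exe="/bin/cat" key=(null)
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into (type, serial, {field: value}); quotes stripped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    fields['_ts'] = ts
    return rtype, int(serial), fields

def correlate(log_text):
    """One dict per AppArmor denial, merged with the SYSCALL record that
    carries the same audit serial (syscall number, a0..a3, exe, exit)."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            by_serial[serial][rtype] = fields
    results = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('apparmor') != 'DENIED':
            continue  # only AppArmor rejects are of interest here
        sc = recs.get('SYSCALL', {})  # empty if syscall auditing was off
        results.append({
            'serial': serial, 'profile': avc.get('profile'),
            'operation': avc.get('operation'), 'name': avc.get('name'),
            'pid': avc.get('pid'), 'syscall': sc.get('syscall'),
            'args': [sc.get('a%d' % i) for i in range(4)],
            'exe': sc.get('exe'), 'exit': sc.get('exit'),
        })
    return results

if __name__ == '__main__':
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```

Run it against a real /var/log/audit/audit.log to get the denied operation, the syscall number and its raw arguments side by side; the EIP/RIP still has to come from gdb, as the thread concludes.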


