[apparmor] Problem with audit rule modifier

azurIt azurit at pobox.sk
Mon Jul 1 09:15:36 UTC 2013


>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm having problems with the audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>>>>>>>>>>>>> audit /home/** a,
>>>>>>>>>>>>> audit /home/** w,
>>>>>>>>>>>> By only logging you mean logging of an access but not granting permission?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>>>
>>>>>>>>>> ok, I just wanted to be sure as we have had misunderstandings before around audit, with people expecting it to only change the auditing behavior and not grant permissions.
>>>>>>>>>>
>>>>>>>>>> ie. audit /** w,
>>>>>>>>>>
>>>>>>>>>> as a rule to catch any writes regardless of what other rules are. It would be a nice ability to have but the language doesn't allow specifying only the audit behavior like this atm.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>>>>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>>>
>>>>>>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Well, I just read in the docs that 'w' also implies 'a', so only the second line is necessary. But yes, I had to use 'audit deny' for logging to work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>>>>>>>
>>>>>>>>>> Okay
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>> It is not known.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Here is the complete profile (I already removed that 'a' line and tested it):
>>>>>>>>>>>
>>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>>>         network,
>>>>>>>>>>>         capability,
>>>>>>>>>>>         file,
>>>>>>>>>>>         audit deny /home/**/*.php w,
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> As I said, I'm running this in complain mode because I don't want to deny the action on the last line. I want to use AppArmor only for logging access to files via PHP (I will be processing that log later).
>>>>>>>>>>>
>>>>>>>>>> Can you please provide the following information to help us diagnose the problem.
>>>>>>>>>>
>>>>>>>>>> Kernel version: use the command     uname -a
>>>>>>>>>> Parser version: use the command     apparmor_parser -v
>>>>>>>>>> State dump from the compiler:  use the command
>>>>>>>>>>  apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>>>
>>>>>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>>>>>  apparmor_parser -S profile_file  > output_file
>>>>>>>>>>  apparmor_parser -o output_file profile_file
>>>>>>>>>>
>>>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>>>> * profile_file is the file name where your profile is stored
>>>>>>>>>> * states_file and output_file are just files that the output will be dumped in, so that you can attach them
>>>>>>>>>
>>>>>>>>> Kernel version: 3.2.47
>>>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>>>> oops sorry
>>>>>>>>
>>>>>>>>> The client software consists of packages from Debian Wheezy running on Debian Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>>>
>>>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It's vanilla kernel downloaded directly from kernel.org + grsecurity from grsecurity.org.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>> Attaching 3 files from those 3 commands. The last two commands printed this warning (probably ok):
>>>>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>>>>>>>>>
>>>>>>>> yes that is fine, but thanks for the heads up
>>>>>>>>
>>>>>>>>> To avoid misunderstanding: I'm currently using this profile (in complain mode):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>        network,
>>>>>>>>>        capability,
>>>>>>>>>        file,
>>>>>>>>>        audit deny /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> But i WANT to use this profile (not in complain mode):
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>        network,
>>>>>>>>>        capability,
>>>>>>>>>        file,
>>>>>>>>>        audit /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Logging is working only in the first one, so I'm forced to use it instead of the second one. Hope I'm clear enough. Thank you.
>>>>>>>>>
>>>>>>>> Okay, the output of the compiler for the first one looks good, I still need to look at the kernel side (waiting for confirmation on the patchset there).
>>>>>>>>
>>>>>>>> Can you attach the same set of compiler output for the second profile (without the deny) so I can check it as well.
>>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up in v3.4 looks like it might fix this for you.
>>>>>>
>>>>>> Also would you be interested in a backport version of apparmor to the 3.2 kernel? Basically we now have the current upstream v3.10 version backported to 3.2 as a drop in replacement (no abi changes, or touching the rest of the kernel tree). The 3.10 version has several bug fixes that are not present in the 3.2 kernel version.
>>>>>
>>>>>
>>>>> This would be really cool if you'll be so kind :) I cannot move out from 3.2 yet because of grsecurity (stable version is currently for 3.2). Thank you!
>>>>>
>>>> there is a v3.2-backport-of-v3.10-apparmor branch at
>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>>>
>>>> it's done as a copy of v3.10 kernel apparmor into v3.2 (first patch) and
>>>> then the series of patches needed to make it work on 3.2.
>>>>
>>>>
>>>> specifically you want
>>>> The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>>>
>>>>  Linux 3.2 (2013-06-30 05:22:04 -0700)
>>>>
>>>> are available in the git repository at:
>>>>
>>>>  git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>>>
>>>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>>>
>>>>  UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece (2013-06-30 05:22:20 -0700)
>>>
>>>
>>> Sorry, I'm not very experienced with git. I downloaded that branch by:
>>> git clone -b v3.2-backport-of-v3.10-apparmor git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>
>>> but don't know what to do next - how can i 'filter' commits from '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to '958b96ce2184a526dd83b7725d498acc5f99425c'?
>>>
>> you can dump out the patches by changing into the git tree's directory and then doing
>> 
>>   git format-patch 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c -o patches/
>> 
>> the patches directory can be named anything you want and has to be created before the git command. If you leave off the -o patches bit, it will dump the series into your cwd, which can be a bit of a mess since it's 19 patches here.
>> 
>> Each of the patches will start with a number 0001-, 0002-, ... in the order they are supposed to be supplied



Thank you.



>One more thing I forgot to add. This is a pure upstream backport and doesn't have
>the compatibility or networking patches in it. These patches should apply if not,
>let me know and it shouldn't take long to get them to apply.


Compatibility patches were integrated directly into the 3.2 kernel (from 3.2.47); are you sure they won't be part of these new patches? Anyway, if it's not a big deal for you, it would be very nice to have everything that is available. Thank you.

azur
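The poster says the point of the profile is to log PHP writes under /home and process that log later. The following is an added example of that processing step, not code from the thread or from the AppArmor project: it parses kernel AppArmor audit records, keeps the ones from the apache2 profile whose path matches the rule's glob, and reports whether each access was logged by an audit rule (apparmor="AUDIT"), allowed because the profile is in complain mode (apparmor="ALLOWED"), or denied (apparmor="DENIED"). The log lines in SAMPLE_LOG are constructed for the example, not captured from the poster's host; the glob translation only covers the `*`, `**` and `?` forms used in the thread, and is an approximation of the parser's own matching (brace alternation and character classes are assumed not to occur in the rules being checked).

```python
"""Parse AppArmor file-access audit records and pick out the writes a rule
such as 'audit /home/**/*.php w,' is meant to log.

Added example for this thread, not code from the poster or AppArmor.
SAMPLE_LOG is constructed, not captured from a real host.
"""
import re
from typing import Dict, List, Optional

# key=value or key="quoted value" pairs as they appear in AppArmor audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records (syslog prefix stripped).
SAMPLE_LOG = [
    # complain mode: 'audit deny' rule hit, access allowed anyway, logged as ALLOWED
    'type=1400 audit(1372670136.101:401): apparmor="ALLOWED" operation="open" '
    'profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" '
    'pid=1201 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    # enforce mode with a working 'audit ... w,' rule: allowed and logged as AUDIT
    'type=1400 audit(1372670136.103:403): apparmor="AUDIT" operation="open" '
    'profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/www/upload.php" '
    'pid=1202 comm="apache2" requested_mask="w" fsuid=1001 ouid=1001',
    # a different profile: must be ignored
    'type=1400 audit(1372670136.104:404): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/nginx" name="/home/alice/public_html/index.php" '
    'pid=1300 comm="nginx" requested_mask="w" denied_mask="w" fsuid=33 ouid=1000',
    # not a .php file: does not match the glob
    'type=1400 audit(1372670136.105:405): apparmor="ALLOWED" operation="open" '
    'profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/notes.txt" '
    'pid=1201 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    # append-only open: 'w' in the rule implies 'a', so count it as a write
    'type=1400 audit(1372670136.107:407): apparmor="ALLOWED" operation="open" '
    'profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/log.php" '
    'pid=1201 comm="apache2" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000',
]


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Fields of one audit line, or None if it is not an AppArmor record."""
    if "apparmor=" not in line:
        return None
    rec: Dict[str, str] = {}
    for m in _KV.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Approximate AppArmor path globbing: '**' matches across '/',
    '*' and '?' stay inside one path component.  Brace alternation and
    character classes are not handled (assumption: not used in these rules)."""
    out: List[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def outcome(rec: Dict[str, str]) -> str:
    """What the apparmor= field of a record means for the access."""
    return {
        "AUDIT": "allowed (audit rule)",
        "ALLOWED": "allowed (complain mode)",
        "DENIED": "denied",
    }.get(rec.get("apparmor", ""), "other")


def file_writes_matching(lines: List[str], profile: str, path_glob: str) -> List[Dict[str, str]]:
    """Records from `profile` whose path matches `path_glob` and whose
    requested_mask asks for write or append access."""
    pat = apparmor_glob_to_regex(path_glob)
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("profile") != profile:
            continue
        if not pat.match(rec.get("name", "")):
            continue
        if set(rec.get("requested_mask", "")) & {"w", "a"}:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in file_writes_matching(SAMPLE_LOG, "/usr/lib/apache2/mpm-itk/apache2", "/home/**/*.php"):
        print(f'{r["name"]} pid={r["pid"]} mask={r["requested_mask"]}: {outcome(r)}')
```

Feed it the kernel log (for example `journalctl -k` or /var/log/kern.log with the syslog prefix left in; the parser only looks for `key=value` pairs after `apparmor=`). Filtering on the profile name matters on a shared host, because every confined program that touches /home writes to the same log.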
