[apparmor] Problem with audit rule modifier

John Johansen john.johansen at canonical.com
Sun Jun 30 10:36:01 UTC 2013


On 06/30/2013 02:56 AM, azurIt wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm having problems with the audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>>>>>>> audit /home/** a,
>>>>>>> audit /home/** w,
>>>>>> By only logging you mean logging of an access but not granting permission?
>>>>>
>>>>>
>>>>> I mean logging of an access AND granting permission.
>>>>>
>>>> OK, I just wanted to be sure as we have had misunderstandings before around audit, with people expecting it to only change the auditing behavior and not grant permissions.
>>>>
>>>> i.e. audit /** w,
>>>>
>>>> as a rule to catch any writes regardless of what other rules are. It would be a nice ability to have but the language doesn't allow specifying only the audit behavior like this atm.
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>>>>>>> audit deny /home/**/*.php a,
>>>>>>> audit deny /home/**/*.php w,
>>>>>>>
>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>
>>>>>
>>>>> Well, I just read in the docs that 'w' also implies 'a', so only the second line is necessary. But yes, I had to use 'audit deny' for logging to work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>
>>>> Okay
>>>>
>>>>>
>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>
>>>>>> It is not known.
>>>>>>
>>>>>> Can you send us the full profile you are using?
>>>>>
>>>>>
>>>>> Here is the complete profile (I already removed that 'a' line and tested it):
>>>>>
>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>         network,
>>>>>         capability,
>>>>>         file,
>>>>>         audit deny /home/**/*.php w,
>>>>> }
>>>>>
>>>>>
>>>>> As I said, I'm running this in complain mode because I don't want to deny the action on the last line. I want to use apparmor only for logging access to files via PHP (I will be processing that log later).
>>>>>
>>>> Can you please provide the following information to help us diagnose the problem.
>>>>
>>>> Kernel version: use the command     uname -a
>>>> Parser version: use the command     apparmor_parser -v
>>>> State dump from the compiler:  use the command
>>>>  apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>
>>>> Compiled output of your profile: use either of the following commands
>>>>  apparmor_parser -S profile_file  > output_file
>>>>  apparmor_parser -o output_file profile_file
>>>>
>>>> * the -o version may not work on older parsers.
>>>> * profile_file is the file name where your profile is stored
>>>> * states_file and output_file are just files that the output will be dumped into, so that you can attach them
>>>
>>> Kernel version: 3.2.47
>>> Parser version: 2.7.103 (it was the -V switch)
>> oops sorry
>>
>>> The client software consists of packages from Debian Wheezy running on Debian Squeeze. I'm using my own kernel patched with grsecurity.
>>>
>> Okay, is this kernel derived from Debian Wheezy, upstream, Ubuntu?
> 
> It's a vanilla kernel downloaded directly from kernel.org + grsecurity from grsecurity.org.
> 
>>> Attaching 3 files from those 3 commands. The last two commands printed this warning (probably ok):
>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>>>
>> yes that is fine, but thanks for the heads up
>>
>>> To avoid misunderstanding: I'm currently using this profile (in complain mode):
>>>
>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>        network,
>>>        capability,
>>>        file,
>>>        audit deny /home/**/*.php w,
>>> }
>>>
>>>
>>>
>>> But i WANT to use this profile (not in complain mode):
>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>        network,
>>>        capability,
>>>        file,
>>>        audit /home/**/*.php w,
>>> }
>>>
>>> Logging is working only in the first one, so I'm forced to use it instead of the second one. Hope I'm clear enough. Thank you.
>>>
>> Okay, the output of the compiler for the first one looks good, I still need to look at the kernel side (waiting for confirmation on the patchset there).
>>
>> Can you attach the same set of compiler output for the second profile (without the deny) so I can check it as well.
> 
thanks

So commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba, which first showed up in v3.4, looks like it might fix this for you.

Also, would you be interested in a backport version of apparmor to the 3.2 kernel? Basically we now have the current upstream v3.10 version backported to 3.2 as a drop-in replacement (no ABI changes, or touching the rest of the kernel tree). The 3.10 version has several bug fixes that are not present in the 3.2 kernel version.
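Since the stated goal of the profile above is to log PHP file writes and process that log afterwards, here is an added example (not code from this thread or from the AppArmor project) of the processing side: a small parser for the type=1400 audit lines the kernel emits for matched file accesses, filtered down to write/append accesses to .php files under the apache2 profile. The sample log lines are constructed for this example, not captured from the reporter's system, and the mapping of the apparmor= status field (AUDIT for an audited allow in enforce mode, ALLOWED in complain mode, DENIED for an enforced deny) is an assumption about the kernel's log format, not something the thread confirms.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the kernel audit format (assumption: this is
# what the "audit ... w," rule would produce). Serial 901 is an audited
# allow in enforce mode, 902 the complain-mode "audit deny" variant, 903 an
# unrelated enforced deny, 904 a profile load message with no file access.
SAMPLE_LOG = """\
type=1400 audit(1372586001.123:901): apparmor="AUDIT" operation="open" parent=1001 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" pid=2045 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=1400 audit(1372586002.456:902): apparmor="ALLOWED" operation="open" parent=1001 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/site/config.php" pid=2046 comm="apache2" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1001
type=1400 audit(1372586003.789:903): apparmor="DENIED" operation="open" parent=1001 profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/shadow" pid=2047 comm="apache2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
type=1400 audit(1372586004.000:904): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-itk/apache2" pid=3000 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# audit(<seconds.millis>:<serial>)
HEADER_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Assumed meaning of the status field for a file access event.
GRANTED_STATUS = {"AUDIT": True, "ALLOWED": True, "DENIED": False}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor audit line into a flat dict of its fields.

    Returns None for lines that are not AppArmor audit records.
    """
    header = HEADER_RE.search(line)
    if header is None or "apparmor=" not in line:
        return None
    event = {"timestamp": header.group(1), "serial": header.group(2)}
    for key, raw, quoted, bare in FIELD_RE.findall(line):
        # raw keeps the surrounding quotes, so an empty quoted value ("")
        # is still told apart from a bare value.
        event[key] = quoted if raw.startswith('"') else bare
    return event


def was_granted(event: Dict[str, str]) -> bool:
    """True if the access was actually performed (audited allow or complain mode)."""
    return GRANTED_STATUS[event["apparmor"]]


def php_write_events(log_text: str, profile: str) -> List[Dict[str, str]]:
    """Select file events under `profile` that write or append to a .php file."""
    selected = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event.get("profile") != profile:
            continue
        if event.get("apparmor") not in GRANTED_STATUS:
            continue  # STATUS/HINT records carry no file access
        name = event.get("name", "")
        mask = event.get("requested_mask", "")
        # 'w' implies 'a' in the rule language, but the log reports the
        # mask the process asked for, so check both letters explicitly.
        if name.endswith(".php") and ("w" in mask or "a" in mask):
            selected.append(event)
    return selected


def summarize_by_uid(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count PHP write events per fsuid (mpm-itk runs each vhost under its own uid)."""
    counts: Dict[str, int] = {}
    for event in events:
        uid = event.get("fsuid", "?")
        counts[uid] = counts.get(uid, 0) + 1
    return counts


if __name__ == "__main__":
    profile_name = "/usr/lib/apache2/mpm-itk/apache2"
    for ev in php_write_events(SAMPLE_LOG, profile_name):
        verdict = "granted" if was_granted(ev) else "denied"
        print(ev["serial"], ev["fsuid"], ev["name"], ev["requested_mask"], verdict)
    print(summarize_by_uid(php_write_events(SAMPLE_LOG, profile_name)))
```

To run this against a real system, feed it the AppArmor lines from /var/log/audit/audit.log or dmesg instead of SAMPLE_LOG; the parser only relies on the key=value layout and ignores fields it does not know about.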
