[apparmor] Problem with audit rule modifier

John Johansen john.johansen at canonical.com
Sun Jun 30 12:48:32 UTC 2013


On 06/30/2013 04:02 AM, azurIt wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm having problems with the audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>>>>>>>>> audit /home/** a,
>>>>>>>>> audit /home/** w,
>>>>>>>> By only logging you mean logging of an access but not granting permission?
>>>>>>>
>>>>>>>
>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>
>>>>>> ok, I just wanted to be sure as we have had misunderstandings before around audit, with people expecting it to only change the auditing behavior and not grant permissions.
>>>>>>
>>>>>> i.e. audit /** w,
>>>>>>
>>>>>> as a rule to catch any writes regardless of what other rules are. It would be a nice ability to have but the language doesn't allow specifying only the audit behavior like this atm.
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>
>>>>>>>> These two rules were necessary to get logging in complain mode?
>>>>>>>
>>>>>>>
>>>>>>> Well, I just read in the docs that 'w' also implies 'a', so only the second line is necessary. But yes, I had to use 'audit deny' for logging to work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>>>
>>>>>> Okay
>>>>>>
>>>>>>>
>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>
>>>>>>>> It is not known.
>>>>>>>>
>>>>>>>> Can you send us the full profile you are using?
>>>>>>>
>>>>>>>
>>>>>>> Here is the complete profile (I already removed that 'a' line and tested it):
>>>>>>>
>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>         network,
>>>>>>>         capability,
>>>>>>>         file,
>>>>>>>         audit deny /home/**/*.php w,
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> As I said, I'm running this in complain mode because I don't want to deny the action on the last line. I want to use apparmor only for logging access to files via PHP (I will be processing that log later).
>>>>>>>
>>>>>> Can you please provide the following information to help us diagnose the problem.
>>>>>>
>>>>>> Kernel version: use the command     uname -a
>>>>>> Parser version: use the command     apparmor_parser -v
>>>>>> State dump from the compiler:  use the command
>>>>>>  apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>
>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>  apparmor_parser -S profile_file  > output_file
>>>>>>  apparmor_parser -o output_file profile_file
>>>>>>
>>>>>> * the -o version may not work on older parsers.
>>>>>> * profile_file is the file name where your profile is stored
>>>>>> * states_file and output_file are just files that the output will be dumped in, so that you can attach them
>>>>>
>>>>> Kernel version: 3.2.47
>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>> oops sorry
>>>>
>>>>> The client software is packages from Debian Wheezy running on Debian Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>
>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>
>>>
>>>
>>> It's vanilla kernel downloaded directly from kernel.org + grsecurity from grsecurity.org.
>>>
>>>
>>>
>>>
>>>>> Attaching 3 files from those 3 commands. The last two commands printed this warning (probably ok):
>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>>>>>
>>>> yes that is fine, but thanks for the heads up
>>>>
>>>>> To avoid misunderstanding: I'm currently using this profile (in complain mode):
>>>>>
>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>        network,
>>>>>        capability,
>>>>>        file,
>>>>>        audit deny /home/**/*.php w,
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> But i WANT to use this profile (not in complain mode):
>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>        network,
>>>>>        capability,
>>>>>        file,
>>>>>        audit /home/**/*.php w,
>>>>> }
>>>>>
>>>>> Logging is working only in the first one, so I'm forced to use it instead of the second one. Hope I'm clear enough. Thank you.
>>>>>
>>>> Okay, the output of the compiler for the first one looks good, I still need to look at the kernel side (waiting for confirmation on the patchset there).
>>>>
>>>> Can you attach the same set of compiler output for the second profile (without the deny) so I can check it as well.
>>>
>> thanks
>>
>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up in v3.4 looks like it might fix this for you.
>>
>> Also would you be interested in a backport version of apparmor to the 3.2 kernel? Basically we now have the current upstream v3.10 version backported to 3.2 as a drop in replacement (no abi changes, or touching the rest of the kernel tree). The 3.10 version has several bug fixes that are not present in the 3.2 kernel version.
> 
> 
> This would be really cool if you'll be so kind :) I cannot move out from 3.2 yet because of grsecurity (stable version is currently for 3.2). Thank you!
> 
There is a v3.2-backport-of-v3.10-apparmor branch at
git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor

It's done as a copy of the v3.10 kernel apparmor into v3.2 (first patch) and
then the series of patches needed to make it work on 3.2.


Specifically you want
The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:

  Linux 3.2 (2013-06-30 05:22:04 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor

for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:

  UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece (2013-06-30 05:22:20 -0700)

----------------------------------------------------------------
John Johansen (19):
      UBUNTU: SAUCE: apparmor: 3.2 backport. sync to Linux 3.10 apparmor
      UBUNTU: SAUCE: apparmor 3.2 backport of audit macro changes
      UBUNTU: SAUCE: apparmor: 3.8 backport provide file_inode helper 496ad9aa
      UBUNTU: SAUCE: apparmor: 3.6 backport revert uapi for capnames 43c422ed
      UBUNTU: SAUCE: apparmor: 3.6 backport revert uapi for resnames 8a1ab315
      UBUNTU: SAUCE: apparmor: 3.6 backport define kuid_t d2b31ca64
      UBUNTU: SAUCE: apparmor: 3.6 backport kuid_t support for audit 2db81452
      UBUNTU: SAUCE: apparmor: 3.4 backport revert file_mmap e5467859
      UBUNTU: SAUCE: apparmor: 3.4 backport cap_mmap_addr d007794a
      UBUNTU: SAUCE: apparmor: 3.4 backport fake no_new_privs 259e5e6c
      UBUNTU: SAUCE: apparmor: 3.4 backport revert task audi_data 0972c74e
      UBUNTU: SAUCE: apparmor: 3.4 backport alias file_open 83d49856
      UBUNTU: SAUCE: apparmor: 3.3 backport audit-pre/post callback b61c37f5
      UBUNTU: SAUCE: apparmor: 3.3 backport external audit data 3b3b0e4f
      UBUNTU: SAUCE: apparmor: 3.2 backport revert path in chmod cdcf116d4
      UBUNTU: SAUCE: apparmor: 3.2 backport revert to task in cap 6a9de491
      UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in mknod 04fc66e7
      UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in mkdir 4572befe
      UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece

 security/apparmor/.gitignore           |   1 -
 security/apparmor/Makefile             |  27 +++--
 security/apparmor/apparmorfs.c         | 195 ++++++++++++++++++++++++++-------
 security/apparmor/audit.c              |  50 +++++----
 security/apparmor/capability.c         |  10 +-
 security/apparmor/domain.c             |  51 +++++++--
 security/apparmor/file.c               |  93 ++++++++--------
 security/apparmor/include/apparmor.h   |  26 ++++-
 security/apparmor/include/apparmorfs.h |  44 ++++++++
 security/apparmor/include/audit.h      |  45 ++++++--
 security/apparmor/include/backport.h   |  62 +++++++++++
 security/apparmor/include/file.h       |   6 +-
 security/apparmor/include/match.h      |   3 +
 security/apparmor/include/path.h       |   3 +-
 security/apparmor/include/policy.h     |  15 ++-
 security/apparmor/include/resource.h   |   4 +
 security/apparmor/ipc.c                |  12 +-
 security/apparmor/lib.c                |   6 +-
 security/apparmor/lsm.c                |  42 +++----
 security/apparmor/match.c              |  80 +++++++++++++-
 security/apparmor/path.c               |  59 ++++++----
 security/apparmor/policy.c             |  45 ++++++--
 security/apparmor/policy_unpack.c      |  51 +++++++--
 security/apparmor/resource.c           |  19 +++-
 24 files changed, 720 insertions(+), 229 deletions(-)
 create mode 100644 security/apparmor/include/backport.h


> azur
> 

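As an added example (not code from this thread or from the AppArmor project), here is a small Python script for the log processing azurIt mentions: it reads kernel log lines for AppArmor file events and separates the three statuses the kernel reports. apparmor="AUDIT" is an access that was allowed and logged only because an audit rule matched (what the wanted 'audit /home/**/*.php w,' profile produces in enforce mode), apparmor="ALLOWED" is an access that complain mode let through although the profile would have denied it (what the 'audit deny' workaround produces), and apparmor="DENIED" is an enforced deny. The host name, paths, pids and uids in the sample lines are constructed, and the exact set of key="value" fields after the audit(...) timestamp is an assumption drawn from the usual kernel format, so adjust the field names if your kernel prints something different.

```python
"""Classify AppArmor file-access log lines by the status the kernel reports.

Added example for the thread above; the log lines are constructed, not real.
"""
import re

# Profile name used in the thread.
APACHE_PROFILE = "/usr/lib/apache2/mpm-itk/apache2"

# Constructed sample lines (host, paths, pids and uids are made up) in the
# kern.log layout used for AppArmor file events. The last two lines are noise
# that the parser must skip: an event from another profile and an sshd line.
SAMPLE_LOG = """\
Jun 30 12:48:01 web kernel: [ 1234.567890] type=1400 audit(1372596481.123:101): apparmor="ALLOWED" operation="open" parent=1200 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" pid=1300 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
Jun 30 12:48:02 web kernel: [ 1235.000000] type=1400 audit(1372596482.456:102): apparmor="AUDIT" operation="open" parent=1200 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/public_html/upload.php" pid=1301 comm="apache2" requested_mask="w" fsuid=1002 ouid=1002
Jun 30 12:48:03 web kernel: [ 1236.000000] type=1400 audit(1372596483.789:103): apparmor="DENIED" operation="open" parent=1200 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/carol/public_html/shell.php" pid=1302 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1003 ouid=1003
Jun 30 12:48:04 web kernel: [ 1237.000000] type=1400 audit(1372596484.000:104): apparmor="AUDIT" operation="open" parent=1200 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/config.inc" pid=1303 comm="apache2" requested_mask="r" fsuid=1001 ouid=1001
Jun 30 12:48:05 web kernel: [ 1238.000000] type=1400 audit(1372596485.000:105): apparmor="DENIED" operation="open" parent=1400 profile="/usr/sbin/ntpd" name="/etc/shadow" pid=1401 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 30 12:48:06 web sshd[999]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# Meaning of the apparmor= status field, as discussed in the thread.
STATUS_MEANING = {
    "AUDIT": "allowed, logged because an audit rule matched",
    "ALLOWED": "would be denied in enforce mode, allowed by complain mode",
    "DENIED": "denied by the profile",
}

# key="quoted value" or key=bare_value; the audit(...) timestamp has no '='
# and is therefore skipped automatically.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one AppArmor event, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        rec[key] = quoted if quoted else bare
    return rec


def file_events(log_text, profile=None):
    """All AppArmor events in log_text, optionally restricted to one profile."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if profile is not None and rec.get("profile") != profile:
            continue
        events.append(rec)
    return events


def access_happened(rec):
    """True if the kernel let the access through (audit rule or complain mode)."""
    return rec.get("apparmor") in ("AUDIT", "ALLOWED")


def status_counts(log_text, profile=None):
    """How many events of each status the profile produced."""
    counts = {}
    for rec in file_events(log_text, profile):
        status = rec.get("apparmor", "?")
        counts[status] = counts.get(status, 0) + 1
    return counts


def php_writes(log_text, profile=None):
    """(status, path) for every *.php file a write ('w') was requested on."""
    out = []
    for rec in file_events(log_text, profile):
        name = rec.get("name", "")
        if name.endswith(".php") and "w" in rec.get("requested_mask", ""):
            out.append((rec["apparmor"], name))
    return out


if __name__ == "__main__":
    for status, count in sorted(status_counts(SAMPLE_LOG, APACHE_PROFILE).items()):
        print("%-8s %d  (%s)" % (status, count, STATUS_MEANING.get(status, "unknown")))
    for status, path in php_writes(SAMPLE_LOG, APACHE_PROFILE):
        print("php write: %s  status=%s" % (path, status))
```

To run it on a real machine, feed the contents of /var/log/kern.log (or the audit log, if auditd is running) in place of SAMPLE_LOG; an 'audit' rule that is working shows up as AUDIT entries, while the complain-mode workaround from the thread shows up as ALLOWED entries with a denied_mask.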
