[apparmor] Problem with audit rule modifier
John Johansen
john.johansen at canonical.com
Sun Jun 30 22:25:03 UTC 2013
On 06/30/2013 06:44 AM, azurIt wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm having problems with the audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>>>>>>>>>>> audit /home/** a,
>>>>>>>>>>> audit /home/** w,
>>>>>>>>>> By only logging you mean logging of an access but not granting permission?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>
>>>>>>>> OK, I just wanted to be sure, as we have had misunderstandings before around audit, with people expecting it to only change the auditing behavior and not grant permissions.
>>>>>>>>
>>>>>>>> i.e. audit /** w,
>>>>>>>>
>>>>>>>> as a rule to catch any writes regardless of what the other rules are. It would be a nice ability to have, but the language doesn't allow specifying only the audit behavior like this atm.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>
>>>>>>>>>> These two rules were necessary to get logging in complain mode?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Well, I just read in the docs that 'w' also implies 'a', so only the second line is necessary. But yes, I had to use 'audit deny' for logging to work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>>>>>
>>>>>>>> Okay
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>>
>>>>>>>>>> It is not known.
>>>>>>>>>>
>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here is the complete profile (I already removed that 'a' line and tested it):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>   network,
>>>>>>>>>   capability,
>>>>>>>>>   file,
>>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> As I said, I'm running this in complain mode because I don't want to deny the action on the last line. I want to use AppArmor only for logging access to files via PHP (I will be processing that log later).
>>>>>>>>>
>>>>>>>> Can you please provide the following information to help us diagnose the problem?
>>>>>>>>
>>>>>>>> Kernel version: use the command uname -a
>>>>>>>> Parser version: use the command apparmor_parser -v
>>>>>>>> State dump from the compiler: use the command
>>>>>>>> apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>
>>>>>>>> Compiled output of your profile: use either of the following commands:
>>>>>>>> apparmor_parser -S profile_file > output_file
>>>>>>>> apparmor_parser -o output_file profile_file
>>>>>>>>
>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>> * profile_file is the file name where your profile is stored.
>>>>>>>> * states_file and output_file are just files that the output will be dumped in, so that you can attach them.
>>>>>>>
>>>>>>> Kernel version: 3.2.47
>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>> oops sorry
>>>>>>
>>>>>>> The client software consists of packages from Debian Wheezy running on Debian Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>
>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, or Ubuntu?
>>>>>
>>>>> It's a vanilla kernel downloaded directly from kernel.org + grsecurity from grsecurity.org.
>>>>>
>>>>>>> Attaching 3 files from those 3 commands. The last two commands printed this warning (probably ok):
>>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>>>>>>>
>>>>>> Yes, that is fine, but thanks for the heads up.
>>>>>>
>>>>>>> To avoid misunderstanding: I'm currently using this profile (in complain mode):
>>>>>>>
>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>   network,
>>>>>>>   capability,
>>>>>>>   file,
>>>>>>>   audit deny /home/**/*.php w,
>>>>>>> }
>>>>>>>
>>>>>>> But I WANT to use this profile (not in complain mode):
>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>   network,
>>>>>>>   capability,
>>>>>>>   file,
>>>>>>>   audit /home/**/*.php w,
>>>>>>> }
>>>>>>>
>>>>>>> Logging is working only in the first one, so I'm forced to use it instead of the second one. Hope I'm clear enough. Thank you.
>>>>>>>
>>>>>> Okay, the output of the compiler for the first one looks good, I still need to look at the kernel side (waiting for confirmation on the patchset there).
>>>>>>
>>>>>> Can you attach the same set of compiler output for the second profile (without the deny) so I can check it as well?
>>>>>
>>>> Thanks.
>>>>
>>>> So commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba, which first showed up in v3.4, looks like it might fix this for you.
>>>>
>>>> Also, would you be interested in a backport version of AppArmor to the 3.2 kernel? Basically, we now have the current upstream v3.10 version backported to 3.2 as a drop-in replacement (no ABI changes, or touching the rest of the kernel tree). The 3.10 version has several bug fixes that are not present in the 3.2 kernel version.
>>>
>>>
>>> This would be really cool if you'd be so kind :) I cannot move away from 3.2 yet because of grsecurity (the stable version is currently for 3.2). Thank you!
>>>
>> There is a v3.2-backport-of-v3.10-apparmor branch at
>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>
>> It's done as a copy of the v3.10 kernel AppArmor into v3.2 (first patch) and
>> then the series of patches needed to make it work on 3.2.
>>
>>
>> Specifically, you want:
>> The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>
>> Linux 3.2 (2013-06-30 05:22:04 -0700)
>>
>> are available in the git repository at:
>>
>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>
>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>
>> UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece (2013-06-30 05:22:20 -0700)
>
>
> Sorry, I'm not very experienced with git. I downloaded that branch by:
> git clone -b v3.2-backport-of-v3.10-apparmor git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>
> but I don't know what to do next - how can I 'filter' commits from '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to '958b96ce2184a526dd83b7725d498acc5f99425c'?
>
You can dump out the patches by changing into the git tree's directory and then doing
git format-patch 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c -o patches/
The patches directory can be named anything you want and has to be created before the git command; if you leave off the -o patches bit, it will dump the series into your cwd, which can be a bit of a mess since it's 19 patches here.
Each of the patches will start with a number 0001-, 0002-, ... in the order they are supposed to be supplied.
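As an added example, not part of the thread: a throwaway repository that shows what the FIRST..LAST range in the `git format-patch` command above selects (the start commit is excluded, the end commit included) and how the output files are numbered. Locally created commits stand in for the 877fcbee... and 958b96ce... ids; git must be on the PATH.

```sh
#!/bin/sh
# Added example, not from the thread: builds a throwaway repository so the effect of
# `git format-patch FIRST..LAST -o patches/` can be seen offline. Locally created
# commits stand in for 877fcbee... (range start) and 958b96ce... (range end).
set -e

# Creates a repo with one base commit plus N follow-up commits, exports the
# follow-ups as a patch series and prints the generated file names, one per line.
make_patch_series() {
    n="$1"
    work=$(mktemp -d)
    (
        cd "$work"
        git init -q repo
        cd repo
        git config user.name "example"
        git config user.email "example@example.invalid"
        echo base > f
        git add f
        git commit -q -m "base commit"
        base=$(git rev-parse HEAD)          # plays the role of 877fcbee...
        i=1
        while [ "$i" -le "$n" ]; do
            echo "change $i" >> f
            git commit -q -am "backport patch $i"
            i=$((i + 1))
        done
        tip=$(git rev-parse HEAD)           # plays the role of 958b96ce...
        # BASE..TIP means "reachable from TIP but not from BASE": the base commit
        # itself is excluded and exactly the N follow-ups are written, numbered
        # 0001-, 0002-, ... in the order they are meant to be applied.
        mkdir patches
        git format-patch -q "$base..$tip" -o patches/
        ls patches
    )
    rm -rf "$work"
}

make_patch_series 3
```

Running it prints three file names, 0001-backport-patch-1.patch through 0003-backport-patch-3.patch; the base commit produces no patch.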