[apparmor] Linked profiles in complain mode

Seth Arnold seth.arnold at canonical.com
Tue Jul 26 18:21:05 UTC 2016


On Tue, Jul 26, 2016 at 12:50:38PM +0100, Mark Wadham wrote:
> aa-status shows:
> 
> 9 profiles are in complain mode.
>    /usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda
>    /usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf
>    /usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf//null-/usr/lib/dovecot/dovecot-lda
>    /usr/sbin/exim4//null-/usr/sbin/exim4
>    /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda
>    /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf
>    /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf//null-/usr/lib/dovecot/dovecot-lda
>    /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4
>    /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4
> 
> 
> What are these and how can I set them to enforce mode?  Do I have to create
> links in the various profiles in order to link them to the child things
> they're calling or something like that?

Hi Mark,

These //null- profiles are created automatically by the AppArmor mechanism
in the kernel when using complain mode profiles. Every new execve() gets
one of these, and the name indicates the path of executions that was
taken. The longest one:

> /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf//null-/usr/lib/dovecot/dovecot-lda

This shows exim4 launched exim4, which launched dovecot-lda, which
launched doveconf, which launched dovecot-lda.

These more complicated profiles are automatically generated and all
accesses by those processes are emitted with these profiles, so that
aa-logprof and aa-genprof can reconstruct the series of accesses used,
and offer you the choice to 'inherit' or 'child' or 'px' or 'unconfined'
for that execution and properly attribute these accesses to your choice
of profiles.

(Sorry for the run-on sentence.)

I'm surprised that they survived as long as they have, but we've seen this
happen from time to time. As the tools improve this should happen less
frequently.

Your next steps should probably be:

- Inspect the exim4 profile and make sure that it has proper ix/cx/px etc
  rules for exim4 and dovecot-lda
- Inspect the dovecot-lda profile and make sure that it has the proper
  ix/cx/px rules for doveconf and dovecot-lda
- Inspect the doveconf profile and make sure that it has the proper
  ix/cx/px rules for dovecot-lda
- Unload these profiles by hand:

echo '/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf//null-/usr/lib/dovecot/dovecot-lda {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4 {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf//null-/usr/lib/dovecot/dovecot-lda {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4 {}' | apparmor_parser --remove
echo '/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/sbin/exim4 {}' | apparmor_parser --remove

Thanks
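As an added example (not from Seth's message or from the AppArmor project), the script below does the two things described above in POSIX sh: it decodes the execve() chain encoded in a //null- profile name, and it turns the complain-mode section of `aa-status` output into the `name {}` stubs that `apparmor_parser --remove` expects. The aa-status listing is constructed for the example; the run is a dry run that prints the removal commands instead of executing them.

```shell
#!/bin/sh
# Constructed aa-status output, modelled on the listing in the question
# (not captured from a real host). The last line is a process entry that
# carries a //null- name and must NOT be turned into a removal stub.
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
1 profiles are in enforce mode.
   /usr/sbin/ntpd
4 profiles are in complain mode.
   /usr/sbin/exim4
   /usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda
   /usr/sbin/exim4//null-/usr/sbin/exim4
   /usr/sbin/exim4//null-/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda
1 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /usr/sbin/exim4//null-/usr/sbin/exim4 (1234)'

# Split a //null- profile name into the execve() chain it encodes,
# one executable per line, outermost parent first.
exec_chain() {
    rest=$1
    while :; do
        case $rest in
            *//null-*) printf '%s\n' "${rest%%//null-*}"; rest=${rest#*//null-} ;;
            *)         printf '%s\n' "$rest"; break ;;
        esac
    done
}

# Read aa-status output on stdin and print one "name {}" stub per //null-
# profile listed under the complain-mode *profiles* heading; the enforce
# section and the per-process sections are skipped.
null_profile_stubs() {
    awk '
        /^[0-9]+ profiles are in complain mode/ { want = 1; next }
        /^[0-9]+ (profiles|processes) /         { want = 0; next }
        want && /\/\/null-/ { sub(/^[ \t]+/, ""); print $0 " {}" }
    '
}

# Dry run over the sample: show the chain behind each stub and the command
# that would unload it. To unload for real, feed `aa-status` in place of
# SAMPLE_STATUS and drop the leading echo.
printf '%s\n' "$SAMPLE_STATUS" | null_profile_stubs | while IFS= read -r stub; do
    echo "# exec chain: $(exec_chain "${stub%% *}" | paste -sd '>' -)"
    echo "echo '$stub' | apparmor_parser --remove"
done
```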