[apparmor] program with a space in the name results in hashes where names should be
Seth Arnold
seth.arnold at canonical.com
Thu Jul 28 18:36:03 UTC 2016
On Thu, Jul 28, 2016 at 11:38:38AM -0500, Jamie Strandboge wrote:
> On Thu, 2016-07-28 at 14:19 +0100, Mark Wadham wrote:
> > I tried to write an apparmor profile for plex media server, which has a
> > binary with spaces in the name.
> > > [ 9551.412776] audit: type=1400 audit(1469711661.099:16933):
> > > apparmor="ALLOWED" operation="recvmsg"
> > > profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D656469
> > > 61205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665
> > > 722F506C657820444C4E4120536572766572
> > > pid=25858 comm=506C657820444C4E41205365727665 lport=1900 family="inet"
> > > sock_type="dgram" protocol=17 requested_mask="receive"
> > > denied_mask="receive"
> > Am I doing something wrong or is this just not very well supported yet?
Just a note that this hex-encoded output is intentional, to avoid
attackers accessing files with names like:
/foo/bar/baz
[11111.1] audit: type=1400 audit(150000000):
apparmor="ALLOWED" operation="file_write" name="/etc/shadow" comm="bash"
profile="user_shell"
...
If we didn't heavily restrict the allowed characters in the logs, it'd be
too easy to confuse log readers.
The downside is that you do have to use aa-decode or similar tools to find
out the actual name that was used.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160728/3790b158/attachment.pgp>
More information about the AppArmor
mailing list