[apparmor] program with a space in the name results in hashes where names should be

Seth Arnold seth.arnold at canonical.com
Thu Jul 28 18:36:03 UTC 2016


On Thu, Jul 28, 2016 at 11:38:38AM -0500, Jamie Strandboge wrote:
> On Thu, 2016-07-28 at 14:19 +0100, Mark Wadham wrote:
> > I tried to write an apparmor profile for plex media server, which has a 
> > binary with spaces in the name.
> > > [ 9551.412776] audit: type=1400 audit(1469711661.099:16933): 
> > > apparmor="ALLOWED" operation="recvmsg" 
> > > profile=2F7573722F6C69622F706C65786D656469617365727665722F506C6578204D656469
> > > 61205365727665722F2F6E756C6C2D2F7573722F6C69622F706C65786D656469617365727665
> > > 722F506C657820444C4E4120536572766572 
> > > pid=25858 comm=506C657820444C4E41205365727665 lport=1900 family="inet" 
> > > sock_type="dgram" protocol=17 requested_mask="receive" 
> > > denied_mask="receive"

> > Am I doing something wrong or is this just not very well supported yet?

Just a note that this hex-encoded output is intentional, to avoid
attackers accessing files with names like:

/foo/bar/baz
[11111.1] audit: type=1400 audit(150000000):
apparmor="ALLOWED" operation="file_write" name="/etc/shadow" comm="bash"
profile="user_shell"


...

If we didn't heavily restrict the allowed characters in the logs, it'd be
too easy to confuse log readers.

The downside is that you do have to use aa-decode or similar tools to find
out the actual name that was used.

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160728/3790b158/attachment.pgp>


More information about the AppArmor mailing list