[apparmor] rkhunter profile oddities

John Johansen john.johansen at canonical.com
Thu Jul 16 21:51:24 UTC 2020


On 7/16/20 12:36 PM, mailinglisten at posteo.de wrote:
> Hi there!
> 
> I created a very simple profile to confine rkhunter (version numbers below).
> 
> This profile contains /** r,  to be sure, everything can be read by
> rkhunter.
> 
> Despite using /** r,  I get plenty of these error messages:
> 
> Profile: /usr/bin/rkhunter
> Operation: getattr
> Name: usr/sbin/ModemManager
> Denied: r
> Logfile: /var/log/audit/audit.log
> (3 found, most recent from 'Thu Jul 16 19:51:22 2020')
> 
> Profile: /usr/bin/rkhunter
> Operation: getattr
> Name: usr/sbin/NetworkManager
> Denied: r
> Logfile: /var/log/audit/audit.log
> (3 found, most recent from 'Thu Jul 16 19:51:22 2020')
> 
> As you can see, at "Name" the slash is missing; it should be
> Name: /usr/sbin/ModemManager
> Name: /usr/sbin/NetworkManager
> 
> Instead, as you can see, apparmor reports:
> 
> Name: usr/sbin/ModemManager
> Name: usr/sbin/NetworkManager
> 
> 
> Is this probably an error in rkhunter and not in apparmor?
> My guess is, rkhunter tries to access files like
> 
> usr/sbin/ModemManager
> usr/sbin/NetworkManager
> usr/lib/upower/upowerd
> usr/lib/bluetooth/bluetoothd
> 
> without the leading slash.
> 
This indicates the object/file is disconnected from the task's mount namespace.

These objects/files could not be opened by the task and were either inherited, passed in via fd passing over unix sockets, or opened before the task changed its mount namespace.

AppArmor does not deal with these objects/files well atm. There are long-term plans but the fixes will take a while to land.

Atm the only way to deal with them is to add the profile flag 'attach_disconnected' to the profile. Warning: this is a hack and does reduce profile security.

profile example flags=(attach_disconnected) {..}

This will attach these files to the task's namespace by adding a leading '/' character.

In the near term you will be able to control what gets prepended by attach_disconnected, but the real fixes are still at least 6-12 months out.


> What do you think, broken rkhunter, forgetting the leading slash?
It's not rkhunter, it's the kernel, and it is deliberate.


> 
> Versions used:
> apparmor-parser, apparmor-utils  2.13.4
> Kernel 5.7.7
> rkhunter 1.4.6
> 
> Thanks!
> 
> 
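As an added example (not code from the thread, from rkhunter or from the AppArmor project), the script below parses denial summaries in the aa-notify style quoted above, separates names that lack the leading '/' (the disconnected-path case John describes) from ordinary absolute paths, and builds the profile's opening line with `flags=(attach_disconnected)` only when the summaries actually show disconnected names. The sample input is constructed; the `/etc/shadow` record is made up for contrast and is not from the original report.

```python
"""Spot disconnected paths in AppArmor denial summaries.

Added example, not part of the mailing-list thread or of AppArmor itself.
Input format assumed: the aa-notify style records quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format quoted in the thread; the third record
# is an invented ordinary denial so both cases are exercised.
SAMPLE = """\
Profile: /usr/bin/rkhunter
Operation: getattr
Name: usr/sbin/ModemManager
Denied: r
Logfile: /var/log/audit/audit.log
(3 found, most recent from 'Thu Jul 16 19:51:22 2020')

Profile: /usr/bin/rkhunter
Operation: getattr
Name: usr/sbin/NetworkManager
Denied: r
Logfile: /var/log/audit/audit.log
(3 found, most recent from 'Thu Jul 16 19:51:22 2020')

Profile: /usr/bin/rkhunter
Operation: open
Name: /etc/shadow
Denied: r
Logfile: /var/log/audit/audit.log
(1 found, most recent from 'Thu Jul 16 19:51:22 2020')
"""

FIELD_RE = re.compile(r"^(Profile|Operation|Name|Denied|Logfile): (.+)$")
COUNT_RE = re.compile(r"^\((\d+) found")


def parse_summaries(text: str) -> List[Dict[str, object]]:
    """Split blank-line separated records into dicts keyed by lower-cased field name."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            current["count"] = int(m.group(1))
    if current:
        records.append(current)
    return records


def is_disconnected(name: str) -> bool:
    """A name with no leading '/' was not resolvable in the task's mount namespace."""
    return not name.startswith("/")


def classify(records: List[Dict[str, object]]) -> Tuple[List[str], List[str]]:
    """Return (disconnected names, ordinary absolute paths), sorted and de-duplicated."""
    names = [str(r.get("name", "")) for r in records]
    disconnected = sorted({n for n in names if n and is_disconnected(n)})
    ordinary = sorted({n for n in names if n and not is_disconnected(n)})
    return disconnected, ordinary


def profile_header(profile_path: str, disconnected: List[str]) -> str:
    """Opening line of the profile; the flag is added only when disconnected names were seen."""
    if disconnected:
        return f"{profile_path} flags=(attach_disconnected) {{"
    return f"{profile_path} {{"


if __name__ == "__main__":
    recs = parse_summaries(SAMPLE)
    disc, plain = classify(recs)
    print("disconnected:", disc)  # names the profile's /** r rule cannot match as written
    print("ordinary:", plain)     # normal path denials, handled with ordinary rules
    print(profile_header("/usr/bin/rkhunter", disc))
```

The split matters for review: the ordinary denials are fixed with normal path rules, while the disconnected list shows exactly which objects the flag would reattach under '/', which is what a reviewer should weigh against the reduced confinement John mentions before adding it.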
