[apparmor] Logging in AppArmor

John Johansen john.johansen at canonical.com
Tue Mar 2 01:13:18 UTC 2021


On 3/1/21 6:31 AM, Indhuja A V S wrote:
> Hello,
> 
> While using aa-logprof (AppArmor version 2.13.4), there were a few mentions of "audit[ID]:" and "kernel: audit:" for the same capability (dac_override) in journalctl. Could someone please let me know the difference between them? Why are 2 lines getting logged for dac_override alone?
> 

The AppArmor kernel module uses the audit subsystem to log the events it generates. The audit subsystem will add audit ids and some other info. E.g. straight out of dmesg (that is, in a case with the audit subsystem dumping to dmesg):

[475351.057678] audit: type=1107 audit(1614589597.462:649): pid=9735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" ...

Everything before the apparmor="DENIED" is added by the audit subsystem. The why is that it's the formatting they have chosen, partly for ease of tool parsing and partly to make it easier for humans to pick certain things out.

Contrast this with another message (same kernel, boot, etc.); you see the same basic header but some info missing:

[472222.249207] audit: type=1400 audit(1614586468.602:624): apparmor="ALLOWED" ...


So now to why you are getting 2 lines for dac_override alone. I don't know, especially without seeing the messages, but I can give you some possible reasons.

The messages are coming from different sources. Look at the audit type=XXX; if they are different, this is the case. Even if they are the same they could be coming from components.

Are the messages identical? If not they could be for different tasks, or cred combinations.

Are there messages interleaved in between? AppArmor does not permanently cache capability denials. It will cache recent denials to prevent repeating the same message right away, but there are events that can clear previously cached entries, resulting in multiple log messages that look the same. A good example for this is dac_override: an application can easily generate millions of these requests if it is traversing a directory tree. It is not uncommon for the caching to cycle and to get a few similar messages out.

Another possibility (though not for dac_override) is that AppArmor does a cross check for permission requests between tasks (e.g. ipc), and you could get a log message from each task.



> Thanks and regards
> Indhuja
> 



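An added example in Python (not from the reply above or from the AppArmor project): a small parser for the audit header and the AppArmor key=value payload, handling the msg='...' wrapper of the type=1107 record, plus a summary that applies the checks suggested in the reply (differing audit types, differing tasks, identical repeats) to the denials of one capability. The sample records are constructed; the profile name, pids and the second 1400 record are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs; profile name and pids are made up). type=1400 is
# the kernel's own record; type=1107 carries an extra pid/uid/auid/ses header and nests the
# AppArmor payload inside msg='...'.
PAYLOAD = ('apparmor="DENIED" operation="capable" profile="/usr/sbin/example" '
           'pid=%d comm="example" capability=1 capname="dac_override"')
SAMPLE_LINES = [
    "audit: type=1400 audit(1614586468.602:624): " + PAYLOAD % 9735,
    "audit: type=1107 audit(1614589597.462:649): pid=9735 uid=103 auid=4294967295 "
    "ses=4294967295 msg='%s'" % (PAYLOAD % 9735),
    "audit: type=1400 audit(1614586470.100:630): " + PAYLOAD % 9735,  # cache cycled
    "audit: type=1400 audit(1614586471.000:631): " + PAYLOAD % 9800,  # another task
]

# Header the audit subsystem prepends: record type, timestamp and per-boot serial.
# search() lets dmesg "[sec]" or journalctl "host kernel:" prefixes pass through.
HEADER_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_audit_line(line):
    """Return {'type', 'ts', 'serial', 'fields'} for one record, or None if not an audit line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        if key == "msg" and value.startswith("'"):
            # userspace (type=1107) records nest the AppArmor key=value pairs in msg='...'
            fields.update((k, v.strip('"')) for k, v in KV_RE.findall(value[1:-1]))
        else:
            fields[key] = value.strip("\"'")
    return {"type": int(m.group("type")), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def summarize_capability(lines, capname):
    """Apply the reply's checks to every denial of one capability: source, task, repeats."""
    events = [e for e in map(parse_audit_line, lines) if e and e["fields"].get("capname") == capname]
    types = sorted({e["type"] for e in events})
    tasks = {(e["fields"].get("profile"), e["fields"].get("pid")) for e in events}
    payloads = defaultdict(int)  # same type and identical payload; only timestamp/serial differ
    for e in events:
        payloads[(e["type"], tuple(sorted(e["fields"].items())))] += 1
    repeats = sum(1 for n in payloads.values() if n > 1)
    reasons = [why for hit, why in (
        (len(types) > 1, "different sources: audit types %s" % types),
        (len(tasks) > 1, "different tasks: %d distinct profile/pid pairs" % len(tasks)),
        (repeats > 0, "identical records repeated (denial cache cycled)")) if hit]
    return {"events": len(events), "types": types, "tasks": len(tasks), "repeats": repeats, "reasons": reasons}
```

Feed it the output of `journalctl -k` or `dmesg` line by line to see which of the three explanations fits your own dac_override pair.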