Bugzilla – Bug 546618
logprof/genprof don't work - changed audit.log format
Last modified: 2011-05-25 16:14:13 UTC
(using 11.2 M8 + packages from http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/540525)
logprof and genprof don't add anything to the profile - for me their behaviour looks as if they would read /dev/null instead of /var/log/audit/audit.log :-(
    # LANG=C aa-logprof
    Reading log entries from /var/log/audit/audit.log.
    Updating AppArmor profiles in /etc/apparmor.d.
    # (end)
I _have_ several lines in audit.log that should cause logprof to ask what to do with these events.
The same happens with genprof - it just creates a very small default profile, but does not ask about any of the entries in audit.log.
I doubt logprof and genprof really read from /dev/null, so there must be something else. I just compared the audit.log from 11.1 and 11.2. Here are example lines for each:
11.1
    type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): operation="file_permission" requested_mask="::w" fsuid=30 name="/home/www/some.host/some.file" pid=2484 parent=20025 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
11.2
    type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): operation="file_perm" pid=11537 parent=11536 profile="/home/sys-tmp/test//null-2d" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2"
-> the log format has changed!
- different order (pid and parent are now after operation, requested_mask and denied_mask are now after profile, ouid added, ...)
- different keywords for operation (file_permissions vs. file_perm, new(?) keyword "open", ...)
- the //null-2d hat in the 11.2 log line looks also new to me
- maybe other changes
Please update logprof and genprof to understand the new log format.
BTW: To verify this, I copied an audit.log from 11.1 to my 11.2 system - logprof started to ask the usual questions when given this log. So the bug here is really caused by the log format change.
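Added example, not part of the bug report and not AppArmor's own code: a key-based parse of the two audit.log lines quoted in the comment above, showing that both formats yield the same fields once field order is ignored and the operation keyword is normalized. The function names, the alias map and the owner/other reading of the `::` mask are assumptions made for illustration.

```python
import re

# Constructed sample input: the two log lines quoted in the report above.
LINE_11_1 = ('type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): '
             'operation="file_permission" requested_mask="::w" fsuid=30 '
             'name="/home/www/some.host/some.file" pid=2484 parent=20025 '
             'profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"')
LINE_11_2 = ('type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): '
             'operation="file_perm" pid=11537 parent=11536 '
             'profile="/home/sys-tmp/test//null-2d" requested_mask="r::" '
             'denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2"')

# Assumption: alias inferred only from the two sample lines, not a full list.
OPERATION_ALIASES = {"file_permission": "file_perm"}

HEADER = re.compile(r'type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_mask(mask):
    """Split 'owner::other' into a pair (assumed meaning of the '::' form)."""
    owner, _, other = mask.partition("::")
    return owner, other

def parse_event(line):
    """Parse one AppArmor audit line by key, ignoring field order."""
    m = HEADER.match(line)
    if not m or not m.group("type").startswith("APPARMOR"):
        return None
    # Key lookup makes reordered or added fields (ouid, denied_mask) harmless.
    f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    profile, _, hat = f.get("profile", "").partition("//")
    op = f.get("operation", "")
    return {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "operation": OPERATION_ALIASES.get(op, op),
        "profile": profile,
        "hat": hat or None,
        "null_hat": hat.startswith("null-"),
        "requested": split_mask(f.get("requested_mask", "")),
        "name": f.get("name"),
        "pid": int(f["pid"]) if "pid" in f else None,
    }

if __name__ == "__main__":
    for sample in (LINE_11_1, LINE_11_2):
        print(parse_event(sample))
```

A parser that matches fields by position instead of by key would silently skip the 11.2 line, which is the symptom the report describes.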
Ok, new test packages for you. These include the fix from bnc#540525, though I suppose that's obvious since there wouldn't be a lot of testing to do with a genprof that crashed again. ;) http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/546618
Thanks for the test packages. They fix at least read and write permissions, but execute permissions are still not seen by genprof and logprof.
I'm generating a profile for this testscript:
    #!/bin/bash
    echo "Hello World!" > /tmp/hello.txt
    cat /tmp/hello.txt
    rm /tmp/hello.txt
This is the resulting profile after a genprof run: (Note: I have a symlink /tmp -> /home/sys-tmp)
    #include <tunables/global>
    /home/cb/linuxtag/scripts/hello {
      #include <abstractions/base>
      #include <abstractions/bash>
      /bin/bash ix,
      owner /home/cb/linuxtag/scripts/hello r,
      owner /home/sys-tmp/hello.txt w,
      ^null-3d {
        #include <abstractions/base>
        owner /home/sys-tmp/hello.txt r,
      }
      ^null-3f {
        #include <abstractions/base>
      }
    }
Issues with this profile:
- no execute permissions for rm and cat
- the null-* hats are strange and get different names with each run of the script. This means the audit.log is spammed and logprof will ask to create lots of hats (two per script run). It probably also means that the script will get a "permission denied" because of a missing ^null-$RANDOM hat - however I can't test this because of the missing execute permissions for cat and rm
- no permissions for /dev/tty and /dev/pts/* (aka abstractions/consoles)
This is how the profile should look like (hand-written, doesn't cause any audit.log entries):
    #include <tunables/global>
    /home/cb/linuxtag/scripts/hello {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles> # added
      /bin/bash ix,
      /bin/cat ix, # added
      /bin/rm ix, # added
      owner /home/cb/linuxtag/scripts/hello r,
      owner /home/sys-tmp/hello.txt rw, # merged with permissions from hats
      # all null-* hats removed
    }
To speed up testing, please consider testing genprof with my little testscript until you get a profile which doesn't cause audit.log entries anymore. Of course I'm willing to do more tests if needed, but I guess that testing with my script is faster than uploading test packages ;-)
*ping* Jeff, any news on the apparmor tools?
No, not yet. I thought I updated this report, but I must've closed my browser without saving. I'm able to reproduce the problem - with loads of those null subprofiles, but I haven't had time to track it down yet.
Update released for: libapparmor1 Products: openSUSE 11.2 (debug, i586, x86_64)
Jeff, any news on the apparmor tools?
Sorry, no. I'm pretty far behind on bug triage and kernel bugs.
Bump :D Sorry to pester you Jeff, but is there anything new regarding that subject?
This is still valid for 11.3 and 11.4.
I expect this to be fixed for 11.4 with the AppArmor 2.5 update. I'm still working out all the kinks on getting it to build from one package, as it needs libtool to link internally and Perl MakeMaker can be a pain to combine with it.
(In reply to comment #10)
> I expect this to be fixed for 11.4 with the AppArmor 2.5 update.
Good to hear this :-)
BTW: The GPG key of the security:apparmor:factory repo is expired. You should be able to extend it with
    osc signkey --extend
Just FYI: I upgraded to the 2.5.1 packages [1] on my 11.3 system, and ran genprof for the test script in comment #2. Good news: the resulting profile looks exactly as it should and it even works :-)
I'm looking forward to having 2.5.1 in Factory, and I'd propose to release the new version as an online update for 11.2 and 11.3. (Yes, I know version updates shouldn't happen via online update, but I think this one would be worth an exception.)
[1] I updated only some apparmor packages for now.
    updated to 2.5: apparmor-utils, apparmor-parser, perl-apparmor, libapparmor1
    still on 2.3: pam_apparmor, apparmor-profiles, pam_apparmor-32bit, libapparmor1-32bit, apparmor-docs
Ok, this is essentially fixed for factory -- but is still awaiting the package checkin. I'll revisit once that's done.
The package has been checked in and one more issue with logprof/genprof has been addressed. Closing as FIXED.
Verified, thanks for working on the AppArmor update! FYI: I opened bug 668311 to request a maintenance update for 11.3 (and maybe also 11.2, not sure if it has the same problem).
*** Bug 685833 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (546618) was mentioned in https://build.opensuse.org/request/show/66428 https://build.opensuse.org/request/show/66453
Update released for: apparmor-utils Products: openSUSE 11.2 (i586)
Update released for: apparmor-utils Products: openSUSE 11.3 (i586)
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, libapparmor1-32bit, libapparmor1-debuginfo, libapparmor1-debuginfo-32bit, libapparmor1-debuginfo-x86, libapparmor1-debugsource, libapparmor1-x86, perl-libapparmor Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)