kernel-packages team mailing list archive

Thread
Date
[Bug 1545776] Re: 14.04 kernel does not log exec properly and aa-logprof fails

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Peter Maloney <1545776@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Feb 2016 13:13:10 -0000
Reply-to: Bug 1545776 <1545776@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
btw, not sure why I was using 3.13.0-32 before... I also tested it with
the latest, with same result

# uname -a
Linux apparmortest 3.13.0-77-generic #121-Ubuntu SMP Wed Jan 20 10:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# tail -f /var/log/audit.log
[...]
type=AVC msg=audit(1455628235.420:56): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=1692 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
[...]

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1545776

Title:
  14.04 kernel does not log exec properly and aa-logprof fails

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec
  properly in audit.log when in complain mode, so aa-logprof will not
  work.

  Here is test.bash
  -------------
  #!/bin/bash

  echo "hi"
  ls /tmp
  find /tmp
  -------------

  Here is /etc/apparmor.d/root.tmp.test.bash (which was created with aa-genprof and edited with aa-logprof):
  -------------
  # Last Modified: Mon Feb 15 16:05:05 2016
  #include <tunables/global>

  /root/tmp/test.bash flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/user-tmp>

    /bin/ls r,
    /proc/filesystems r,
    /proc/meminfo r,
    /root/tmp/ r,
    /root/tmp/test.bash r,
    /tmp/** rwlk,
    /usr/bin/find r,

  }
  -------------

  
  Here are the results in audit.log with a stock kernel, and a vanilla+grsecurity 4.3.5 kernel:

  # uname -a
  Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  enforce mode:
  -------------
  type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=AVC msg=audit(1455548893.573:18247): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=9768 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.573:18247): arch=c000003e syscall=59 success=no exit=-13 a0=8c2908 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9768 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  [this is full output]
  -------------

  complain mode:
  -------------
  type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
  type=SYSCALL msg=audit(1455548922.473:18249): arch=c000003e syscall=59 success=yes exit=0 a0=10c6d88 a1=10c6988 a2=10c7c08 a3=7fff57ced540 items=0 ppid=9771 pid=9772 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
  [... much longer...]]
  -------------


  # uname -a
  Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 x86_64 x86_64 GNU/Linux

  enforce
  -------------
  type=AVC msg=audit(1455549782.598:50): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1710 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:50): arch=c000003e syscall=59 success=no exit=-13 a0=d9eb88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1710 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:50): proctitle=2F62696E2F62617368002E2F746573742E62617368
  type=AVC msg=audit(1455549782.598:51): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1711 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:51): arch=c000003e syscall=59 success=no exit=-13 a0=d9ee88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1711 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:51): proctitle=2F62696E2F62617368002E2F746573742E62617368
  -------------

  complain
  -------------
  type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
  type=SYSCALL msg=audit(1455549804.810:57): arch=c000003e syscall=59 success=yes exit=0 a0=20ddd08 a1=20dcb88 a2=20dcc08 a3=76f9147845e0 items=0 ppid=1749 pid=1750 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="ls" exe="/bin/ls" key=(null)
  -------------

  
  Notice that the name="/bin/ls" is in the enforce mode log for both kernels, and in the complain mode log for kernel 4.3.5. It is missing from the complain mode kernel 3.13.


  And another problem I found while failing to reproduce the above
  problem. This was with a profile made with aa-genprof on the bash
  executable (copied to ~/tmp/), without any more rules added. I could
  not reproduce this problem with the grsec kernel, so I'll just report
  them together.

  -------------
  # aa-logprof
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.
  Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 54, in <module>
      apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
      log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
      self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
      raise AppArmorException(_('Log contains unknown mode %s') % rmask)
  apparmor.common.AppArmorException: 'Log contains unknown mode '
  -------------

  the problem line (requested_mask and denied_mask are blank):
  -------------
  type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
  -------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1545776/+subscriptions
References

[Bug 1545776] [NEW] 14.04 kernel does not log exec properly and aa-logprof fails
From: Peter Maloney, 2016-02-15