
kernel-packages team mailing list archive

[Bug 1545776] Re: 14.04 kernel does not log exec properly and aa-logprof fails

 

On Ubuntu 15.10 (4.2.0-16-generic) aa-genprof creates a similarly broken
profile.

On Ubuntu 16.04 beta 2 (4.4.0-15-generic) the "name" field is now
present in syslog when operation="exec" and aa-genprof gives
/usr/bin/find cx permission and creates a child profile. Running the
profile in enforce mode is successful.

Any chance whatever was done to fix it in the kernel can be backported
to 14.04 and 12.04 since most users will probably be stuck with those
versions for a long time to come?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1545776

Title:
  14.04 kernel does not log exec properly and aa-logprof fails

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec
  properly in audit.log when in complain mode, so aa-logprof will not
  work.

  Here is test.bash
  -------------
  #!/bin/bash

  echo "hi"
  ls /tmp
  find /tmp
  -------------

  Here is /etc/apparmor.d/root.tmp.test.bash (which was created with aa-genprof and edited with aa-logprof):
  -------------
  # Last Modified: Mon Feb 15 16:05:05 2016
  #include <tunables/global>

  /root/tmp/test.bash flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/user-tmp>

    /bin/ls r,
    /proc/filesystems r,
    /proc/meminfo r,
    /root/tmp/ r,
    /root/tmp/test.bash r,
    /tmp/** rwlk,
    /usr/bin/find r,

  }
  -------------

  
  Here are the results in audit.log with a stock kernel, and a vanilla+grsecurity 4.3.5 kernel:

  # uname -a
  Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  enforce mode:
  -------------
  type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=AVC msg=audit(1455548893.573:18247): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=9768 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.573:18247): arch=c000003e syscall=59 success=no exit=-13 a0=8c2908 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 ppid=9766 pid=9768 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  [this is full output]
  -------------

  complain mode:
  -------------
  type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
  type=SYSCALL msg=audit(1455548922.473:18249): arch=c000003e syscall=59 success=yes exit=0 a0=10c6d88 a1=10c6988 a2=10c7c08 a3=7fff57ced540 items=0 ppid=9771 pid=9772 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
  [... much longer ...]
  -------------


  # uname -a
  Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 x86_64 x86_64 GNU/Linux

  enforce
  -------------
  type=AVC msg=audit(1455549782.598:50): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1710 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:50): arch=c000003e syscall=59 success=no exit=-13 a0=d9eb88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1710 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:50): proctitle=2F62696E2F62617368002E2F746573742E62617368
  type=AVC msg=audit(1455549782.598:51): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1711 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:51): arch=c000003e syscall=59 success=no exit=-13 a0=d9ee88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 ppid=1709 pid=1711 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:51): proctitle=2F62696E2F62617368002E2F746573742E62617368
  -------------

  complain
  -------------
  type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-1"
  type=SYSCALL msg=audit(1455549804.810:57): arch=c000003e syscall=59 success=yes exit=0 a0=20ddd08 a1=20dcb88 a2=20dcc08 a3=76f9147845e0 items=0 ppid=1749 pid=1750 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="ls" exe="/bin/ls" key=(null)
  -------------

  
  Notice that the name="/bin/ls" is in the enforce mode log for both kernels, and in the complain mode log for kernel 4.3.5. It is missing from the complain mode kernel 3.13.


  And another problem I found while failing to reproduce the above
  problem. This was with a profile made with aa-genprof on the bash
  executable (copied to ~/tmp/), without any more rules added. I could
  not reproduce this problem with the grsec kernel, so I'll just report
  them together.

  -------------
  # aa-logprof
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.
  Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 54, in <module>
      apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
      log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
      self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
      raise AppArmorException(_('Log contains unknown mode %s') % rmask)
  apparmor.common.AppArmorException: 'Log contains unknown mode '
  -------------

  The problem line (requested_mask and denied_mask are blank):
  -------------
  type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
  -------------

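As an added illustration (not part of the bug report and not aa-logprof's own code), the following Python checks AVC records for the two defects described above, an operation="exec" event with no name= field and a blank requested_mask/denied_mask, and reports them per audit id instead of aborting the way aa-logprof did. The sample lines are constructed from the records quoted in the report; the set of accepted permission letters is an assumption, not aa-logprof's table.

```python
import re

# Constructed sample records modelled on the AVC lines quoted in the bug report:
# a good enforce-mode exec, a complain-mode exec missing name=, and the
# open event with blank masks that crashed aa-logprof. The SYSCALL line is ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
type=AVC msg=audit(1455544394.446:262): apparmor="ALLOWED" operation="open" profile="/root/tmp/bash" name="/root/.bash_history" pid=8675 comm="bash" requested_mask="" denied_mask="" fsuid=0 ouid=0
type=SYSCALL msg=audit(1455548893.569:18246): arch=c000003e syscall=59 success=no exit=-13
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')          # timestamp:serial of the record
VALID_MODE_CHARS = set("rwalkmxicpu")  # assumed permission letters; aa-logprof's table differs

def parse_avc(line):
    """Return a dict of fields for a type=AVC line (plus 'audit_id'), else None."""
    if not line.startswith("type=AVC "):
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    m = MSG_RE.search(line)
    fields["audit_id"] = m.group(1) if m else "unknown"
    return fields

def check_event(ev):
    """Return the list of defects in one parsed AVC event (empty if usable)."""
    problems = []
    # Without name= there is no path to turn into an x rule (the 3.13 complain-mode bug).
    if ev.get("operation") == "exec" and "name" not in ev:
        problems.append("exec event without name= (cannot learn an x rule)")
    for key in ("requested_mask", "denied_mask"):
        mask = ev.get(key)
        if not mask:   # missing or "" is what produced 'Log contains unknown mode '
            problems.append(f"{key} is blank")
        elif not set(mask) <= VALID_MODE_CHARS:
            problems.append(f"{key} contains unknown mode {mask!r}")
    return problems

def triage_log(text):
    """Map audit id -> list of problems for every malformed AVC record in text."""
    report = {}
    for line in text.splitlines():
        ev = parse_avc(line)
        if ev is None:
            continue
        probs = check_event(ev)
        if probs:
            report[ev["audit_id"]] = probs
    return report
```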