>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> i'm having problems with audit rule modifier - it's just not
>>>>>>>>>>>>> working when used alone. I'm trying to enable only logging with
>>>>>>>>>>>>> this:
>>>>>>>>>>>>> audit /home/** a,
>>>>>>>>>>>>> audit /home/** w,
>>>>>>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>>>>>>> permission?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>>>
>>>>>>>>>> ok, I just wanted to be sure as we have had misunderstandings before
>>>>>>>>>> around audit, with people expecting it to only change the auditing
>>>>>>>>>> behavior and not grant permissions.
>>>>>>>>>>
>>>>>>>>>> ie. audit /** w,
>>>>>>>>>>
>>>>>>>>>> as a rule to catch any writes regardless of what other rules are. It
>>>>>>>>>> would be a nice ability to have but the language doesn't allow
>>>>>>>>>> specifying only the audit behavior like this atm.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It should work according to documentation (
>>>>>>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>>>>>>> ) but it's doing nothing. I was able to enable logging only with
>>>>>>>>>>>>> this running in complain mode:
>>>>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>>>
>>>>>>>>>>>> these two rules where necessary to get logging in complain mode?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Well, i just read in docs that 'w' implies also 'a', so only the
>>>>>>>>>>> second line is necessary. But yes, i had to use 'audit deny' for
>>>>>>>>>>> logging to work (and, as i want to NOT deny the action, i had to
>>>>>>>>>>> use complain mode).
>>>>>>>>>>>
>>>>>>>>>> Okay
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> Audit alone it not working. Is this a known bug? Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>> It is not known.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Here is the complete profile (i already removed that 'a' line and
>>>>>>>>>>> tested it):
>>>>>>>>>>>
>>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>>> network,
>>>>>>>>>>> capability,
>>>>>>>>>>> file,
>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> As i said, i'm running this in complain mode because i don't want
>>>>>>>>>>> to deny the action on last line. I want to use apparmor only for
>>>>>>>>>>> logging access to files via PHP (i will be processing that log
>>>>>>>>>>> later).
>>>>>>>>>>>
>>>>>>>>>> Can you please provide the following information to help as diagnose
>>>>>>>>>> the problem.
>>>>>>>>>>
>>>>>>>>>> Kernel version: use the command uname -a
>>>>>>>>>> Parser version: use the command apparmor_parser -v
>>>>>>>>>> State dump from the compiler: use the command
>>>>>>>>>> apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>>>
>>>>>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>>>>> apparmor_parser -S profile_file > output_file
>>>>>>>>>> apparmor_parser -o output_file profile_file
>>>>>>>>>>
>>>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>>>> * profile_name is the file name where your profile is stored
>>>>>>>>>> * states_file and out_file are just file that the output will be
>>>>>>>>>> dumped in. So that you can attach them
>>>>>>>>>
>>>>>>>>> Kernel version: 3.2.47
>>>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>>>> oops sorry
>>>>>>>>
>>>>>>>>> Client software are packages from Debian Wheezy running on Debian
>>>>>>>>> Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>>>
>>>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It's vanilla kernel downloaded directly from kernel.org + grsecurity
>>>>>>> from grsecurity.org.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>> Attaching 3 files from that 3 commands. Last two commands printed
>>>>>>>>> this warning (probably ok):
>>>>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing
>>>>>>>>> complain mode
>>>>>>>>>
>>>>>>>> yes that is fine, but thanks for the heads up
>>>>>>>>
>>>>>>>>> To avoid misunderstanding: I'm currently using this profile (in
>>>>>>>>> complain mode):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>> network,
>>>>>>>>> capability,
>>>>>>>>> file,
>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> But i WANT to use this profile (not in complain mode):
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>> network,
>>>>>>>>> capability,
>>>>>>>>> file,
>>>>>>>>> audit /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Logging is working only in the first one so i'm forced to use it
>>>>>>>>> instead of second one. Hope i'm clear enough. Thank you.
>>>>>>>>>
>>>>>>>> Okay, the output of the compiler for the first one looks good, I still
>>>>>>>> need to look at the kernel side (waiting for confirmation on the
>>>>>>>> patchset there).
>>>>>>>>
>>>>>>>> Can you attach the same set of compiler out for the second profile
>>>>>>>> (without the deny) so I can check it as well.
>>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up
>>>>>> in v3.4 looks like it might fix this for you.
>>>>>>
>>>>>> Also would you be interested in a backport version of apparmor to the
>>>>>> 3.2 kernel? Basically we now have the current upstream v3.10 version
>>>>>> backported to 3.2 as a drop in replacement (no abi changes, or touching
>>>>>> the rest of the kernel tree). The 3.10 version has several bug fixes
>>>>>> that are not present in the 3.2 kernel version.
>>>>>
>>>>>
>>>>> This would be really cool if you'll be so kind :) I cannot move out from
>>>>> 3.2 yet because of grsecurity (stable version is currently for 3.2).
>>>>> Thank you!
>>>>>
>>>> there is a v3.2-backport-of-v3.10-apparmor branch at
>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>>>
>>>> its done as a copy of of v3.10 kernel apparmor into v3.2 (first patch) and
>>>> then the series of patches needed to make it work on 3.2.
>>>>
>>>>
>>>> specifically you want
>>>> The following changes since commit
>>>> 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>>>
>>>> Linux 3.2 (2013-06-30 05:22:04 -0700)
>>>>
>>>> are available in the git repository at:
>>>>
>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>> v3.2-backport-of-v3.10-apparmor
>>>>
>>>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>>>
>>>> UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece
>>>> (2013-06-30 05:22:20 -0700)
>>>
>>>
>>> Sorry, i'm not very experienced with git. I downloaded that branch by:
>>> git clone -b v3.2-backport-of-v3.10-apparmor
>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>
>>> but don't know what to do next - how can i 'filter' commits from
>>> '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to
>>> '958b96ce2184a526dd83b7725d498acc5f99425c'?
>>>
>> you can dump out the patches by changing into the git trees directory and
>> then doing
>>
>> git format-patch
>> 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c
>> -o patches/
>>
>> the patches directory can be named anything you want and has to be created
>> before the git command, if you leave off the -o patches bit will dump the
>> series into your cwd directory which can be a bit of a mess since its 19
>> patches here.
>>
>> Each of the patches will start with a number 0001-, 0002-, ... in the order
>> they are supposed to be supplied
>>
>>
>One more thing I forgot to add. This is a pure upstream backport and doesn't
>have
>the compatibility or networking patches in it. These patches should apply if
>not,
>let me know and it shouldn't take long to get them to apply.
John,
i applied commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba, which was suppose to
fix my problems with audit, to 3.2.48 but it still doesn't work as i expected.
This profile still not triggers the audit (enforce mode):
/usr/lib/apache2/mpm-itk/apache2 {
network,
capability,
file,
audit /home/**/*.php w,
}
But this one is working:
/usr/lib/apache2/mpm-itk/apache2 {
network,
capability,
audit file,
}
Maybe the 'file' line is overwriting my audit modifier as last line is only a
subset of 'file'?
Also, one strange thing (probably bug) appears - no matter how and if i set
audit, kernel is *always* logging all 'getattr' operations related to my
profile:
Jul 3 09:39:52 server07 kernel: [36159.486984] type=1400
audit(1372837192.188:947801176): apparmor="AUDIT" operation="getattr"
parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/group"
pid=14199 comm="apache2" requested_mask="r" fsuid=0 ouid=0
Any ideas? Thank you.
azur
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
