Nice! Thanks

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1736841

Title:
  aa-decode can't decode the audit log which contains the proctitle string

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:

[Description of Problem]
aa-decode can't decode the audit log which contains the proctitle string.

ubuntu kernel version: 4.4.0-87-generic
AppArmor tool version: 2.10.95

[How To Reproduce]
e.g.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
# cat /var/log/audit/audit.log
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70

[Actual Result]
aa-decode can decode a single string, but cannot take an audit log on standard input and convert the hex-encoded string.

[Expected Result]
# cat /var/log/audit/audit.log | aa-decode
type=DAEMON_START msg=audit(1512030654.972:7242): auditd start, ver=2.4.5 format=raw kernel=4.4.0-87-generic auid=4294967295 pid=7428 subj=unconfined res=success
type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=SYSCALL msg=audit(1512030686.240:8756): arch=c000003e syscall=1 success=yes exit=26273 a0=5 a1=2717b20 a2=66a1 a3=0 items=0 ppid=7463 pid=7464 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

[How To Fix]
fix the aa-decode shell script.

--- utils/aa-decode	2013-01-01 14:15:04.000000000 -0500
+++ utils/aa-decode.new	2017-11-30 02:39:13.780000000 -0500
@@ -70,7 +70,7 @@ fi
 while read line ; do
 # check if line contains encoded name= or profile=
- if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
+ if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then
 # cut the encoded filename/profile name out of the line and decode it
 ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
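Review bot: widening the match to `(name|profile|proctitle)` lets a PROCTITLE record into the block, but the extraction that follows, `ne=\`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'\``, is unconditional: on a record with no ` name=` the sed expression makes no substitution, `ne` becomes the whole line, and that whole line is handed to `decode`. The existing name/profile code already leans on `decode` returning an empty string for such input, and the third key makes this the common case for every PROCTITLE line, so it would be cleaner to test each key on its own (for example `[[ "$line" =~ \ name=[0-9a-fA-F] ]]`) before running its sed/decode pair. The comment `# check if line contains encoded name= or profile=` should also mention proctitle now that it is matched.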
@@ -79,9 +79,13 @@ while read line ; do
 pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
 pd="$(decode ${pe/\'/\\\'})"
+ pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
+ pcd="$(decode ${pce/\'/\\\'})"
+
 # replace encoded name and profile with its decoded counterparts (only if it was encoded)
 test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
 test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
+ test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"
 fi

[Workaround]
If you cannot decode the audit log, try to decode the single string.

# aa-decode 61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70
Decoded: apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1736841/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
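Review bot: `pcd="$(decode ${pce/\'/\\\'})"` runs the proctitle value through the same routine used for file names, so the NUL bytes (the `00` pairs in the hex) that separate argv entries are dropped, and the [Expected Result] accordingly shows the command line as the single token `apparmor_parser-r/etc/apparmor.d/usr.sbin.tcpdump`; converting each NUL to a space before the `${line/proctitle=$pce/...}` substitution would keep the argument boundaries (`apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump`). Two smaller points: the comment `# replace encoded name and profile with its decoded counterparts` should now list proctitle as well, and the lone `+` before it adds an empty line that the surrounding block does not otherwise have.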
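The behaviour the report asks for, as an added example that is not the aa-decode script or the patch above: a small POSIX sh filter that reads audit records on stdin and rewrites hex-encoded name=, profile= and proctitle= values. The function names (decode_hex, decode_field, decode_audit) and the sample records are constructed for the example; unlike the "Decoded:" output shown above, it turns the NUL bytes that separate argv entries in a proctitle value into spaces, so the decoded command line keeps its argument boundaries.

```shell
#!/bin/sh
# Added example (not the aa-decode script or the patch from the bug report):
# decode hex-encoded name=, profile= and proctitle= values in audit records.

# decode_hex HEX: print the bytes encoded by HEX. NUL bytes (the argv
# separators inside a PROCTITLE record) are printed as single spaces so the
# decoded command line stays readable. Fails on empty, odd-length or non-hex input.
decode_hex() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk '
        BEGIN { digits = "0123456789abcdef" }
        {
            s = tolower($0)
            if (length(s) % 2 != 0) exit 1
            out = ""
            for (i = 1; i <= length(s); i += 2) {
                hi = index(digits, substr(s, i, 1)) - 1
                lo = index(digits, substr(s, i + 1, 1)) - 1
                if (hi < 0 || lo < 0) exit 1
                n = hi * 16 + lo
                c = (n == 0) ? " " : sprintf("%c", n)
                out = out c
            }
            printf "%s", out
        }'
}

# decode_field KEY LINE: if LINE carries " KEY=<hex>", print LINE with that
# value replaced by KEY="<decoded>"; otherwise print LINE unchanged.
# Values that are already quoted strings (name="/usr/sbin/tcpdump") are left alone.
decode_field() {
    key=$1 line=$2
    case "$line" in
        *" $key="*) ;;
        *) printf '%s\n' "$line"; return 0 ;;
    esac
    rest=${line#*" $key="}
    hex=${rest%% *}                       # the value runs to the next space or end of line
    case "$hex" in
        ""|*[!0-9a-fA-F]*) printf '%s\n' "$line"; return 0 ;;   # not hex-encoded
    esac
    if decoded=$(decode_hex "$hex"); then
        prefix=${line%%" $key="*}
        printf '%s %s="%s"%s\n' "$prefix" "$key" "$decoded" "${rest#"$hex"}"
    else
        printf '%s\n' "$line"             # malformed hex: leave the record as it was
    fi
}

# decode_audit: filter stdin, decoding all three fields on every record.
decode_audit() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(decode_field name "$line")
        line=$(decode_field profile "$line")
        decode_field proctitle "$line"
    done
}

# Constructed sample log: the AVC and PROCTITLE records quoted in the bug report.
SAMPLE_LOG='type=AVC msg=audit(1512030686.240:8756): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=7464 comm="apparmor_parser"
type=PROCTITLE msg=audit(1512030686.240:8756): proctitle=61707061726D6F725F706172736572002D72002F6574632F61707061726D6F722E642F7573722E7362696E2E74637064756D70'

# With --demo, decode the sample; with --stdin, behave like a filter (e.g.
# `sh decode_audit.sh --stdin < /var/log/audit/audit.log`).
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LOG" | decode_audit ;;
    --stdin) decode_audit ;;
esac
```

aa-decode itself is bash and uses `${line/…}` pattern substitution; the example sticks to POSIX parameter expansion and builds the replacement with printf so the decoded text, which may contain `/`, `&` or `\`, never has to be escaped for sed.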