[Bug 160238] Re: Corrupted AppArmor audit log messages

John Johansen Sat, 17 Nov 2007 02:15:48 -0800

okay the first thing I want you to try is removing the use of dd from
the auditing chain


open /etc/init.d/klogd in an editor (you need to be root), find the line
that looks like this

    # shovel /proc/kmsg to pipe readable by klogd user
    start-stop-daemon --start --pidfile $kmsgpidfile --exec /bin/dd -b -m -- 
bs=1 if=/proc/kmsg of=$kmsgpipe

and comment it out so it is now

    # shovel /proc/kmsg to pipe readable by klogd user
#    start-stop-daemon --start --pidfile $kmsgpidfile --exec /bin/dd -b -m -- 
bs=1 if=/proc/kmsg of=$kmsgpipe

now find the line

    # start klogd as non-root with reading from kmsgpipe
    start-stop-daemon --start --quiet --chuid klog --exec $binpath -- $KLOGD

and comment it out and replace it with the command shown below

    # start klogd as non-root with reading from kmsgpipe
#    start-stop-daemon --start --quiet --chuid klog --exec $binpath -- $KLOGD
    start-stop-daemon --start --quiet --exec $binpath -- /proc/kmsg

save /etc/init.d/klogd then do

> sudo /etc/init.d/klogd stop
> sudo /etc/init.d/klogd start
> ps aux | grep logd
syslog    6645  0.0  0.1   1912   728 ?        Ss   01:34   0:00 /sbin/syslogd 
-u syslog
root      6698  0.0  0.2   2496  1400 ?        Ss   01:35   0:00 /sbin/klogd 
/proc/kmsg
jj        6959  0.0  0.1   2972   748 pts/0    R+   01:48   0:00 grep logd

what you are looking for here is that dd isn't list, like above.  Now
you should be able to try and recreate the corrupted messages again.  If
the corrupt messages still happen, we can try dumping /proc/kmsg
directly to a file bypassing klogd and syslog entirely.

edit /etc/init.d/klogd again, restore the klogd command by deleting the
command and removing the commenting so it looks like

    # start klogd as non-root with reading from kmsgpipe
    start-stop-daemon --start --quiet --chuid klog --exec $binpath -- $KLOGD

now copy the dd command line and edit it so it looks like (the only part that 
is changed is of= at the end)
    # shovel /proc/kmsg to pipe readable by klogd user
#    start-stop-daemon --start --pidfile $kmsgpidfile --exec /bin/dd -b -m -- 
bs=1 if=/proc/kmsg of=$kmsgpipe
    start-stop-daemon --start --pidfile $kmsgpidfile --exec /bin/dd -b -m -- 
bs=1 if=/proc/kmsg of=/tmp/kmsg-dump

save and then do

> sudo /etc/init.d/klogd stop
> sudo /etc/init.d/klogd start

you can then try recreating the corrupted messages again.  genprof will
work but it won't find any messages, to see if the messages are corrupt
you can look at the /tmp/kmsg-dump file.  If they are still corrupt the
bug is in the kernel, and I will have to take a closer look at the audit
/ printk interface.

-- 
Corrupted AppArmor audit log messages
https://bugs.launchpad.net/bugs/160238
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 160238] Re: Corrupted AppArmor audit log messages

Reply via email to