>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm having problems with the audit rule modifier - it's just not working
>>>>>>>>>> when used alone. I'm trying to enable only logging with this:
>>>>>>>>>> audit /home/** a,
>>>>>>>>>> audit /home/** w,
>>>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>>>> permission?
>>>>>>>>
>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>
>>>>>>> ok, I just wanted to be sure as we have had misunderstandings before
>>>>>>> around audit, with people expecting it to only change the auditing
>>>>>>> behavior and not grant permissions.
>>>>>>>
>>>>>>> ie. audit /** w,
>>>>>>>
>>>>>>> as a rule to catch any writes regardless of what other rules are. It
>>>>>>> would be a nice ability to have but the language doesn't allow
>>>>>>> specifying only the audit behavior like this atm.
>>>>>>>
>>>>>>>>>> It should work according to documentation (
>>>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>>>> ) but it's doing nothing. I was able to enable logging only with
>>>>>>>>>> this running in complain mode:
>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>
>>>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>>>
>>>>>>>> Well, I just read in the docs that 'w' also implies 'a', so only the
>>>>>>>> second line is necessary. But yes, I had to use 'audit deny' for
>>>>>>>> logging to work (and, as I want to NOT deny the action, I had to use
>>>>>>>> complain mode).
>>>>>>>>
>>>>>>> Okay
>>>>>>>
>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>
>>>>>>>>> It is not known.
>>>>>>>>>
>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>
>>>>>>>> Here is the complete profile (I already removed that 'a' line and
>>>>>>>> tested it):
>>>>>>>>
>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>   network,
>>>>>>>>   capability,
>>>>>>>>   file,
>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>> }
>>>>>>>>
>>>>>>>> As I said, I'm running this in complain mode because I don't want to
>>>>>>>> deny the action on the last line. I want to use apparmor only for logging
>>>>>>>> access to files via PHP (I will be processing that log later).
>>>>>>>>
>>>>>>> Can you please provide the following information to help us diagnose
>>>>>>> the problem.
>>>>>>>
>>>>>>> Kernel version: use the command uname -a
>>>>>>> Parser version: use the command apparmor_parser -v
>>>>>>> State dump from the compiler: use the command
>>>>>>>   apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>
>>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>>   apparmor_parser -S profile_file > output_file
>>>>>>>   apparmor_parser -o output_file profile_file
>>>>>>>
>>>>>>> * the -o version may not work on older parsers.
>>>>>>> * profile_name is the file name where your profile is stored
>>>>>>> * states_file and out_file are just files that the output will be dumped
>>>>>>>   in, so that you can attach them
>>>>>>
>>>>>> Kernel version: 3.2.47
>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>> oops sorry
>>>>>
>>>>>> Client software are packages from Debian Wheezy running on Debian
>>>>>> Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>
>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>
>>>> It's a vanilla kernel downloaded directly from kernel.org + grsecurity from
>>>> grsecurity.org.
>>>>
>>>>>> Attaching 3 files from those 3 commands.
>>>>>> Last two commands printed this
>>>>>> warning (probably ok):
>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing
>>>>>> complain mode
>>>>>>
>>>>> yes that is fine, but thanks for the heads up
>>>>>
>>>>>> To avoid misunderstanding: I'm currently using this profile (in complain
>>>>>> mode):
>>>>>>
>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>   network,
>>>>>>   capability,
>>>>>>   file,
>>>>>>   audit deny /home/**/*.php w,
>>>>>> }
>>>>>>
>>>>>> But I WANT to use this profile (not in complain mode):
>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>   network,
>>>>>>   capability,
>>>>>>   file,
>>>>>>   audit /home/**/*.php w,
>>>>>> }
>>>>>>
>>>>>> Logging is working only in the first one so I'm forced to use it instead
>>>>>> of the second one. Hope I'm clear enough. Thank you.
>>>>>>
>>>>> Okay, the output of the compiler for the first one looks good, I still
>>>>> need to look at the kernel side (waiting for confirmation on the patchset
>>>>> there).
>>>>>
>>>>> Can you attach the same set of compiler output for the second profile
>>>>> (without the deny) so I can check it as well.
>>>>
>>> thanks
>>>
>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up in
>>> v3.4 looks like it might fix this for you.
>>>
>>> Also would you be interested in a backport version of apparmor to the 3.2
>>> kernel? Basically we now have the current upstream v3.10 version backported
>>> to 3.2 as a drop in replacement (no abi changes, or touching the rest of
>>> the kernel tree). The 3.10 version has several bug fixes that are not
>>> present in the 3.2 kernel version.
>>
>> This would be really cool if you'll be so kind :) I cannot move out from 3.2
>> yet because of grsecurity (stable version is currently for 3.2). Thank you!
>>
> there is a v3.2-backport-of-v3.10-apparmor branch at
> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>
> it's done as a copy of v3.10 kernel apparmor into v3.2 (first patch) and
> then the series of patches needed to make it work on 3.2.
>
> specifically you want
> The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>
>   Linux 3.2 (2013-06-30 05:22:04 -0700)
>
> are available in the git repository at:
>
>   git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>
> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>
>   UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece
>   (2013-06-30 05:22:20 -0700)
Sorry, I'm not very experienced with git. I downloaded that branch by:

git clone -b v3.2-backport-of-v3.10-apparmor git://kernel.ubuntu.com/jj/ubuntu-saucy.git

but don't know what to do next - how can I 'filter' commits from
'877fcbee0f25072e41e3e7ce3210951ca6d40a10' to '958b96ce2184a526dd83b7725d498acc5f99425c'?

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
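As an added example, not code from the thread or the AppArmor project: a small Python parser for the kernel AppArmor audit records the poster plans to process later, which separates the verdict field (ALLOWED in complain mode, AUDIT from a plain `audit` rule in enforce mode, DENIED from `audit deny` in enforce mode) from the path and requested mask, so one can tell from the log alone whether the audit rule is emitting anything. The profile name is the one from the thread; the sample log lines are constructed, and the field layout and verdict strings are assumed from the kernel's AppArmor audit format.

```python
import re

# key=value pairs in a kernel AppArmor audit record; values may be double-quoted
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample records (not taken from the thread): one per verdict the
# profiles above can produce for a PHP write, plus a read and a STATUS record
# that the filter must ignore.
PROFILE = "/usr/lib/apache2/mpm-itk/apache2"
SAMPLE_LOG = """\
type=AVC msg=audit(1372670000.101:10): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" pid=1234 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1372670000.102:11): apparmor="AUDIT" operation="open" parent=1 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/site/upload.php" pid=1235 comm="apache2" requested_mask="wc" denied_mask="" fsuid=1001 ouid=1001
type=AVC msg=audit(1372670000.103:12): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/site/config.php" pid=1235 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
type=AVC msg=audit(1372670000.104:13): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1372670000.105:14): apparmor="STATUS" operation="profile_load" name="/usr/lib/apache2/mpm-itk/apache2" pid=99 comm="apparmor_parser"
""".splitlines()

def parse_apparmor_record(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if "apparmor" in fields else None

def php_write_events(lines, profile, path_re=r"^/home/.*\.php$"):
    """Collect (verdict, path) for write requests by `profile` on matching paths.
    apparmor= is the verdict: ALLOWED (complain mode let it through), AUDIT
    (a plain `audit` rule logged a permitted access in enforce mode), DENIED
    (an `audit deny` or implicit deny blocked it in enforce mode)."""
    path_pat = re.compile(path_re)
    events = []
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None or rec.get("profile") != profile:
            continue
        if "w" in rec.get("requested_mask", "") and path_pat.match(rec.get("name", "")):
            events.append((rec["apparmor"], rec["name"]))
    return events

def verdict_counts(events):
    """Per-verdict totals: a quick check that the audit rule emits anything at all."""
    counts = {}
    for verdict, _ in events:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for verdict, path in php_write_events(SAMPLE_LOG, PROFILE):
        print(f"{verdict:8} {path}")
```

Feed it `grep apparmor= /var/log/kern.log` (or the audit log, depending on where the system routes kernel audit records) in place of the constructed lines.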