On 06/30/2013 06:44 AM, azurIt wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm having problems with the audit rule modifier - it's just not
>>>>>>>>>>> working when used alone. I'm trying to enable only logging with
>>>>>>>>>>> this:
>>>>>>>>>>>   audit /home/** a,
>>>>>>>>>>>   audit /home/** w,
>>>>>>>>>>
>>>>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>>>>> permission?
>>>>>>>>>
>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>
>>>>>>>> ok, I just wanted to be sure as we have had misunderstandings before
>>>>>>>> around audit, with people expecting it to only change the auditing
>>>>>>>> behavior and not grant permissions.
>>>>>>>>
>>>>>>>> ie.  audit /** w,
>>>>>>>>
>>>>>>>> as a rule to catch any writes regardless of what other rules are. It
>>>>>>>> would be a nice ability to have but the language doesn't allow
>>>>>>>> specifying only the audit behavior like this atm.
>>>>>>>>
>>>>>>>>>>> It should work according to documentation (
>>>>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>>>>> ) but it's doing nothing. I was able to enable logging only with
>>>>>>>>>>> this running in complain mode:
>>>>>>>>>>>   audit deny /home/**/*.php a,
>>>>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>>>>>
>>>>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>>>>
>>>>>>>>> Well, I just read in docs that 'w' implies also 'a', so only the
>>>>>>>>> second line is necessary. But yes, I had to use 'audit deny' for
>>>>>>>>> logging to work (and, as I want to NOT deny the action, I had to use
>>>>>>>>> complain mode).
>>>>>>>>>
>>>>>>>> Okay
>>>>>>>>
>>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>>
>>>>>>>>>> It is not known.
>>>>>>>>>>
>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>
>>>>>>>>> Here is the complete profile (I already removed that 'a' line and
>>>>>>>>> tested it):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>   network,
>>>>>>>>>   capability,
>>>>>>>>>   file,
>>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> As I said, I'm running this in complain mode because I don't want to
>>>>>>>>> deny the action on the last line. I want to use apparmor only for logging
>>>>>>>>> access to files via PHP (I will be processing that log later).
>>>>>>>>>
>>>>>>>> Can you please provide the following information to help us diagnose
>>>>>>>> the problem.
>>>>>>>>
>>>>>>>> Kernel version: use the command  uname -a
>>>>>>>> Parser version: use the command  apparmor_parser -v
>>>>>>>> State dump from the compiler: use the command
>>>>>>>>   apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>
>>>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>>>   apparmor_parser -S profile_file > output_file
>>>>>>>>   apparmor_parser -o output_file profile_file
>>>>>>>>
>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>> * profile_name is the file name where your profile is stored
>>>>>>>> * states_file and out_file are just files that the output will be
>>>>>>>>   dumped in, so that you can attach them
>>>>>>>
>>>>>>> Kernel version: 3.2.47
>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>>
>>>>>> oops sorry
>>>>>>
>>>>>>> Client software are packages from Debian Wheezy running on Debian
>>>>>>> Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>
>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>>
>>>>> It's a vanilla kernel downloaded directly from kernel.org + grsecurity from
>>>>> grsecurity.org.
>>>>>
>>>>>>> Attaching 3 files from those 3 commands.
>>>>>>> The last two commands printed this
>>>>>>> warning (probably ok):
>>>>>>>   Warning: found apache2 in /etc/apparmor.d/force-complain, forcing
>>>>>>>   complain mode
>>>>>>>
>>>>>> yes that is fine, but thanks for the heads up
>>>>>>
>>>>>>> To avoid misunderstanding: I'm currently using this profile (in
>>>>>>> complain mode):
>>>>>>>
>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>   network,
>>>>>>>   capability,
>>>>>>>   file,
>>>>>>>   audit deny /home/**/*.php w,
>>>>>>> }
>>>>>>>
>>>>>>> But I WANT to use this profile (not in complain mode):
>>>>>>>
>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>   network,
>>>>>>>   capability,
>>>>>>>   file,
>>>>>>>   audit /home/**/*.php w,
>>>>>>> }
>>>>>>>
>>>>>>> Logging is working only in the first one so I'm forced to use it
>>>>>>> instead of the second one. Hope I'm clear enough. Thank you.
>>>>>>>
>>>>>> Okay, the output of the compiler for the first one looks good, I still
>>>>>> need to look at the kernel side (waiting for confirmation on the
>>>>>> patchset there).
>>>>>>
>>>>>> Can you attach the same set of compiler output for the second profile
>>>>>> (without the deny) so I can check it as well.
>>>>>
>>>> thanks
>>>>
>>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up
>>>> in v3.4 looks like it might fix this for you.
>>>>
>>>> Also would you be interested in a backport version of apparmor to the 3.2
>>>> kernel? Basically we now have the current upstream v3.10 version
>>>> backported to 3.2 as a drop in replacement (no abi changes, or touching
>>>> the rest of the kernel tree). The 3.10 version has several bug fixes that
>>>> are not present in the 3.2 kernel version.
>>>
>>> This would be really cool if you'll be so kind :) I cannot move out from
>>> 3.2 yet because of grsecurity (stable version is currently for 3.2). Thank
>>> you!
>>>
>> there is a v3.2-backport-of-v3.10-apparmor branch at
>>   git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>
>> it's done as a copy of the v3.10 kernel apparmor into v3.2 (first patch) and
>> then the series of patches needed to make it work on 3.2.
>>
>> specifically you want
>>
>> The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>
>>   Linux 3.2 (2013-06-30 05:22:04 -0700)
>>
>> are available in the git repository at:
>>
>>   git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>
>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>
>>   UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece
>>   (2013-06-30 05:22:20 -0700)
>
> Sorry, I'm not very experienced with git. I downloaded that branch by:
>   git clone -b v3.2-backport-of-v3.10-apparmor
>     git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>
> but don't know what to do next - how can I 'filter' commits from
> '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to
> '958b96ce2184a526dd83b7725d498acc5f99425c'?
>
you can dump out the patches by changing into the git tree's directory and then doing
  git format-patch 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c -o patches/

the patches directory can be named anything you want and has to be created before the git command. If you leave off the -o patches bit it will dump the series into your cwd directory, which can be a bit of a mess since it's 19 patches here.

Each of the patches will start with a number 0001-, 0002-, ... in the order they are supposed to be supplied

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
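The profile discussed in the thread exists only to produce a log of PHP file writes under /home for later processing. As an added example (not code from the thread, nor from the AppArmor project), the Python script below parses AppArmor log lines in their key="value" form, translates the thread's path glob (/home/**/*.php) into a regular expression using the documented meaning of `*` (any characters except `/`) and `**` (any characters including `/`), and reports which entries a rule with that path and a `w` permission would cover. The sample lines are constructed for this example and are not real captures; the decision values (AUDIT, ALLOWED, DENIED) and field names (profile, name, requested_mask) are assumed from the AppArmor log format, and the glob translation is a deliberate simplification of the parser's own conversion, handling only `*`, `**` and `?`.

```python
"""Added example: match AppArmor log entries against a path rule.

Not taken from the thread. Assumes the key="value" log layout AppArmor
emits via audit/syslog; the glob translation covers only *, ** and ?.
"""
import re
from typing import Dict, List, Pattern

# Constructed sample lines (not real captures). Only the fields used below
# matter: apparmor=, profile=, name=, requested_mask=.
SAMPLE_LOG = """\
type=AVC msg=audit(1372584000.101:201): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/site/index.php" pid=4321 comm="apache2" requested_mask="w" fsuid=33 ouid=1000
type=AVC msg=audit(1372584000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/www/upload.php" pid=4322 comm="apache2" requested_mask="wc" denied_mask="wc" fsuid=33 ouid=1001
type=AVC msg=audit(1372584000.103:203): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/site/index.php" pid=4323 comm="apache2" requested_mask="r" fsuid=33 ouid=1000
type=AVC msg=audit(1372584000.104:204): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/shadow" pid=4324 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1372584000.105:205): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/site/cache/data.txt" pid=4325 comm="apache2" requested_mask="w" fsuid=33 ouid=1000
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of field name -> value (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def aa_glob_to_regex(pattern: str) -> Pattern[str]:
    """Translate an AppArmor path glob (subset) into an anchored regex.

    '**' -> any run of characters including '/'
    '*'  -> any run of characters excluding '/'
    '?'  -> a single character other than '/'
    Everything else is literal. Simplified: the real parser also handles
    {a,b} alternation and [...] classes, which are not needed here.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matching_entries(log_text: str, profile: str, path_glob: str,
                     perms: str) -> List[Dict[str, str]]:
    """Return parsed entries from `profile` whose path matches `path_glob`
    and whose requested_mask shares at least one letter with `perms`."""
    rx = aa_glob_to_regex(path_glob)
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e.get("profile") != profile or "name" not in e:
            continue
        if not rx.match(e["name"]):
            continue
        if not set(e.get("requested_mask", "")) & set(perms):
            continue
        hits.append(e)
    return hits


def summarize(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count entries by the apparmor= decision (AUDIT / ALLOWED / DENIED)."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = e.get("apparmor", "?")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # The thread notes that 'w' implies 'a' in a rule, so check both letters
    # of the requested mask when looking for writes.
    hits = matching_entries(SAMPLE_LOG, "/usr/lib/apache2/mpm-itk/apache2",
                            "/home/**/*.php", "wa")
    for h in hits:
        print(h["apparmor"], h["name"], h["requested_mask"])
    print(summarize(hits))
```

Of the five constructed lines, only the two writes to .php files under /home survive the filter (one logged as AUDIT, one as ALLOWED); the read of index.php, the read of /etc/shadow and the write to data.txt are excluded by the permission mask, the path glob, or both.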