>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm having problems with the audit rule modifier - it's just not
>>>>>>>>>>>>> working when used alone. I'm trying to enable only logging with
>>>>>>>>>>>>> this:
>>>>>>>>>>>>> audit /home/** a,
>>>>>>>>>>>>> audit /home/** w,
>>>>>>>>>>>>
>>>>>>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>>>>>>> permission?
>>>>>>>>>>>
>>>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>>
>>>>>>>>>> ok, I just wanted to be sure as we have had misunderstandings before
>>>>>>>>>> around audit, with people expecting it to only change the auditing
>>>>>>>>>> behavior and not grant permissions.
>>>>>>>>>>
>>>>>>>>>> ie. audit /** w,
>>>>>>>>>>
>>>>>>>>>> as a rule to catch any writes regardless of what other rules are. It
>>>>>>>>>> would be a nice ability to have but the language doesn't allow
>>>>>>>>>> specifying only the audit behavior like this atm.
>>>>>>>>>>
>>>>>>>>>>>>> It should work according to documentation (
>>>>>>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>>>>>>> ) but it's doing nothing. I was able to enable logging only with
>>>>>>>>>>>>> this running in complain mode:
>>>>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>>>
>>>>>>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>>>>>>
>>>>>>>>>>> Well, I just read in docs that 'w' implies also 'a', so only the
>>>>>>>>>>> second line is necessary. But yes, I had to use 'audit deny' for
>>>>>>>>>>> logging to work (and, as I want to NOT deny the action, I had to
>>>>>>>>>>> use complain mode).
>>>>>>>>>>>
>>>>>>>>>> Okay
>>>>>>>>>>
>>>>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>> It is not known.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>>>
>>>>>>>>>>> Here is the complete profile (I already removed that 'a' line and
>>>>>>>>>>> tested it):
>>>>>>>>>>>
>>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>>>   network,
>>>>>>>>>>>   capability,
>>>>>>>>>>>   file,
>>>>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> As I said, I'm running this in complain mode because I don't want
>>>>>>>>>>> to deny the action on the last line. I want to use AppArmor only for
>>>>>>>>>>> logging access to files via PHP (I will be processing that log
>>>>>>>>>>> later).
>>>>>>>>>>>
>>>>>>>>>> Can you please provide the following information to help us diagnose
>>>>>>>>>> the problem.
>>>>>>>>>>
>>>>>>>>>> Kernel version: use the command uname -a
>>>>>>>>>> Parser version: use the command apparmor_parser -v
>>>>>>>>>> State dump from the compiler: use the command
>>>>>>>>>>   apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>>>
>>>>>>>>>> Compiled output of your profile: use either of the following commands
>>>>>>>>>>   apparmor_parser -S profile_file > output_file
>>>>>>>>>>   apparmor_parser -o output_file profile_file
>>>>>>>>>>
>>>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>>>> * profile_name is the file name where your profile is stored
>>>>>>>>>> * states_file and out_file are just files that the output will be
>>>>>>>>>>   dumped in, so that you can attach them
>>>>>>>>>
>>>>>>>>> Kernel version: 3.2.47
>>>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>>>>
>>>>>>>> oops sorry
>>>>>>>>
>>>>>>>>> Client software are packages from Debian Wheezy running on Debian
>>>>>>>>> Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>>>
>>>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>>>>
>>>>>>> It's a vanilla kernel downloaded directly from kernel.org + grsecurity
>>>>>>> from grsecurity.org.
>>>>>>>
>>>>>>>>> Attaching 3 files from those 3 commands. Last two commands printed
>>>>>>>>> this warning (probably ok):
>>>>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing
>>>>>>>>> complain mode
>>>>>>>>>
>>>>>>>> yes that is fine, but thanks for the heads up
>>>>>>>>
>>>>>>>>> To avoid misunderstanding: I'm currently using this profile (in
>>>>>>>>> complain mode):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>   network,
>>>>>>>>>   capability,
>>>>>>>>>   file,
>>>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> But I WANT to use this profile (not in complain mode):
>>>>>>>>>
>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>   network,
>>>>>>>>>   capability,
>>>>>>>>>   file,
>>>>>>>>>   audit /home/**/*.php w,
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Logging is working only in the first one so I'm forced to use it
>>>>>>>>> instead of the second one. Hope I'm clear enough. Thank you.
>>>>>>>>>
>>>>>>>> Okay, the output of the compiler for the first one looks good, I still
>>>>>>>> need to look at the kernel side (waiting for confirmation on the
>>>>>>>> patchset there).
>>>>>>>>
>>>>>>>> Can you attach the same set of compiler output for the second profile
>>>>>>>> (without the deny) so I can check it as well.
>>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up
>>>>>> in v3.4 looks like it might fix this for you.
>>>>>>
>>>>>> Also would you be interested in a backport version of apparmor to the
>>>>>> 3.2 kernel? Basically we now have the current upstream v3.10 version
>>>>>> backported to 3.2 as a drop-in replacement (no abi changes, or touching
>>>>>> the rest of the kernel tree). The 3.10 version has several bug fixes
>>>>>> that are not present in the 3.2 kernel version.
>>>>>
>>>>> This would be really cool if you'll be so kind :) I cannot move out from
>>>>> 3.2 yet because of grsecurity (stable version is currently for 3.2).
>>>>> Thank you!
>>>>>
>>>> there is a v3.2-backport-of-v3.10-apparmor branch at
>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>>>
>>>> it's done as a copy of v3.10 kernel apparmor into v3.2 (first patch) and
>>>> then the series of patches needed to make it work on 3.2.
>>>>
>>>> specifically you want
>>>>
>>>> The following changes since commit 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>>>
>>>>   Linux 3.2 (2013-06-30 05:22:04 -0700)
>>>>
>>>> are available in the git repository at:
>>>>
>>>>   git://kernel.ubuntu.com/jj/ubuntu-saucy.git v3.2-backport-of-v3.10-apparmor
>>>>
>>>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>>>
>>>>   UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece
>>>>   (2013-06-30 05:22:20 -0700)
>>>
>>> Sorry, I'm not very experienced with git. I downloaded that branch by:
>>> git clone -b v3.2-backport-of-v3.10-apparmor git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>
>>> but don't know what to do next - how can I 'filter' commits from
>>> '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to
>>> '958b96ce2184a526dd83b7725d498acc5f99425c'?
>>>
>> you can dump out the patches by changing into the git tree's directory and
>> then doing
>>
>> git format-patch 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c -o patches/
>>
>> the patches directory can be named anything you want and has to be created
>> before the git command; if you leave off the -o patches bit it will dump the
>> series into your cwd directory, which can be a bit of a mess since it's 19
>> patches here.
>>
>> Each of the patches will start with a number 0001-, 0002-, ... in the order
>> they are supposed to be supplied
>>
> One more thing I forgot to add. This is a pure upstream backport and doesn't
> have the compatibility or networking patches in it. These patches should apply;
> if not, let me know and it shouldn't take long to get them to apply.

Unfortunately, there are lots of failures when applying patches to 3.2.48 +
grsecurity :( grsec is also touching apparmor. Thank you very much anyway.

azur

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
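The profile in this thread is meant purely to log PHP file writes under /home for later processing. As an added example (not code from the thread or from the AppArmor project), the Python below parses AppArmor kernel-log lines, decodes the hex-encoded names the kernel emits for paths containing spaces, and keeps only the writes that the glob `/home/**/*.php` covers; the sample log lines are constructed, the glob translation is deliberately simplified, and the function names are my own.

```python
"""Pull the writes a rule like 'audit /home/**/*.php w,' logs out of AppArmor
kernel-log lines (constructed samples below; nothing here is from the thread)."""
import re
from binascii import unhexlify

# Fields are key="value" or key=bare; a name holding spaces or odd bytes is
# emitted by the kernel audit code as an unquoted hex string and is decoded here.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor log line as a dict."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        if bare and key in ('name', 'comm') and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', bare):
            bare = unhexlify(bare).decode('utf-8', 'replace')
        fields[key] = bare or quoted
    return fields

def apparmor_glob_to_regex(pattern):
    """Simplified AppArmor path glob: '**' may span '/', '*' and '?' may not
    (alternation {a,b} and character classes are not handled)."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] in '*?':
            out, i = out + ('[^/]*' if pattern[i] == '*' else '[^/]'), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')

def php_writes(lines, pattern='/home/**/*.php'):
    """(profile, path, mask) for each access that asked for 'w' on a covered path."""
    rx, hits = apparmor_glob_to_regex(pattern), []
    for f in map(parse_apparmor_line, lines):
        if (f.get('apparmor') in ('AUDIT', 'ALLOWED', 'DENIED')
                and 'w' in f.get('requested_mask', '') and rx.match(f.get('name', ''))):
            hits.append((f['profile'], f['name'], f['requested_mask']))
    return hits

# Constructed type=1400 samples; the third name is the kernel's hex encoding of "/home/bob/my site/a.php".
PROFILE = 'profile="/usr/lib/apache2/mpm-itk/apache2"'
SAMPLE_LOG = [
    f'type=1400 audit(1372845601.100:12): apparmor="AUDIT" operation="open" {PROFILE} '
    'name="/home/alice/public_html/index.php" pid=901 comm="apache2" requested_mask="w"',
    f'type=1400 audit(1372845602.200:13): apparmor="AUDIT" operation="open" {PROFILE} '
    'name="/home/alice/public_html/style.css" pid=901 comm="apache2" requested_mask="w"',
    f'type=1400 audit(1372845603.300:14): apparmor="AUDIT" operation="open" {PROFILE} '
    'name=2F686F6D652F626F622F6D7920736974652F612E706870 pid=902 comm="apache2" requested_mask="w"',
]
```

Running `php_writes(SAMPLE_LOG)` returns the two .php writes and drops the .css one; the same filter works on lines collected from /var/log/kern.log or audit.log once the syslog prefix is stripped.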