On 07/03/2013 12:42 AM, azurIt wrote:
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> i'm having problems with audit rule modifier - it's just not
>>>>>>>>>>>>>> working when used alone. I'm trying to enable only logging with
>>>>>>>>>>>>>> this:
>>>>>>>>>>>>>> audit /home/** a,
>>>>>>>>>>>>>> audit /home/** w,
>>>>>>>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>>>>>>>> permission?
>>>>>>>>>>>>
>>>>>>>>>>>> I mean logging of an access AND granting permission.
>>>>>>>>>>>>
>>>>>>>>>>> ok, I just wanted to be sure as we have had misunderstandings
>>>>>>>>>>> before around audit, with people expecting it to only change the
>>>>>>>>>>> auditing behavior and not grant permissions.
>>>>>>>>>>>
>>>>>>>>>>> ie. audit /** w,
>>>>>>>>>>>
>>>>>>>>>>> as a rule to catch any writes regardless of what other rules are.
>>>>>>>>>>> It would be a nice ability to have but the language doesn't allow
>>>>>>>>>>> specifying only the audit behavior like this atm.
>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It should work according to documentation (
>>>>>>>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>>>>>>>> ) but it's doing nothing. I was able to enable logging only
>>>>>>>>>>>>>> with this running in complain mode:
>>>>>>>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>>>>
>>>>>>>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>>>>>>>
>>>>>>>>>>>> Well, i just read in docs that 'w' implies also 'a', so only the
>>>>>>>>>>>> second line is necessary. But yes, i had to use 'audit deny' for
>>>>>>>>>>>> logging to work (and, as i want to NOT deny the action, i had to
>>>>>>>>>>>> use complain mode).
>>>>>>>>>>>>
>>>>>>>>>>> Okay
>>>>>>>>>>>
>>>>>>>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> It is not known.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you send us the full profile you are using?
>>>>>>>>>>>>
>>>>>>>>>>>> Here is the complete profile (i already removed that 'a' line and
>>>>>>>>>>>> tested it):
>>>>>>>>>>>>
>>>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>>>> network,
>>>>>>>>>>>> capability,
>>>>>>>>>>>> file,
>>>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> As i said, i'm running this in complain mode because i don't want
>>>>>>>>>>>> to deny the action on last line. I want to use apparmor only for
>>>>>>>>>>>> logging access to files via PHP (i will be processing that log
>>>>>>>>>>>> later).
>>>>>>>>>>>>
>>>>>>>>>>> Can you please provide the following information to help us
>>>>>>>>>>> diagnose the problem.
>>>>>>>>>>>
>>>>>>>>>>> Kernel version: use the command uname -a
>>>>>>>>>>> Parser version: use the command apparmor_parser -v
>>>>>>>>>>> State dump from the compiler: use the command
>>>>>>>>>>> apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>>>>>>>
>>>>>>>>>>> Compiled output of your profile: use either of the following
>>>>>>>>>>> commands
>>>>>>>>>>> apparmor_parser -S profile_file > output_file
>>>>>>>>>>> apparmor_parser -o output_file profile_file
>>>>>>>>>>>
>>>>>>>>>>> * the -o version may not work on older parsers.
>>>>>>>>>>> * profile_name is the file name where your profile is stored
>>>>>>>>>>> * states_file and out_file are just files that the output will be
>>>>>>>>>>> dumped in. So that you can attach them
>>>>>>>>>>
>>>>>>>>>> Kernel version: 3.2.47
>>>>>>>>>> Parser version: 2.7.103 (it was the -V switch)
>>>>>>>>> oops sorry
>>>>>>>>>
>>>>>>>>>> Client software are packages from Debian Wheezy running on Debian
>>>>>>>>>> Squeeze. I'm using my own kernel patched with grsecurity.
>>>>>>>>>>
>>>>>>>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>>>>>>>
>>>>>>>> It's vanilla kernel downloaded directly from kernel.org + grsecurity
>>>>>>>> from grsecurity.org.
>>>>>>>>
>>>>>>>>>> Attaching 3 files from those 3 commands. Last two commands printed
>>>>>>>>>> this warning (probably ok):
>>>>>>>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing
>>>>>>>>>> complain mode
>>>>>>>>>>
>>>>>>>>> yes that is fine, but thanks for the heads up
>>>>>>>>>
>>>>>>>>>> To avoid misunderstanding: I'm currently using this profile (in
>>>>>>>>>> complain mode):
>>>>>>>>>>
>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>> network,
>>>>>>>>>> capability,
>>>>>>>>>> file,
>>>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> But i WANT to use this profile (not in complain mode):
>>>>>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>>>>>> network,
>>>>>>>>>> capability,
>>>>>>>>>> file,
>>>>>>>>>> audit /home/**/*.php w,
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Logging is working only in the first one so i'm forced to use it
>>>>>>>>>> instead of the second one. Hope i'm clear enough. Thank you.
>>>>>>>>>>
>>>>>>>>> Okay, the output of the compiler for the first one looks good, I
>>>>>>>>> still need to look at the kernel side (waiting for confirmation on
>>>>>>>>> the patchset there).
>>>>>>>>>
>>>>>>>>> Can you attach the same set of compiler output for the second profile
>>>>>>>>> (without the deny) so I can check it as well.
>>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed
>>>>>>> up in v3.4 looks like it might fix this for you.
>>>>>>>
>>>>>>> Also would you be interested in a backport version of apparmor to the
>>>>>>> 3.2 kernel? Basically we now have the current upstream v3.10 version
>>>>>>> backported to 3.2 as a drop in replacement (no abi changes, or touching
>>>>>>> the rest of the kernel tree). The 3.10 version has several bug fixes
>>>>>>> that are not present in the 3.2 kernel version.
>>>>>>
>>>>>> This would be really cool if you'll be so kind :) I cannot move out from
>>>>>> 3.2 yet because of grsecurity (stable version is currently for 3.2).
>>>>>> Thank you!
>>>>>>
>>>>> there is a v3.2-backport-of-v3.10-apparmor branch at
>>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>>> v3.2-backport-of-v3.10-apparmor
>>>>>
>>>>> its done as a copy of v3.10 kernel apparmor into v3.2 (first patch) and
>>>>> then the series of patches needed to make it work on 3.2.
>>>>>
>>>>> specifically you want
>>>>> The following changes since commit
>>>>> 877fcbee0f25072e41e3e7ce3210951ca6d40a10:
>>>>>
>>>>> Linux 3.2 (2013-06-30 05:22:04 -0700)
>>>>>
>>>>> are available in the git repository at:
>>>>>
>>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>>> v3.2-backport-of-v3.10-apparmor
>>>>>
>>>>> for you to fetch changes up to 958b96ce2184a526dd83b7725d498acc5f99425c:
>>>>>
>>>>> UBUNTU: SAUCE: apparmor: 3.2 backport revert umode_t in chmode 910f4ece
>>>>> (2013-06-30 05:22:20 -0700)
>>>>
>>>> Sorry, i'm not very experienced with git. I downloaded that branch by:
>>>> git clone -b v3.2-backport-of-v3.10-apparmor
>>>> git://kernel.ubuntu.com/jj/ubuntu-saucy.git
>>>>
>>>> but don't know what to do next - how can i 'filter' commits from
>>>> '877fcbee0f25072e41e3e7ce3210951ca6d40a10' to
>>>> '958b96ce2184a526dd83b7725d498acc5f99425c'?
>>>>
>>> you can dump out the patches by changing into the git tree's directory and
>>> then doing
>>>
>>> git format-patch
>>> 877fcbee0f25072e41e3e7ce3210951ca6d40a10..958b96ce2184a526dd83b7725d498acc5f99425c
>>> -o patches/
>>>
>>> the patches directory can be named anything you want and has to be created
>>> before the git command, if you leave off the -o patches bit it will dump the
>>> series into your cwd directory which can be a bit of a mess since its 19
>>> patches here.
>>>
>>> Each of the patches will start with a number 0001-, 0002-, ... in the order
>>> they are supposed to be supplied
>>>
>> One more thing I forgot to add. This is a pure upstream backport and doesn't
>> have the compatibility or networking patches in it. These patches should
>> apply; if not, let me know and it shouldn't take long to get them to apply.
>
> John,
>
> i applied commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba, which was supposed
> to fix my problems with audit, to 3.2.48 but it still doesn't work as i
> expected. This profile still doesn't trigger the audit (enforce mode):
>
hrmmm that is unfortunate. I'll have to poke some more maybe there was another
audit patch I missed

> /usr/lib/apache2/mpm-itk/apache2 {
> network,
> capability,
> file,
> audit /home/**/*.php w,
> }
>
> But this one is working:
>
> /usr/lib/apache2/mpm-itk/apache2 {
> network,
> capability,
> audit file,
> }
>
> Maybe the 'file' line is overwriting my audit modifier as last line is only a
> subset of 'file'?
>
no file is just short hand for all perms on /**, and when I looked at the
compiler output I definitely saw the audit flags set

> Also, one strange thing (probably bug) appears - no matter how and if i set
> audit, kernel is *always* logging all 'getattr' operations related to my
> profile:
>
> Jul 3 09:39:52 server07 kernel: [36159.486984] type=1400
> audit(1372837192.188:947801176): apparmor="AUDIT" operation="getattr"
> parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/group"
> pid=14199 comm="apache2" requested_mask="r" fsuid=0 ouid=0
>
ha, I remember that bug, I'll dig and find which commit fixes it

> Any ideas? Thank you.
>
> azur
>

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
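For the log processing azurIt says he plans to do, here is a small parser for the kernel's type=1400 AppArmor records, added as an example and not code from the thread or from the AppArmor project. The sample records are constructed: the first mirrors the getattr line quoted above, the /home paths, pids and timestamps in the others are made up, and the getattr filter exists only because of the spurious records azurIt reports on the 3.2 kernel.

```python
import re

# Constructed sample records modelled on the getattr line quoted in the thread.
# Only the first line mirrors azurIt's report; the /home paths, pids and
# timestamps below are made up for the example.
SAMPLE_LOG = """\
Jul 3 09:39:52 server07 kernel: [36159.486984] type=1400 audit(1372837192.188:947801176): apparmor="AUDIT" operation="getattr" parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/etc/group" pid=14199 comm="apache2" requested_mask="r" fsuid=0 ouid=0
Jul 3 09:40:01 server07 kernel: [36168.100000] type=1400 audit(1372837201.100:947801177): apparmor="AUDIT" operation="open" parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/site1/upload.php" pid=14200 comm="apache2" requested_mask="w" fsuid=1001 ouid=1001
Jul 3 09:40:02 server07 kernel: [36169.200000] type=1400 audit(1372837202.200:947801178): apparmor="ALLOWED" operation="open" parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/site2/config.php" pid=14201 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1002 ouid=1002
Jul 3 09:40:03 server07 kernel: [36170.300000] type=1400 audit(1372837203.300:947801179): apparmor="DENIED" operation="open" parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/site2/cache.php" pid=14202 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1002 ouid=1002
Jul 3 09:40:04 server07 kernel: [36171.400000] type=1400 audit(1372837204.400:947801180): apparmor="AUDIT" operation="open" parent=10071 profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/site1/index.php" pid=14203 comm="apache2" requested_mask="r" fsuid=1001 ouid=1001
"""

# key=value pairs; quoted values may contain spaces, bare ones may not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# What the apparmor= field means for a profile like the one in the thread
STATUS_MEANING = {
    "AUDIT": "allowed, logged because an audit rule matched (enforce mode)",
    "ALLOWED": "complain mode: would have been denied in enforce mode",
    "DENIED": "blocked by the profile",
}

def parse_apparmor_line(line):
    """Return the key=value fields of a type=1400 AppArmor record, or None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def php_write_events(log_text, ignore_ops=("getattr",)):
    """Collect (status, path, requested_mask) for write attempts on *.php files.

    getattr records are skipped by default because, as azurIt reports,
    the 3.2 kernel emits them no matter what the audit rules say.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None or rec.get("operation") in ignore_ops:
            continue
        if rec.get("name", "").endswith(".php") and "w" in rec.get("requested_mask", ""):
            events.append((rec["apparmor"], rec["name"], rec["requested_mask"]))
    return events

if __name__ == "__main__":
    for status, path, mask in php_write_events(SAMPLE_LOG):
        print(f"{status:8} {mask:3} {path}  ({STATUS_MEANING[status]})")
```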