Debdiff for Stonking

** Patch added: "lp1117804-stonking-3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804/+attachment/5982103/+files/lp1117804-stonking-3.debdiff

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

Status in AppArmor:
  Confirmed
Status in audit package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  Invalid
Status in audit source package in Jammy:
  In Progress
Status in audit source package in Noble:
  In Progress
Status in audit source package in Questing:
  Won't Fix
Status in audit source package in Resolute:
  In Progress
Status in audit source package in Stonking:
  In Progress

Bug description:
  [ Impact ]

   * The following command should display all AppArmor AVC events:
  `ausearch --message AVC`; however, it doesn't work:

  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```

   * Users currently must inspect `/var/log/audit.log` to find the
  missing AppArmor AVC events:

  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```

   * The root cause is that `ausearch` is checking for a `tclass` field
  in the AppArmor events, because AppArmor is using event id `1400`
  (assigned to SELinux) instead of `1500`.

   * AppArmor events don't have a `tclass` field, so `ausearch` treats
  every AppArmor event as 'malformed' and hides them. We can reveal the
  'malformed' events with the `--debug` flag:

   ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
   ```

   * This bug makes `auditd` very difficult to use on Ubuntu: having the
  `auditd` package installed hides AVC events from the kernel log AND
  `ausearch` doesn't reveal them, making AppArmor events seemingly
  vanish unless you know where to look.

  [ Test plan ]

  # Install the relevant packages
  1. sudo apt install apparmor auditd

  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
  bash-5.1#
  exit
  ```

  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC

  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```

  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```

  [ Where problems could occur ]

   * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.

   * This patch modifies the filtration behavior of `ausearch` by making
  the `tclass` field optional, thus making AppArmor events be treated as
  well-formed SELinux events.

   * The regression risk with this patch is such that potentially well-
  formed events will be hidden by `ausearch` unintentionally, or truly
  malformed events will be allowed past the filter.

   * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
  would potentially be allowed through the filter with this patch, or
  well-formed SELinux events hidden. This patch essentially trades
  correctness in the SELinux case for correctness in the AppArmor case.

  [ Other info ]

   * Debian likely doesn't want this patch, as Debian officially won't
  be making any changes until upstream does [3].

   * Upstream `audit` can't move the AppArmor event id to the `1500`
  range any time soon. AppArmor was moved to the `1400` range to align
  with the Linux kernel LSM infrastructure [2].

   * This patch comes from SUSE; they've been carrying it for well over
  a decade [4], and they seem to still be carrying it even after
  switching to SELinux by default [5].

  Targeted releases: All currently supported releases and all releases
  moving forward until AppArmor moves back to the `1500` event range or
  Ubuntu switches to SELinux by default.

  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
  [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
  [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch

  [ Original bug (for posterity after over a decade) ]

  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test
  case to generate a denial, search for it with ausearch, and see that
  no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>

  ausearch claims that there are no matches, but there's a matching
  audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions


Reply via email to