https://bugzilla.novell.com/show_bug.cgi?id=234491

Summary: aa-eventd does not handle/record all types of events apparmor generates
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jmichael@novell.com
ReportedBy: sbeattie@novell.com
QAContact: dreynolds@novell.com
CC: jjohansen@novell.com

The apparmor event monitoring daemon aa-eventd does not handle all of the different types of apparmor events, if its logfile is to be believed. Running the apparmor regression tests with it enabled generates the following message types in its log:

Unhandled log message: type=APPARMOR msg=audit(1168674927.272:3454): REJECTING access to syscall 'ptrace' (syscall_ptrace(21866) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace active /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace)

(there are other syscall types that are not handled either, I'm not reproducing here)

Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor: KILLING process changehat_twice(5170) Invalid change_hat() magic# 0x528ee0d6 (hatname sub2 profile /home/steve/svn/trunk-forge/tests/regression/subdomain/changehat_twice active sub)

Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor: aa_setprocattr_changehat: Invalid input '^open'

Unhandled log message: Jan 12 23:56:41 kryten kernel: AppArmor: REJECTING exec(2) of image '/bin/true'. Profile mandatory and not found (exec(6349) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/exec active /home/steve/svn/trunk-forge/tests/regression/subdomain/exec)

Unhandled log message: Jan 12 23:56:53 kryten kernel: AppArmor: aa_get_execmode: Inconsistency in profile /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual. Two (or more) patterns specify conflicting exec qualifiers ('u', 'i' or 'p') for image /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual2

Unhandled log message: Jan 12 23:56:53 kryten kernel: AppArmor: aa_register: Rejecting exec(2) of image '/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual2'. Unable to determine exec qualifier (exec_qual (pid 6792) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual active /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual)

Unhandled log message: type=APPARMOR msg=audit(1168675083.021:4783): REJECTING mkdir on /tmp/sdtest.26474-22850-K26481/tmpdir (mkdir(26534) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir active /home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir)

Unhandled log message: type=APPARMOR msg=audit(1168675083.053:4784): REJECTING rmdir on /tmp/sdtest.26474-22850-K26481/tmpdir (mkdir(26539) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir active /home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir)

Unhandled log message: Jan 12 23:58:32 kryten kernel: AppArmor: aa_change_hat: open, 0x8c235e39 (pid 29215)

(the above is a change_hat call made with the audit flag set, I think.)

Unhandled log message: type=APPARMOR msg=audit(1168675119.635:5083): REJECTING xattr set on /tmp/sdtest.30779-12976-V30786/testfile (xattrs(30842) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs active /home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs)

Unhandled log message: type=APPARMOR msg=audit(1168675120.043:5091): REJECTING xattr remove on /tmp/sdtest.30779-12976-V30786/testfile (xattrs(30981) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs active /home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs)

Unhandled log message: Jan 13 00:18:48 kryten kernel: AppArmor: An error occured while translating dentry e35e984c inode# <negative> to a pathname. Error -36

Unhandled log message: Jan 13 00:18:48 kryten kernel: AppArmor: Internal error auditing event type 1 (error -36)

Unhandled log message: type=APPARMOR msg=audit(1168676328.911:5124): Internal error auditing event type 1 (error -36)

(these last three are from the longpath.sh test, which isn't run by default.)

I could see possibly not including the invalid input to changehat error message, but the rest are, as far as I can tell, all security sensitive and ought to be included.

There are also the related bugs that (a) a number of these messages aren't coming out through the audit subsystem but via dmesg instead; and (b) a subset of those aren't particularly clear as to what exactly they mean.
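
Added example (not part of the original report and not aa-eventd's code): a Python parser for the two message transports quoted above, which also lists the events that reach the kernel syslog without a matching audit record. The regexes and the names parse_event, syslog_only and SAMPLE are assumptions made for this illustration; the sample lines are copied from the report.

```python
import re

# Two transports appear in the report: audit records and kernel syslog (dmesg) lines.
AUDIT_RE = re.compile(r"^type=APPARMOR msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ kernel: AppArmor: (?P<body>.*)$")
# Trailing context: "(comm(pid) profile P active A)" or "(comm (pid N) profile P active A)".
CTX_RE = re.compile(r"\((?P<comm>\S+?) ?\((?:pid )?(?P<pid>\d+)\) "
                    r"profile (?P<profile>\S+) active (?P<active>\S+)\)$")
VERDICT_RE = re.compile(r"\b(REJECTING|KILLING|Rejecting)\b")

def parse_event(line):
    """Return a dict describing an AppArmor log line, or None if it is not one."""
    line = line.strip()
    for transport, rx in (("audit", AUDIT_RE), ("syslog", SYSLOG_RE)):
        m = rx.match(line)
        if m:
            break
    else:
        return None
    body = m.group("body")
    event = {"transport": transport, "verdict": None, "body": body}
    verdict = VERDICT_RE.search(body)
    if verdict:
        event["verdict"] = verdict.group(1).upper()  # normalise "Rejecting"
    ctx = CTX_RE.search(body)
    if ctx:  # not every message carries the (comm(pid) profile ... active ...) suffix
        event.update(ctx.groupdict(), pid=int(ctx.group("pid")))
    return event

def syslog_only(lines):
    """Bodies seen via kernel syslog that never also appear as an audit record."""
    events = [e for e in map(parse_event, lines) if e]
    audited = {e["body"] for e in events if e["transport"] == "audit"}
    return [e["body"] for e in events
            if e["transport"] == "syslog" and e["body"] not in audited]

# Sample lines copied from the report above.
SAMPLE = [
    "type=APPARMOR msg=audit(1168674927.272:3454): REJECTING access to syscall 'ptrace' (syscall_ptrace(21866) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace active /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace)",
    "Jan 12 23:56:33 kryten kernel: AppArmor: KILLING process changehat_twice(5170) Invalid change_hat() magic# 0x528ee0d6 (hatname sub2 profile /home/steve/svn/trunk-forge/tests/regression/subdomain/changehat_twice active sub)",
    "Jan 12 23:56:53 kryten kernel: AppArmor: aa_register: Rejecting exec(2) of image '/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual2'. Unable to determine exec qualifier (exec_qual (pid 6792) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual active /home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual)",
    "Jan 13 00:18:48 kryten kernel: AppArmor: Internal error auditing event type 1 (error -36)",
    "type=APPARMOR msg=audit(1168676328.911:5124): Internal error auditing event type 1 (error -36)",
]
```

Run over SAMPLE, syslog_only() returns the KILLING and aa_register messages, the kind of security-relevant event the report notes is delivered via dmesg rather than the audit subsystem.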