[Bug 275675] New: aa-eventd not fitting to log messages of kernel
https://bugzilla.novell.com/show_bug.cgi?id=275675 Summary: aa-eventd not fitting to log messages of kernel Product: openSUSE 10.3 Version: Alpha 4 Platform: i586 OS/Version: openSUSE 10.3 Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor AssignedTo: dreynolds@novell.com ReportedBy: ulrich@holeschak.de QAContact: dreynolds@novell.com I am using kernel kernel-2.6.21-8 and apparmor-utils-2.0.2-6 The new apparmor kernel generates audit messages like: type=APPARMOR msg=audit(1179416694.112:68): REJECTING r access to /home/ulrich/program (5011 profile /home/ulrich/program active /home/ulrich/program) aa-eventd tells that this message is unhandled in /var/log/apparmor/event-dispatch.log Reason: the program name is not present any more in the new audit message format. With the following patch it's at least possible to handle the messages again (But i don't know if handling is correct in all cases). Since the program name is missing now in the log i have subsituted it by the profile name ... --- /home/ulrich/archive/apparmor/aa-eventd 2007-05-17 11:18:19.000000000 +0200 +++ /usr/sbin/aa-eventd 2007-05-17 18:59:28.000000000 +0200 @@ -454,8 +454,9 @@ $mesg =~ s/%%/%/g; } - if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $mode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $mode, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; 
@@ -493,8 +494,9 @@ push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ]; $inserts++; - } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $link, $target, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $link, $target, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; @@ -531,8 +533,9 @@ push @commit_buffer, [ "link", $timestamp, $counter, $profile, $sdmode, $link, $target, $prog, $pid, $severity ]; $inserts++; - } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $attrch, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $attrch, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; @@ -569,8 +572,9 @@ push @commit_buffer, [ "chattr", $timestamp, $counter, $profile, $sdmode, $resource, $attrch, $prog, $pid, $severity ]; $inserts++; - } elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + } elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; 
@@ -609,8 +613,9 @@ push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ]; $inserts++; - } elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $xattr_op, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + } elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $xattr_op, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; @@ -655,8 +660,9 @@ push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ]; $inserts++; - } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $capability, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $capability, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; 
@@ -727,8 +733,9 @@ push @commit_buffer, [ "changing_profile", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid ]; $inserts++; - } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) { - my ($sdmode, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7); + } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\d+) profile (\S+) active (\S+)\)/) { + my ($sdmode, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6); + my $prog = $profile; $profile .= "^$hat" if $profile ne $hat; -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
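Review bot: in the `@@ -454` hunk, `my $prog = $profile;` writes the profile name into the column that used to hold the process's command name, so consumers of the `path` rows can no longer tell a comm from a profile path. Storing an empty/undefined value there (or dropping the column from the schema, as comment 1 suggests) is safer than substituting a different field. The new regex `\((\d+) profile (\S+) active (\S+)\)` does match the quoted `(5011 profile /home/ulrich/program active /home/ulrich/program)` message, but events from an older kernel that still carry `prog(pid)` will now fall through to "unhandled"; an alternation accepting both trailer forms would keep the daemon working across the kernel upgrade. The same remark applies to the link, chattr and xattr hunks, which make the identical substitution.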
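Review bot: the `@@ -569` hunk (and the xattr branch in `@@ -609`) still match with a bare `m/.../` and `/.../`, i.e. against `$_`, while every other branch uses `$mesg =~`. The `s/%%/%/g` substitution shown in the `@@ -454` context is applied to `$mesg`, so these two branches may be testing a different string from the one the rest of the chain sees; since the patch rewrites those lines anyway, change them to `$mesg =~ m/.../`.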
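Review bot: in the `@@ -655` hunk the new capability regex has five capture groups, but the assignment reads `($1, $2, $3, $4, $5, $6)`, so `$6` is always undef and is silently discarded (the pre-patch line had the same off-by-one with `$7`). Trim the list to `($1, $2, $3, $4, $5)` so a later reordering of the left-hand variables cannot pick up an undef.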
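Review bot: in the `@@ -727` hunk the profile-replacement regex captures four groups, yet the right-hand side lists `($1, $2, $3, $4, $5, $6)` for four variables; the extra positions are harmless today but should be dropped to match the four-variable list on the left, as was already wrong in the removed line.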
seth.arnold@novell.com changed:

What       | Removed              | Added
-----------|----------------------|----------------------
AssignedTo | dreynolds@novell.com | ddrewelow@novell.com

------- Comment #1 from seth.arnold@novell.com 2007-05-17 11:41 MST -------

Thanks Ulrich; David, can you take a look at Ulrich's patch?

Perhaps the more correct answer is to simply remove the 'command name' from the schema and avoid using it.. the kernel won't be reporting it any longer. (Changes in kernel data structures now place the comm information under a lock that we should not be acquiring.)

Thanks
------- Comment #2 from ulrich@holeschak.de 2007-05-17 14:57 MST -------

The same problem is also present in: /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm
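Added example, not code from the report, from aa-eventd or from SubDomain.pm: a small Python parser for the two audit-message shapes discussed in this bug. It accepts both the old `(prog(pid) profile P active H)` trailer (taken from the pre-patch regexes) and the new `(pid profile P active H)` trailer (from the quoted REJECTING line), and reports the program name as absent instead of substituting the profile for it. The three message kinds and the `profile^hat` convention follow the aa-eventd branches visible in the patch; the sample lines other than the one quoted in the report are constructed.

```python
import re

# Trailer of an AppArmor audit message. Older kernels wrote "(prog(pid) profile P active H)";
# the kernel in this report writes "(pid profile P active H)" with no program name.
# Both forms are accepted so events from either kernel parse instead of becoming "unhandled".
TRAILER = (r"\((?:(?P<prog>\S+)\((?P<pid>\d+)\)|(?P<pid2>\d+))"
           r" profile (?P<profile>\S+) active (?P<hat>\S+)\)")

# Message kinds mirrored from three of aa-eventd's branches (path, link, capability).
PATTERNS = [
    ("path", re.compile(r"(?P<sdmode>PERMITTING|REJECTING|AUDITING) (?P<mode>\S+) access to "
                        r"(?P<resource>.+?) " + TRAILER)),
    ("link", re.compile(r"(?P<sdmode>PERMITTING|REJECTING|AUDITING) link access from "
                        r"(?P<link>.+?) to (?P<target>.+?) " + TRAILER)),
    ("capability", re.compile(r"(?P<sdmode>PERMITTING|REJECTING|AUDITING) access to capability "
                              r"'(?P<capability>.+?)' " + TRAILER)),
]

# Audit prefix as in the quoted line: type=APPARMOR msg=audit(<secs.msecs>:<serial>): <body>
AUDIT_PREFIX = re.compile(r"type=APPARMOR msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)")


def parse_event(line):
    """Return a dict for a recognised AppArmor audit line, or None if it is unhandled."""
    head = AUDIT_PREFIX.fullmatch(line.strip())
    if head is None:
        return None
    for kind, pattern in PATTERNS:
        m = pattern.fullmatch(head.group("body"))
        if m is None:
            continue
        fields = m.groupdict()
        old_pid, new_pid = fields.pop("pid"), fields.pop("pid2")
        profile, hat = fields.pop("profile"), fields.pop("hat")
        # aa-eventd records the hat as "profile^hat" when it differs from the profile.
        fields["profile"] = profile if profile == hat else f"{profile}^{hat}"
        fields["pid"] = int(old_pid if old_pid is not None else new_pid)
        # "prog" stays None for new-format messages rather than being faked from the profile.
        fields.update(kind=kind, timestamp=float(head.group("ts")),
                      serial=int(head.group("serial")))
        return fields
    return None
```

A line that matches neither trailer form nor any message kind yields None, which is the place to log it as unhandled, as aa-eventd does in event-dispatch.log.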
https://bugzilla.novell.com/show_bug.cgi?id=275675#c3
Dominic Reynolds