Mailinglist Archive: opensuse-bugs (10049 mails)

[Bug 234491] New: aa-eventd does not handle/record all types of events apparmor generates
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sat, 13 Jan 2007 01:25:03 -0700 (MST)
  • Message-id: <bug-234491-21960@xxxxxxxxxxxxxxxxxxxxxxxxx/>
https://bugzilla.novell.com/show_bug.cgi?id=234491

Summary: aa-eventd does not handle/record all types of events apparmor generates
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jmichael@xxxxxxxxxx
ReportedBy: sbeattie@xxxxxxxxxx
QAContact: dreynolds@xxxxxxxxxx
CC: jjohansen@xxxxxxxxxx


The apparmor event monitoring daemon aa-eventd does not handle all of the
different types of apparmor events, if its logfile is to be believed. Running
the apparmor regression tests with it enabled generates the following message
types in its log:

Unhandled log message: type=APPARMOR msg=audit(1168674927.272:3454):
REJECTING access to syscall 'ptrace' (syscall_ptrace(21866) profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace active
/home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace)

(there are other syscall types that are not handled either, I'm not reproducing
here)

Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor: KILLING
process changehat_twice(5170) Invalid change_hat() magic# 0x528ee0d6 (hatname
sub2 profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/changehat_twice active
sub)

Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor:
aa_setprocattr_changehat: Invalid input '^open'

Unhandled log message: Jan 12 23:56:41 kryten kernel: AppArmor: REJECTING
exec(2) of image '/bin/true'. Profile mandatory and not found (exec(6349)
profile /home/steve/svn/trunk-forge/tests/regression/subdomain/exec active
/home/steve/svn/trunk-forge/tests/regression/subdomain/exec)

Unhandled log message: Jan 12 23:56:53 kryten kernel: AppArmor:
aa_get_execmode: Inconsistency in profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual. Two (or more)
patterns specify conflicting exec qualifiers ('u', 'i' or 'p') for image
/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual2

Unhandled log message: Jan 12 23:56:53 kryten kernel: AppArmor: aa_register:
Rejecting exec(2) of image
'/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual2'. Unable to
determine exec qualifier (exec_qual (pid 6792) profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual active
/home/steve/svn/trunk-forge/tests/regression/subdomain/exec_qual)

Unhandled log message: type=APPARMOR msg=audit(1168675083.021:4783):
REJECTING mkdir on /tmp/sdtest.26474-22850-K26481/tmpdir (mkdir(26534) profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir active
/home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir)

Unhandled log message: type=APPARMOR msg=audit(1168675083.053:4784):
REJECTING rmdir on /tmp/sdtest.26474-22850-K26481/tmpdir (mkdir(26539) profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir active
/home/steve/svn/trunk-forge/tests/regression/subdomain/mkdir)

Unhandled log message: Jan 12 23:58:32 kryten kernel: AppArmor:
aa_change_hat: open, 0x8c235e39 (pid 29215)

(the above is a change_hat call made with the audit flag set, I think.)

Unhandled log message: type=APPARMOR msg=audit(1168675119.635:5083):
REJECTING xattr set on /tmp/sdtest.30779-12976-V30786/testfile (xattrs(30842)
profile /home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs active
/home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs)

Unhandled log message: type=APPARMOR msg=audit(1168675120.043:5091):
REJECTING xattr remove on /tmp/sdtest.30779-12976-V30786/testfile
(xattrs(30981) profile
/home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs active
/home/steve/svn/trunk-forge/tests/regression/subdomain/xattrs)

Unhandled log message: Jan 13 00:18:48 kryten kernel: AppArmor: An error
occured while translating dentry e35e984c inode# <negative> to a pathname.
Error -36

Unhandled log message: Jan 13 00:18:48 kryten kernel: AppArmor: Internal
error auditing event type 1 (error -36)

Unhandled log message: type=APPARMOR msg=audit(1168676328.911:5124): Internal
error auditing event type 1 (error -36)

(these last three are from the longpath.sh test, which isn't run by default.)

I could see possibly not including the invalid input to changehat error
message, but the rest are, as far as I can tell, all security sensitive and
ought to be included.

There are also the related bugs that (a) a number of these messages aren't coming
out through the audit subsystem but via dmesg instead; and (b) a subset of
those aren't particularly clear as to what exactly they mean.
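
An added example, not part of the original report and not aa-eventd's own code: a small Python triage parser for the message shapes listed above. It recognizes both the audit-record and the syslog/dmesg transport and reports which security-relevant categories arrive outside the audit subsystem. The category names, function names and the shortened `/t/...` profile paths are assumptions of this example.

```python
import re
from collections import Counter

# The two transports seen in the report: audit records and kernel syslog lines.
AUDIT = re.compile(r"^type=APPARMOR msg=audit\(\d+\.\d+:\d+\):\s*(.*)$")
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ kernel: AppArmor:\s*(.*)$")
PROFILE = re.compile(r" profile (\S+) active (\S+)\)$")
# Ordered (pattern, category) rules; the category names are this example's own.
RULES = [(re.compile(p, re.I), c) for p, c in [
    (r"^REJECTING access to syscall '(\w+)'", "syscall_denied"),
    (r"^REJECTING (mkdir|rmdir) on ", "dir_denied"),
    (r"^REJECTING xattr (\w+) on ", "xattr_denied"),
    (r"^(?:aa_register: )?REJECTING exec\(2\)", "exec_denied"),
    (r"^KILLING process .*Invalid change_hat\(\) magic#", "changehat_kill"),
    (r"^aa_setprocattr_changehat: Invalid input", "changehat_bad_input"),
    (r"^aa_change_hat:", "changehat_audit"),
    (r"^aa_get_execmode: Inconsistency in profile", "profile_inconsistency"),
    (r"^(?:Internal error auditing|An error occurr?ed while translating)", "internal_error"),
]]
# Constructed sample: lines from the report, rejoined, with paths shortened to /t/...
SAMPLE = [
    "Unhandled log message: type=APPARMOR msg=audit(1168674927.272:3454): REJECTING access to syscall 'ptrace' (syscall_ptrace(21866) profile /t/syscall_ptrace active /t/syscall_ptrace)",
    "Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor: KILLING process changehat_twice(5170) Invalid change_hat() magic# 0x528ee0d6 (hatname sub2 profile /t/changehat_twice active sub)",
    "Unhandled log message: Jan 12 23:56:33 kryten kernel: AppArmor: aa_setprocattr_changehat: Invalid input '^open'",
    "Unhandled log message: Jan 12 23:56:53 kryten kernel: AppArmor: aa_register: Rejecting exec(2) of image '/t/exec_qual2'. Unable to determine exec qualifier (exec_qual (pid 6792) profile /t/exec_qual active /t/exec_qual)",
    "Unhandled log message: type=APPARMOR msg=audit(1168675120.043:5091): REJECTING xattr remove on /tmp/testfile (xattrs(30981) profile /t/xattrs active /t/xattrs)",
    "Unhandled log message: Jan 13 00:18:48 kryten kernel: AppArmor: Internal error auditing event type 1 (error -36)",
]

def parse(line):
    """Return transport, category, detail and profile for one line, or None."""
    line = re.sub(r"^Unhandled log message:\s*", "", line.strip())
    m, transport = AUDIT.match(line), "audit"
    if not m:
        m, transport = SYSLOG.match(line), "syslog"
    if not m:
        return None
    body = m.group(1)
    cat, hit = next(((c, h) for rx, c in RULES if (h := rx.search(body))), ("unknown", None))
    prof = PROFILE.search(body)
    return {"transport": transport, "category": cat,
            "detail": hit.group(1) if hit and hit.groups() else None,
            "profile": prof.group(1) if prof else None}

def outside_audit(lines):
    """Count security-relevant categories that arrived via syslog, not audit."""
    events = [e for e in map(parse, lines) if e]
    return Counter(e["category"] for e in events
                   if e["transport"] == "syslog" and e["category"] != "changehat_bad_input")
```

`outside_audit` excludes only the invalid-input change_hat message, following the report's view that the rest are security sensitive; an `unknown` category marks an AppArmor line that no rule covers.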

