Debdiff for Resolute ** Patch added: "lp1117804-resolute-3.debdiff" https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804/+attachment/5982102/+files/lp1117804-resolute-3.debdiff -- You received this bug notification because you are subscribed to linux in Ubuntu. Matching subscriptions: Bgg, Bmail, Nb https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: In Progress Status in linux package in Ubuntu: Invalid Status in audit source package in Jammy: In Progress Status in audit source package in Noble: In Progress Status in audit source package in Questing: Won't Fix Status in audit source package in Resolute: In Progress Status in audit source package in Stonking: In Progress Bug description: [ Impact ] * The following command should display all AppArmor AVC events: `ausearch --message AVC`; however, it doesn't work: ``` yachie@virtual:/etc/apparmor.d$ ausearch --message AVC <no matches> ``` * Users currently must inspect `/var/log/audit.log` to find the missing AppArmor AVC events: ``` yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" ``` * The root cause is that `ausearch` is checking for a `tclass` field in the AppArmor events, because AppArmor is using event id `1400` (assigned to SELinux) instead of `1500`. * AppArmor events don't have a `tclass` field, so `ausearch` treats every AppArmor event as 'malformed' and hides them. We can reveal the 'malformed' events with the `--debug` flag: ``` yachie@virtual:~$ ausearch --message AVC --debug ( ... a ton of unrelated events ... ) Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile unprivileged unconfined converted to stacking" profile="unconfined" name="lsb_release" pid=5443 comm="aa-exec" Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 <no matches> ``` * This bug makes `auditd` very difficult to use on Ubuntu: having the `auditd` package installed hides AVC events from the kernel log AND `ausearch` doesn't reveal them, making AppArmor events seemingly vanish unless you know where to look. [ Test plan ] # Install the relevant packages 1. sudo apt install apparmor auditd # Run the reproducer 2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below: ``` root@jammy-vm:~# aa-exec --profile lsb_release bash bash: /etc/bash.bashrc: Permission denied bash: /root/.bashrc: Permission denied bash-5.1# exit ``` # Run `ausearch` and search for AVC events 3. ausearch --message AVC 3a. Unpatched package output (fail): ``` root@jammy-vm:~# ausearch --message AVC <no matches> ``` 3b. Patched package output (success): ``` root@jammy-vm:~# ausearch --message AVC ---- time->Tue Jul 14 21:03:18 2026 type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash" type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ---- time->Tue Jul 14 21:03:18 2026 type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash" type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ---- ( ...continues ) ``` [ Where problems could occur ] * Currently, all AppArmor events are treated as 'malformed' SELinux events when they are actually well-formed AppArmor events. * This patch modifies the filtration behavior of `ausearch` by making the `tclass` field optional, thus making AppArmor events be treated as well-formed SELinux events. * The regression risk with this patch is such that potentially well- formed events will be hidden by `ausearch` unintentionally, or truly malformed events will be allowed past the filter. * One major caveat is that regressions with respect to actual SELinux events are difficult to test on Ubuntu; some malformed SELinux events would potentially be allowed through the filter with this patch, or well-formed SELinux events hidden. This patch essentially trades correctness in the SELinux case for correctness in the AppArmor case. [ Other info ] * Debian likely doesn't want this patch, as Debian officially won't be making any changes until upstream does [3]. * Upstream `audit` can't move the AppArmor event id to the `1500` range any time soon. AppArmor was moved to the `1400` range to align with the Linux kernel LSM infrastructure [2]. * This patch comes from SUSE; they've been carrying it for well over a decade [4], and they seem to still be carrying it even after switching to SELinux by default [5]. Targeted releases: All currently supported releases and all releases moving forward until AppArmor moves back to the `1500` event range or Ubuntu switches to SELinux by default. [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726 [2] AA using 1400 reason: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39 [3] Debian `wontfix` closure: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88 [4] SUSE KB: https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US [5] SUSE Patch: https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch [ Original bug (for posterity after over a decade) ] The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat <no matches> ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions
Комментариев нет:
Отправить комментарий