Arch Linux

FS#60870 - [audit] ausearch does not support AppArmor entries

Attached to Project: Arch Linux
Opened by Maciek Borzecki (bboozzoo) - Tuesday, 20 November 2018, 10:04 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 09 December 2018, 20:15 GMT
Task Type Bug Report
Category Packages: Core
Status Assigned
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No
Using ausearch -m AVC does not list AppArmor related audit logs. Running with --debug, ausearch reports that the AppArmor events are malformed.

Additional info:
* package versions:
apparmor 2.13.1-3
audit 2.8.4-2

* default audit config

Steps to reproduce:
* cause AppArmor denial
* ausearch -m AVC does not list the denial
* ausearch -m AVC --debug lists AppArmor denials, e.g.:

$ ausearch -ts today --debug
time->Tue Nov 20 07:06:20 2018
type=SERVICE_STOP msg=audit(1542693980.189:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-coredump@7-25644-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Malformed event skipped, rc=9. type=AVC msg=audit(1542697043.919:310): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3261 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Malformed event skipped, rc=9. type=AVC msg=audit(1542697046.866:311): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3285 comm="evil" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
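The denials that ausearch skips here can still be pulled out of a raw audit.log by a small parser. This is an added example, not part of the report or of the audit package; it assumes only the key=value record layout visible in the --debug output above, and uses the three records from the report as its sample input.

```python
import re
from typing import Dict, List, Optional

# Audit record header: "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>".
# search() rather than match() so lines copied from "ausearch --debug"
# (prefixed with "Malformed event skipped, rc=9.") parse like raw audit.log lines.
HEADER_RE = re.compile(
    r'type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# Body fields are key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit record into a flat dict of fields, or None for non-record lines."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": m.group("ts"), "serial": m.group("serial")}
    for key, val in KV_RE.findall(m.group("body")):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]          # strip the quotes, keep the raw value otherwise
        rec[key] = val
    return rec

def apparmor_denials(lines) -> List[Dict[str, str]]:
    """Select AVC records carrying apparmor="DENIED" (the ones ausearch reports as malformed)."""
    found = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec and rec["type"] == "AVC" and rec.get("apparmor") == "DENIED":
            found.append(rec)
    return found

def denial_summary(rec: Dict[str, str]) -> str:
    """One-line, grep-friendly summary of a denial for review or alerting."""
    return (f'{rec["timestamp"]} profile={rec.get("profile")} op={rec.get("operation")} '
            f'name={rec.get("name")} denied={rec.get("denied_mask")} '
            f'pid={rec.get("pid")} comm={rec.get("comm")} fsuid={rec.get("fsuid")}')

# Sample input: the three records from the report above as they appear in raw audit.log,
# i.e. without ausearch's "Malformed event skipped" prefix.
SAMPLE_LOG = [
    'type=SERVICE_STOP msg=audit(1542693980.189:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg=\'unit=systemd-coredump@7-25644-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'type=AVC msg=audit(1542697043.919:310): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3261 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1542697046.866:311): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=3285 comm="evil" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for rec in apparmor_denials(SAMPLE_LOG):
        print(denial_summary(rec))
```

The nested msg='...' payload of non-AVC records is left as-is rather than unwrapped, since only the AVC fields matter here.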

Comment by Levente Polyak (anthraxx) - Tuesday, 20 November 2018, 13:37 GMT
Why is this an audit issue? This should be related to AppArmor profiles that just trigger audit log entries.
Comment by Maciek Borzecki (bboozzoo) - Tuesday, 20 November 2018, 14:35 GMT
AFAICT the denials always end up in audit.log, that's handled by auditd. I've tracked down the problem to this patch which is already applied in openSUSE. Rebuilding the package locally with the patch and `--with-apparmor` makes ausearch properly show the new entries and ones that were logged before.

Let me know if I can be of any help.
Comment by Levente Polyak (anthraxx) - Tuesday, 20 November 2018, 15:32 GMT
The patch is over 4 years old and nothing that supports it was ever properly upstreamed.

You should trigger this discussion with the upstream author and convince them to have something like an #ifdef or similar that was already mentioned once.
We don't want to carry around feature-sensitive custom patches for all eternity; if you want to see this happening, we are going to need a good solution to be upstreamed that makes the author and AppArmor users both happy.

TLDR: please bring this upstream and trigger a solution there, last one is 4 years old.
Comment by Maciek Borzecki (bboozzoo) - Tuesday, 20 November 2018, 16:59 GMT
Thanks. I'll try to work with the upstream and see where that gets me.
Comment by Levente Polyak (anthraxx) - Tuesday, 20 November 2018, 17:02 GMT
Yes, please do! It doesn't make sense to let all the distros carry around the very same patch if it can be upstreamed to at least let everyone properly use the same. No crazy amount of testing needs to be done by the author. An #ifdef could be enough, as distros will switch that on themselves when needed; I don't quite see the downside compared to all Linux distros copying a patch over and over again.
Comment by Jake Kreiger (Magali75) - Tuesday, 20 November 2018, 17:22 GMT
Comment by Levente Polyak (anthraxx) - Monday, 01 April 2019, 20:59 GMT
Any updates on this upstream issue?
Comment by Maciek Borzecki (bboozzoo) - Tuesday, 02 April 2019, 16:58 GMT
Sorry. Life & work caught up with me. I'll try to sort this out with upstream this week.
Comment by Maciek Borzecki (bboozzoo) - Wednesday, 03 April 2019, 06:15 GMT