From: Tyler Hicks
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Thu, 29 May 2014 17:15:53 +0200
Message-ID: <20140529151553.GA12950@boyd>
References: <53866422.5010709@suse.de> <20140529083152.GA18710@boyd> <1848635.5JdHFUO0Yd@x2>
In-Reply-To: <1848635.5JdHFUO0Yd@x2>
To: Steve Grubb
Cc: wpreston@suse.com, seth.arnold@canonical.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 2014-05-29 11:01:38, Steve Grubb wrote:
> On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote:
> > On 2014-05-28 15:33:06, Tony Jones wrote:
> > > This patch came from our L3 department. AppArmor LSM is logging using the
> > > common_lsm_audit() call but the audit userspace parsing code expects to
> > > see an SELinux tclass field. This patch doesn't address the lack of
> > > support for AppArmor in "aureport --avc". Talking to Seth Arnold,
> > > Canonical apparently has patches for this; if this is true perhaps they
> > > can post for inclusion.
> > Making the audit tools work with AppArmor generated events has been on
> > my todo list for quite a while, but no patches exist.
> >
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates.
> > AppArmor's AVCs don't
> > include that string, so an.avc_result and an.avc_perm would not be set,
> > would they?
>
> I have a feeling a whole lot of testing is needed for apparmor, smack, tomoyo,
> or any other LSM besides SE Linux. (Maybe they work fine? I don't know.)
> Ausearch/report, auparse, and auvirt would all need updating. I'd also suggest
> sending patches to the ausearch test suite so that it can verify correctness
> of finding events.

Agreed. It felt to me like it would be more work than just updating
parse_avc() to gain full support for other LSMs. In addition, updating the
ausearch test suite is a no-brainer so that you can easily test with
non-SELinux events. With that said, I don't think these things should be
prereqs for Tony's patch being merged.

> One last area, perhaps the prelude plugin might need some updating as
> well....but then again the prelude project kind of died any ways.

I'm not really familiar with prelude, but I'll keep it in mind.

Tyler

>
> -Steve
>
>
> > > Based-on-work-by: William Preston
> > > Signed-off-by: Tony Jones
> > >
> > > --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200
> > > +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200
> > > @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
> > >
> > >  	// Now get the class...its at the end, so we do things different
> > >  	str = strstr(term, "tclass=");
> > >
> > > -	if (str == NULL) {
> > > -		rc = 9;
> > > -		goto err;
> > > +	if (str) {
> > > +		str += 7;
> > > +		term = strchr(str, ' ');
> > > +		if (term)
> > > +			*term = 0;
> > > +		an.avc_class = strdup(str);
> > > +		if (term)
> > > +			*term = ' ';
> > >
> > >  	}
> > >
> > > -	str += 7;
> > > -	term = strchr(str, ' ');
> > > -	if (term)
> > > -		*term = 0;
> > > -	an.avc_class = strdup(str);
> > > -	if (term)
> > > -		*term = ' ';
> > >
> > >  	if (audit_avc_init(s) == 0) {
> > >
> > >  		alist_append(s->avc, &an);
> > >
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
>
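Review bot: dropping the `rc = 9; goto err;` path leaves an.avc_class untouched whenever tclass= is absent, yet the record is still handed to alist_append(s->avc, &an); confirm that `an` is zero-initialised earlier in parse_avc() so avc_class is NULL rather than indeterminate, and that every consumer of avc_class (output formatting, comparisons) null-checks it. The hunk should also come with an ausearch test-suite record that lacks tclass=, as suggested in the thread, and the description should say that tclass= is now optional rather than that AppArmor events are supported, since the "avc: " lookup earlier in parse_avc() still decides whether avc_result and avc_perm get set.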
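The behaviour discussed in this thread, as an added illustration that is not code from the audit userspace or from any poster: a minimal re-implementation of the tclass= lookup in its strict (pre-patch) and lenient (post-patch) forms, plus the "avc: " marker check Tyler refers to, run over a constructed SELinux AVC record and a constructed AppArmor record in the common_lsm_audit() style. The record strings and the names get_field(), is_selinux_avc() and parse_class() are assumptions for this example, not ausearch's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records, not taken from any real log. */
static const char SELINUX_AVC[] =
    "type=AVC msg=audit(1401376800.123:456): avc:  denied  { read } for  pid=1234 "
    "comm=\"cat\" name=\"shadow\" tcontext=system_u:object_r:shadow_t:s0 tclass=file";
static const char APPARMOR_AVC[] =
    "type=AVC msg=audit(1401376800.124:457): apparmor=\"DENIED\" operation=\"open\" "
    "profile=\"/usr/bin/cat\" name=\"/etc/shadow\" pid=1234 comm=\"cat\" denied_mask=\"r\"";

enum { PARSE_OK = 0, PARSE_NO_TCLASS = 9 };   /* rc values mirrored from parse_avc() */

/* Copy the unquoted value of "key=" (up to the next space) into out; 1 if found.
 * ausearch instead writes '\0' over that space and restores it after strdup(). */
static int get_field(const char *rec, const char *key, char *out, size_t len)
{
    const char *p = strstr(rec, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " ");
    if (n >= len) n = len - 1;            /* truncate rather than overflow out[] */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* parse_avc() first looks for the SELinux "avc: " marker; AppArmor's
 * common_lsm_audit() records lack it, so avc_result/avc_perm stay unset. */
int is_selinux_avc(const char *rec) { return strstr(rec, "avc: ") != NULL; }

/* strict: pre-patch behaviour (missing tclass= fails the record with rc 9);
 * lenient: post-patch behaviour (class is simply left empty). */
int parse_class(const char *rec, int strict, char *cls, size_t len)
{
    if (get_field(rec, "tclass=", cls, len))
        return PARSE_OK;
    cls[0] = '\0';
    return strict ? PARSE_NO_TCLASS : PARSE_OK;
}

int main(void)
{
    char cls[32];
    int rc = parse_class(SELINUX_AVC, 1, cls, sizeof cls);
    printf("selinux : avc=%d rc=%d class='%s'\n", is_selinux_avc(SELINUX_AVC), rc, cls);
    printf("apparmor: avc=%d strict rc=%d", is_selinux_avc(APPARMOR_AVC),
           parse_class(APPARMOR_AVC, 1, cls, sizeof cls));
    printf(" lenient rc=%d class='%s'\n", parse_class(APPARMOR_AVC, 0, cls, sizeof cls), cls);
    return 0;
}
```

The AppArmor record passes the lenient parser only because the class lookup was made optional; it still carries no "avc: " marker, so the earlier result/permission extraction in parse_avc() would find nothing.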