Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

From: Tyler Hicks <tyhicks@canonical.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: wpreston@suse.com, seth.arnold@canonical.com, linux-audit@redhat.com
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Fri, 30 May 2014 22:16:44 +0200	[thread overview]
Message-ID: <20140530201644.GA22335@boyd> (raw)
In-Reply-To: <31153503.SQnCbJNRtA@x2>

[-- Attachment #1.1: Type: text/plain, Size: 2868 bytes --]

On 2014-05-30 15:53:49, Steve Grubb wrote:
> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> > This patch came from our L3 department.  AppArmor LSM is logging using the
> > common_lsm_audit() call but the audit userspace parsing code expects to see
> > an SELinux tclass field. This patch doesn't address the lack of support for
> > AppArmor in "aureport --avc".  Talking to Seth Arnold, Canonical apparently
> > has patches for this; if this is true perhaps they can post for inclusion.
> > 
> > Based-on-work-by: William Preston <wpreston@suse.com>
> > Signed-off-by: Tony Jones <tonyj@suse.de>
> 
> I was looking at this patch and was wondering something. Does AppArmor produce 
> AUDIT_AVC events?

It does. Here's an odd ball that I picked out of my audit log:

type=AVC msg=audit(1400295012.391:11143): apparmor="DENIED" operation="mount" info="failed type match" profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=15761 comm="mount" fstype="cgroup" srcname="systemd" flags="rw, nosuid, nodev, noexec"

> If not, how does the code even get into parse_avc? IOW, is 
> there another part of the patch missing in the switch statement that direct 
> AUDIT_APPARMOR_*  events into parse_avc?

As you can see above, they already flow through parse_avc().

I spent a little time today getting a patch together to parse the
'apparmor="DENIED" operation="mount"' portion parsed to fill
an.avc_result and an.avc_perm.

It worked well with ausearch and aureport during some quick manual
testing. I'd like to do some more testing next week and, hopefully, add
some automated tests before I send it to the list.

Tyler

> 
> -Steve
> 
> > --- a/src/ausearch-parse.c      2014-05-21 14:45:22.000000000 +0200
> > +++ b/src/ausearch-parse.c      2014-05-21 14:53:55.000000000 +0200
> > @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
> > 
> >         // Now get the class...its at the end, so we do things different
> >         str = strstr(term, "tclass=");
> > -       if (str == NULL) {
> > -               rc = 9;
> > -               goto err;
> > +       if (str) {
> > +               str += 7;
> > +               term = strchr(str, ' ');
> > +               if (term)
> > +                       *term = 0;
> > +               an.avc_class = strdup(str);
> > +               if (term)
> > +                       *term = ' ';
> >         }
> > -       str += 7;
> > -       term = strchr(str, ' ');
> > -       if (term)
> > -               *term = 0;
> > -       an.avc_class = strdup(str);
> > -       if (term)
> > -               *term = ' ';
> > 
> >         if (audit_avc_init(s) == 0) {
> >                 alist_append(s->avc, &an);
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]