[pkg-apparmor] Bug#826218: Bug#826218: Complain still interferes

Guido Günther agx at sigxcpu.org
Sun Jun 5 11:34:19 UTC 2016


Hi Christian,

On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> Hello,
> 
> Am Samstag, 4. Juni 2016, 15:04:04 CEST schrieb Guido Günther:
> > Well, there are no DENIED messages - that's the puzzling part and the
> > reason for this bug. They should all also contain "audit" and end
> > up in dmesg so my grep expression should have caught them
> 
> Does the profile contain any   deny   rules?
> If unsure, run
>     apparmor_parser -pq /etc/apparmor.d/the.profile.to.check | grep deny
> (this will print out the profile with all includes merged in)

  $ apparmor_parser -pq /etc/apparmor.d/usr.sbin.libvirtd  | grep -i deny
  #   deny ptrace (readby) ...
  #   deny ptrace (tracedby) ...
  audit deny /sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,

> deny rules are enforced even if you switch the profile to complain mode, 
> and don't leave any log events behind. You might want to change them 
> to "audit deny" temporarily to get log events (with AUDIT).

I did not know. Thanks! IMHO this needs to be mentioned in the
aa-complain manpage to fulfill the "no PhD in computer science needed
for" promise.

> BTW: If you switch the profile to complain mode, the messages will 
> contain ALLOWED instead of DENIED.

The issue turned out to be environment scrubbing:

    https://www.redhat.com/archives/libvir-list/2016-June/msg00117.html

but I think the issue is still valid: getting an idea what gets dropped
to the floor is too hard atm. With complain mode I'd expect:

    * denials logged by default
    * a way to audit calls to subprocesses indicating whether the
      environment was scrubbed or not
    * other stuff I might not even know about yet like DBus denials …

Otherwise it will be hard to scale out to Debian developers enabling
(and fixing) profiles for their packages and that's IMHO the only way
to get apparmor coverage.

Cheers,
 -- Guido

> --
> [AppArmor] Unlike SELinux, it does not require a PhD in computer
> security to get it working... [Peter Czanik in opensuse-factory]

…what about keeping it working?
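An added example, not part of this thread or of the AppArmor project, that applies Christian's point above: it parses the flattened output of `apparmor_parser -pq`, skips commented-out lines such as the `#   deny ptrace` ones in the listing, and separates `audit deny` rules from plain `deny` rules, which stay enforced and unlogged even in complain mode. The profile text is a constructed sample modelled on the listing, not a real libvirtd profile.

```python
import re

# Constructed sample of what `apparmor_parser -pq <profile>` prints: a
# flattened profile with includes merged in. Not a real libvirtd profile.
SAMPLE_PROFILE = """\
/usr/sbin/libvirtd flags=(complain) {
  #   deny ptrace (readby) ...
  #   deny ptrace (tracedby) ...
  audit deny /sbin/apparmor_parser rwxl,
  deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  owner /var/lib/libvirt/** rw,
  deny network raw,
  dbus send bus=system,
}
"""

# A deny rule is "deny ...", optionally prefixed by "audit" (and "owner").
# Group 1 captures the audit qualifier, group 2 the rule body without the
# trailing comma.
DENY_RE = re.compile(r"^\s*(?:(audit)\s+)?(?:owner\s+)?deny\s+(.*?),?\s*$")

def strip_comment(line):
    """Drop a '#' comment so commented-out rules are not reported."""
    return line.split("#", 1)[0]

def find_deny_rules(profile_text):
    """Return (audited, silent) deny rules found in a flattened profile.

    'silent' rules are enforced in complain mode and produce no log event;
    'audited' rules produce an AUDIT event and show up in dmesg/auditd.
    """
    audited, silent = [], []
    for raw in profile_text.splitlines():
        m = DENY_RE.match(strip_comment(raw))
        if not m:
            continue
        rule = "deny " + m.group(2)
        (audited if m.group(1) else silent).append(rule)
    return audited, silent

def with_audit(rule):
    """Rewrite a silent deny rule as 'audit deny ...' (temporary debugging aid)."""
    return "audit " + rule

if __name__ == "__main__":
    audited, silent = find_deny_rules(SAMPLE_PROFILE)
    for r in silent:
        print("silent in complain mode:", r)
        print("  temporary replacement:", with_audit(r) + ",")
```

Run it against real output with `apparmor_parser -pq /etc/apparmor.d/<profile> | python3 this_script.py` after replacing `SAMPLE_PROFILE` with `sys.stdin.read()`.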
