[pkg-apparmor] Bug#826218: Bug#826218: Bug#826218: Complain still interferes

John Johansen john.johansen at canonical.com
Mon Jun 6 01:51:18 UTC 2016


On 06/05/2016 04:14 PM, Christian Boltz wrote:
> Hello,
> 
> On Sunday, 5 June 2016, 13:34:19 CEST, Guido Günther wrote:
>> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
>>> deny rules are enforced even if you switch the profile to complain
>>> mode, and don't leave any log events behind. You might want to
>>> change them to "audit deny" temporarily to get log events (with
>>> AUDIT).
>>
>> I did not know. Thanks! IMHO this needs to be mentioned in the
>> aa-complain manpage to fulfill the "no PhD in computer science needed
>> for" promise.
> 
> Good point. I just committed an updated manpage upstream (will be in 
> 2.11, 2.10.2 and 2.9.4 whenever they get released).
> 
>> The issue turned out to be environment scrubbing:
>>    
>> https://www.redhat.com/archives/libvir-list/2016-June/msg00117.html
>>
>> but I think the issue is still valid: getting an idea what gets
>> dropped to the floor is too hard atm. With complain mode I'd expect:
>>
>>     * denials logged by default
> 
> The whole point of deny rules is to silence the logging (except if they 
> also have the audit keyword).
> 
> You can enable the logging by adding the audit keyword, but the general 
> rule is not to log anything that is already handled (allowed or denied) 
> in the profile.

I will add that new versions of apparmor will be picking up a new mode
that will not apply quieting for known denials.

> 
>>     * a way to audit calls to subprocesses indicating whether the
>>       environment was scrubbed or not
> 
> You'll get this information by reading the profile ;-)   It already had 
> "/usr/sbin/* PUx" [1] which also allowed /usr/sbin/virtlogd - but with 
> environment scrubbing.
> 
> I'm CC'ing another upstream developer, but I wouldn't be surprised if he 
> tells you the same ;-)
> 
So the logging of scrubbing is not where I would like it at the moment. We do
have work planned around improving environment variable handling so this
hasn't been touched yet.

With that said, if you turn on debug mode apparmor will log a few extra
messages to dmesg (not via the audit subsystem). This will let you see
when environment scrubbing has been applied.

  echo 1 > /sys/module/apparmor/parameters/debug

Also note this isn't going to give you a flood of extra messages; it's just
for a few things like env scrubbing, clearing unsafe personality bits,
no new privs etc.

> @John: Do you have a different opinion on Guido's points?
> 

Yeah, we should be logging extra info. As for complain mode, we aren't
changing its behavior, but there will be a new mode that is closer to
what I think he wants.

Also it is possible to turn off deny audit quieting by doing

  echo -n noquiet >/sys/module/apparmor/parameters/audit

Sadly this is global, not per profile.

>>     * other stuff I might not even know about yet like DBus denials …
> 
DBus denials are weird in that they are handled by an apparmor extension
inside of the user space daemon which will use the audit subsystem if it
can (system bus + audit subsystem is set up) but will fall back to regular
syslog if it can't.

So session bus and system bus can end up in different logs, and there
are a few other oddities. There is some work that could be done to improve
it but right now priorities are elsewhere, and there is a hesitancy
to put a lot more effort into it until the whole kdbus thing is more
clear.

> Actually I can't tell you too much about DBus because only the Ubuntu 
> kernel has DBus support for AppArmor (it's not upstreamed yet), and I'm 
> using openSUSE ;-)
> 
Right, sorry, I still mean to get you experimental kernels in the build
service. I have just been sidetracked.
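
An added example, not part of the original message and not code from the AppArmor project: a small Python helper that finds the deny rules in a profile that carry no "audit" qualifier (the ones the thread says stay enforced but silent in complain mode) and produces a temporary copy with them turned into "audit deny". The function names and the sample profile are constructed for illustration, and the parsing is line-based, assuming one rule per line and no "#" inside a path.

```python
import re

# Leading qualifiers of an AppArmor rule: optional "audit", then "deny".
DENY_RE = re.compile(r"^(?P<indent>\s*)(?P<audit>audit\s+)?deny\s+(?P<body>\S.*)$")

# Constructed sample profile (not the libvirt profile from the thread).
SAMPLE_PROFILE = """\
profile example-daemon /usr/sbin/example-daemon flags=(complain) {
  /usr/sbin/* PUx,
  deny /etc/shadow r,            # silent, still enforced in complain mode
  audit deny /root/** w,         # already logs
  # deny /tmp/old rw,            (commented out, ignored)
  deny capability sys_admin,
}
"""


def quiet_deny_rules(profile_text):
    """Return (line_number, rule) for every deny rule that lacks "audit"."""
    found = []
    for number, line in enumerate(profile_text.splitlines(), start=1):
        code = line.split("#", 1)[0].rstrip()  # drop any trailing comment
        match = DENY_RE.match(code)
        if match and not match.group("audit"):
            found.append((number, code.strip()))
    return found


def with_audit_deny(profile_text):
    """Return the profile with each quiet deny rewritten as "audit deny"."""
    out = []
    for line in profile_text.splitlines():
        code = line.split("#", 1)[0].rstrip()
        match = DENY_RE.match(code)
        if match and not match.group("audit"):
            # The first "deny" on a matching line is the rule qualifier.
            line = line.replace("deny", "audit deny", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, rule in quiet_deny_rules(SAMPLE_PROFILE):
        print(f"line {number}: no log events for: {rule}")
    print(with_audit_deny(SAMPLE_PROFILE), end="")
```
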


