garbage ptrace events
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | |
Bug Description
[19:14:48] <cboltz> hmm, that's what I get from testing if the ptrace rules in the netstat profile are really needed
[19:15:01] <cboltz> without them, I get (besides some other events)
[19:15:05] <cboltz> type=AVC msg=audit(
[19:15:18] <cboltz> and target="" crashes aa-logprof :-/
[19:16:10] <cboltz> now the question is: what is the expected rule from this event? Or should I simply ignore events with empty target?
[20:33:15] <jjohansen> cboltz: interesting, I am assuming plain suse kernel?
[20:33:29] <cboltz> yes
[20:33:42] <cboltz> 4.10.13
[20:35:21] <cboltz> I also have log events with non-empty targets, for example
[20:35:25] <cboltz> target=
[20:35:25] <cboltz> target=
[20:35:25] <cboltz> target=80AB
[20:36:21] <cboltz> all of them decode to "non-readable" binary strings
[20:37:00] <jjohansen> right, so that is definitely a kernel bug
[20:58:05] <cboltz> so -
[20:58:14] <cboltz> - do you want/need a bugreport?
[20:58:31] <cboltz> - what should I do in the tools? Ignore ptrace events with target="" ?
[21:00:23] <cboltz> BTW: the reproducer is quite easy: grep -v ptrace /etc/apparmor.
[21:02:06] <jjohansen> cboltz: yeah you are going to have to ignore/just warn that there are some garbage ptrace events
Versions: openSUSE Tumbleweed, Kernel 4.10.13, aa-* utils from current bzr trunk
Patch for the tools sent.
As a sidenote: It would probably be a good idea if libapparmor would recognize ptrace events with target="" as invalid ;-)
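The handling suggested in the log above (ignore garbage ptrace events, or just warn about them) can be sketched as follows. This is an added example, not the patch sent for the aa-* tools and not libapparmor code. The record layout, the sample lines and the `classify` helper are assumptions constructed for illustration, with unquoted `target=` values treated as hex-encoded.

```python
import re

# key="quoted value" or key=unquoted (assumed: unquoted values are hex-encoded)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fields(line):
    """Map each key to (value, was_quoted)."""
    return {key: (inner, True) if raw.startswith('"') else (raw, False)
            for key, raw, inner in FIELD_RE.findall(line)}

def decode_target(value, quoted):
    """Quoted values are literal; unquoted ones are hex. None if undecodable."""
    if quoted:
        return value
    try:
        return bytes.fromhex(value).decode("utf-8")
    except ValueError:  # bad hex, or bytes that are not valid UTF-8
        return None

def classify(line):
    """Return ('ok', target), ('garbage', reason) or ('other', None)."""
    fields = parse_fields(line)
    if fields.get("operation") != ("ptrace", True):
        return ("other", None)
    if "target" not in fields:
        return ("garbage", "missing target")
    target = decode_target(*fields["target"])
    if target is None:
        return ("garbage", "undecodable target")
    if target == "":
        return ("garbage", "empty target")
    if not target.isprintable():
        return ("garbage", "non-printable target")
    return ("ok", target)

# Constructed sample records (timestamps, pids and field layout are made up).
PREFIX = ('type=AVC msg=audit(1000000000.000:%d): apparmor="DENIED" '
          'operation="ptrace" profile="netstat" pid=100 comm="netstat" ')
SAMPLE = [
    PREFIX % 1 + 'target=""',
    PREFIX % 2 + 'target=80AB',
    PREFIX % 3 + 'target="unconfined"',
    PREFIX % 4 + 'target=666F6F20626172',  # hex for "foo bar"
]

if __name__ == "__main__":
    for line in SAMPLE:
        kind, detail = classify(line)
        if kind == "garbage":
            print("warning: ignoring garbage ptrace event (%s)" % detail)
        elif kind == "ok":
            print("ptrace target:", detail)
```

Rejecting the event before any rule is built from it means an empty or binary target produces a warning instead of a crash or a bogus profile rule.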