aa-logprof attaches events to wrong profile on pid reuse

Bug #1791800 reported by Christian Boltz
This bug affects 2 people
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

(reported by NickJr on IRC)

Mar 28 09:00:01 hostname kernel: [712243.093475] audit: type=1400 audit(1523955601.819:403): apparmor="DENIED" operation="open" profile="/usr/bin/php7.0" name="/var/www/html/nextcloud/data/nextcloud.log" pid=29929 comm="php" requested_mask="ac" denied_mask="ac" fsuid=33 ouid=33

Apr 17 11:31:17 hostname kernel: [646966.179533] audit: type=1400 audit(1522236677.800:61906): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/postfix//null-2" name="/usr/lib/postfix/sbin/pickup" pid=29929 comm="master" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This will cause aa-logprof to ask if the php7.0 profile (!) should be allowed to exec postfix/pickup (verified in latest git code as of today). The reason is that both events have the same pid, which got reused after some weeks.

-> The log parsing should look at the profile name, not at the pid.

(Needless to say that this is not an easy change ;-) so doing it will probably need time.)

Tags: aa-tools
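
The misattribution described in this report, as an added example that is not aa-logprof's code: a simplified model that attributes the two logged events once by pid and once by the profile field. The function names are hypothetical, and mapping a `//null-N` child to its parent profile is an assumption of this sketch.

```python
import re

# The two audit records from the report (syslog prefix dropped).
LOG = [
    'audit: type=1400 audit(1523955601.819:403): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/php7.0" name="/var/www/html/nextcloud/data/nextcloud.log" '
    'pid=29929 comm="php" requested_mask="ac" denied_mask="ac" fsuid=33 ouid=33',
    'audit: type=1400 audit(1522236677.800:61906): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/sbin/postfix//null-2" name="/usr/lib/postfix/sbin/pickup" '
    'pid=29929 comm="master" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}

def owner(profile):
    """Map a complain-mode '//null-N' child to its parent profile (assumption)."""
    return profile.split("//null-", 1)[0]

def attribute_by_pid(lines):
    """Pid-keyed model: the first profile seen for a pid owns every later event of that pid."""
    pid_owner, out = {}, {}
    for ev in map(parse, lines):
        prof = pid_owner.setdefault(ev["pid"], owner(ev["profile"]))
        out.setdefault(prof, []).append((ev["operation"], ev["name"]))
    return out

def attribute_by_profile(lines):
    """Profile-keyed model: each event goes to the profile named in its own record."""
    out = {}
    for ev in map(parse, lines):
        out.setdefault(owner(ev["profile"]), []).append((ev["operation"], ev["name"]))
    return out

if __name__ == "__main__":
    for fn in (attribute_by_pid, attribute_by_profile):
        print(fn.__name__)
        for prof, events in fn(LOG).items():
            print("  ", prof, events)
```

With pid keying, the exec of postfix/pickup lands under `/usr/bin/php7.0`; with profile keying it lands under `/usr/sbin/postfix`.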