network operations not getting reported on karmic

Bug #427948 reported by Marc Deslauriers
Affects                  Status         Importance   Assigned to      Milestone
linux (Ubuntu)           Fix Released   Medium       John Johansen
  Karmic                 Fix Released   Medium       John Johansen

Bug Description

Binary package hint: apparmor

On karmic, with kernel 2.6.31-10.21: network operations are not getting reported.

How to test:

aa-genprof /bin/nc
nc -l 666

On jaunty:
Sep 11 11:26:14 sec-jaunty-amd64 kernel: [ 433.178487] type=1502 audit(1252682774.142:13): operation="socket_create" family="inet" sock_type="stream" protocol=6 pid=2722 profile="/bin/nc.traditional"
Sep 11 11:26:14 sec-jaunty-amd64 kernel: [ 433.178510] type=1502 audit(1252682774.142:14): operation="socket_post_create" family="inet" sock_type="stream" protocol=6 pid=2722 profile="/bin/nc.traditional"
Sep 11 11:26:14 sec-jaunty-amd64 kernel: [ 433.178543] type=1502 audit(1252682774.142:15): operation="socket_setsockopt" family="inet" sock_type="stream" protocol=6 pid=2722 profile="/bin/nc.traditional"
Sep 11 11:26:14 sec-jaunty-amd64 kernel: [ 433.178578] type=1502 audit(1252682774.142:16): operation="socket_listen" family="inet" sock_type="stream" protocol=6 pid=2722 profile="/bin/nc.traditional"
Sep 11 11:26:14 sec-jaunty-amd64 kernel: [ 433.178632] type=1502 audit(1252682774.142:17): operation="socket_accept" family="inet" sock_type="stream" protocol=6 pid=2722 profile="/bin/nc.traditional"

On Karmic, nothing shows up in the logs.

Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Kees Cook (kees)
Changed in apparmor (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This breaks aa-genprof, so increasing priority.

Changed in apparmor (Ubuntu):
importance: Low → Medium
Kees Cook (kees)
Changed in apparmor (Ubuntu Karmic):
milestone: none → ubuntu-9.10
Revision history for this message
John Johansen (jjohansen) wrote :

Network auditing was clearing the error field after it was assigned, so that the audit code always saw the network operation as a success, and as such wouldn't audit it unless forced auditing was turned on.

I have placed a test kernel at
kernel.ubuntu.com/~jj/linux-image-2.6.31-11-generic_2.6.31-11.38_amd64.deb

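The ordering mistake described in the comment above, as an added illustration written for this page (a simplified model, not the kernel's AppArmor code; the struct, function and flag names are assumptions): the audit path only writes a record for a failure unless forced auditing is on, so an error code that is wiped by a later structure initialization looks like a success and the denial is silently dropped.

```c
/* Added illustration, not the kernel's AppArmor code: a simplified model of
 * why network denials were never audited. All names here are assumptions.
 * The audit path only records a failure (error != 0) unless forced auditing
 * is on, so an error wiped by a later structure initialization reads as a
 * success and the event is dropped. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_FORCE 0x1   /* hypothetical "audit successes too" flag */

struct net_audit_data {
    const char *op;       /* e.g. "socket_create" */
    int family;           /* 2 = AF_INET (family="inet" in the log) */
    int sock_type;        /* 1 = SOCK_STREAM (sock_type="stream") */
    int protocol;         /* 6 = TCP (protocol=6) */
    int error;            /* 0 = allowed, negative errno = denied */
};

/* Zero the record and fill in the operation details. This is the
 * "structure initialization" the changelog entry refers to. */
static void net_audit_init(struct net_audit_data *sa, const char *op,
                           int family, int sock_type, int protocol)
{
    memset(sa, 0, sizeof(*sa));
    sa->op = op;
    sa->family = family;
    sa->sock_type = sock_type;
    sa->protocol = protocol;
}

/* Audit decision: denials are always reported; successes only when forced.
 * Returns 1 if a record would be emitted, 0 if the event is dropped. */
static int net_audit_emit(const struct net_audit_data *sa, int flags)
{
    if (sa->error == 0 && !(flags & AUDIT_FORCE))
        return 0;
    printf("operation=\"%s\" family=%d sock_type=%d protocol=%d error=%d\n",
           sa->op, sa->family, sa->sock_type, sa->protocol, sa->error);
    return 1;
}

/* Buggy ordering: the error is stored first, then the record is
 * initialized, which clears it. A denial is reported as a success. */
int audit_net_op_buggy(const char *op, int error, int flags)
{
    struct net_audit_data sa;
    sa.error = error;                       /* stored ... */
    net_audit_init(&sa, op, 2, 1, 6);       /* ... and wiped here */
    return net_audit_emit(&sa, flags);
}

/* Fixed ordering: initialize first, then set the error code. */
int audit_net_op_fixed(const char *op, int error, int flags)
{
    struct net_audit_data sa;
    net_audit_init(&sa, op, 2, 1, 6);
    sa.error = error;                       /* survives to the audit call */
    return net_audit_emit(&sa, flags);
}

int main(void)
{
    /* Same denied socket_create, with and without the fix. */
    printf("buggy emitted: %d\n", audit_net_op_buggy("socket_create", -EACCES, 0));
    printf("fixed emitted: %d\n", audit_net_op_fixed("socket_create", -EACCES, 0));
    return 0;
}
```

With the buggy ordering the denial only surfaces when forced auditing is enabled, which is exactly the symptom in the report: nothing in the logs, and aa-genprof has nothing to work from.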
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

kernel.ubuntu.com/~jj/linux-image-2.6.31-11-generic_2.6.31-11.38_amd64 works for me.

I tested this with this profile initially:

$ cat /etc/apparmor.d/bin.nc.openbsd
# Last Modified: Thu Oct 8 11:08:32 2009
#include <tunables/global>

/bin/nc.openbsd {
  #include <abstractions/base>

}

$ nc -l 10000
nc: Permission denied
[1]

and in /var/log/audit/audit.log:
type=APPARMOR_DENIED msg=audit(1255018273.352:37): operation="socket_create" pid=4468 parent=3435 profile="/bin/nc.openbsd" family="inet" sock_type="stream" protocol=6

Then I used aa-logprof:
$ sudo aa-logprof /bin/nc.openbsd
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /bin/nc.openbsd
Network Family: inet
Socket Type: stream

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/libvirt-qemu.dpkg-dist>
  3 - #include <abstractions/nameservice>
  4 - network inet stream

(A)llow / [(D)eny] / Audi(t) / Abo(r)t / (F)inish

Profile: /bin/nc.openbsd
Network Family: inet
Socket Type: stream

  1 - #include <abstractions/libvirt-qemu>
  2 - #include <abstractions/libvirt-qemu.dpkg-dist>
  3 - #include <abstractions/nameservice>
 [4 - network inet stream]

(A)llow / [(D)eny] / Audi(t) / Abo(r)t / (F)inish
Adding network access inet stream to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /bin/nc.openbsd]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/nc.openbsd.

$ nc -l 10000
(it worked)

I then removed the profile and used aa-genprof:
$ sudo apparmor_parser -R /etc/apparmor.d/bin.nc.openbsd
$ sudo rm /etc/apparmor.d/bin.nc.openbsd
$ sudo aa-genprof nc
Writing updated profile for /bin/nc.openbsd.
Setting /bin/nc.openbsd to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /bin/nc.openbsd

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /bin/nc.openbsd
Network Family: inet
Socket Type: stream

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/libvirt-qemu.dpkg-dist>
  3 - #include <abstractions/nameservice>
  4 - network inet stream

[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish

Profile: /bin/nc.openbsd
Network Family: inet
Socket Type: stream

  1 - #include <abstractions/libvirt-qemu>
  2 - #include <abstractions/libvirt-qemu.dpkg-dist>
  3 - #include <abstractions/nameservice>
 [4 - network inet stream]

[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish
Adding network access inet stream to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /bin/nc.openbsd]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing u...


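What aa-logprof is doing with those events in the comment above: it reads the `key="value"` pairs out of each audit line and turns `family` plus `sock_type` into the `network inet stream` rule it proposes, collapsing the several socket_* events of one connection into a single rule. The following is an added example written for this page, not the AppArmor tools' own code; the function names are assumptions, and the sample lines are copied from the two log formats shown in this report (the Jaunty syslog `type=1502` form and the Karmic `type=APPARMOR_DENIED` form, which order their fields differently).

```c
/* Added example, not AppArmor's own code: extract the fields aa-logprof
 * needs from AppArmor network audit events and derive the rule it proposes
 * ("network <family> <sock_type>"). Function names are assumptions; the
 * sample lines are copied from the bug report. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sample events: Jaunty syslog format (type=1502) and Karmic audit.log
 * format (type=APPARMOR_DENIED). Field order differs between the two, so
 * fields are looked up by name, never by position. */
const char *const SAMPLE_LOG[] = {
    "Sep 11 11:26:14 sec-jaunty-amd64 kernel: [  433.178487] type=1502 audit(1252682774.142:13): operation=\"socket_create\" family=\"inet\" sock_type=\"stream\" protocol=6 pid=2722 profile=\"/bin/nc.traditional\"",
    "Sep 11 11:26:14 sec-jaunty-amd64 kernel: [  433.178578] type=1502 audit(1252682774.142:16): operation=\"socket_listen\" family=\"inet\" sock_type=\"stream\" protocol=6 pid=2722 profile=\"/bin/nc.traditional\"",
    "Sep 11 11:26:14 sec-jaunty-amd64 kernel: [  433.178632] type=1502 audit(1252682774.142:17): operation=\"socket_accept\" family=\"inet\" sock_type=\"stream\" protocol=6 pid=2722 profile=\"/bin/nc.traditional\"",
    "type=APPARMOR_DENIED msg=audit(1255018273.352:37): operation=\"socket_create\" pid=4468 parent=3435 profile=\"/bin/nc.openbsd\" family=\"inet\" sock_type=\"stream\" protocol=6",
};
const int SAMPLE_LOG_COUNT = sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]);

/* Copy the value of key=value or key="value" into out. The key must start
 * the line or follow whitespace, so "type" does not match inside
 * "sock_type". Returns 1 on success, 0 if absent or too long. */
static int get_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || isspace((unsigned char)p[-1])) && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL)
                    return 0;
            } else {
                end = v;
                while (*end != '\0' && !isspace((unsigned char)*end))
                    end++;
            }
            size_t n = (size_t)(end - v);
            if (n >= outlen)
                return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* For a socket_* event, fill profile and the proposed rule
 * "network <family> <sock_type>". Returns 0 for non-network events. */
int aa_net_rule(const char *line, char *profile, size_t plen, char *rule, size_t rlen)
{
    char op[32], family[16], sock_type[16];
    if (!get_field(line, "operation", op, sizeof op))
        return 0;
    if (strncmp(op, "socket_", 7) != 0)
        return 0;   /* file, capability, exec, ... events are not handled here */
    if (!get_field(line, "family", family, sizeof family))
        return 0;
    if (!get_field(line, "sock_type", sock_type, sizeof sock_type))
        return 0;
    if (!get_field(line, "profile", profile, plen))
        return 0;
    if (snprintf(rule, rlen, "network %s %s", family, sock_type) >= (int)rlen)
        return 0;
    return 1;
}

/* Collapse many events into distinct "<profile>: <rule>" entries, the way
 * aa-logprof asks about one rule per profile rather than one per syscall.
 * Returns the number of entries written to out (at most max). */
int collapse_rules(const char *const lines[], int n, char out[][128], int max)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        char profile[64], rule[32], entry[128];
        if (!aa_net_rule(lines[i], profile, sizeof profile, rule, sizeof rule))
            continue;
        snprintf(entry, sizeof entry, "%s: %s", profile, rule);
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(out[j], entry) == 0) { dup = 1; break; }
        if (dup)
            continue;
        if (count == max)
            return count;
        strcpy(out[count++], entry);
    }
    return count;
}

int main(void)
{
    char rules[8][128];
    int n = collapse_rules(SAMPLE_LOG, SAMPLE_LOG_COUNT, rules, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", rules[i]);   /* one line per profile, not per event */
    return 0;
}
```

The three Jaunty events for /bin/nc.traditional collapse to one entry, and the Karmic denial for /bin/nc.openbsd gives a second; the bug in this report is that on an unfixed Karmic kernel the Karmic line never reached the log at all, so there was nothing for this step to collapse.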
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

kernel.ubuntu.com/~jj/linux-image-2.6.31-11-generic_2.6.31-11.38_amd64 appears to fix this for me also.

Revision history for this message
Tim Gardner (timg-tpi) wrote :
Changed in apparmor (Ubuntu Karmic):
status: Confirmed → Fix Committed
Kees Cook (kees)
affects: apparmor (Ubuntu Karmic) → linux (Ubuntu Karmic)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-13.43

---------------
linux (2.6.31-13.43) karmic; urgency=low

  [ Andy Whitcroft ]

  * Revert "[Upstream] acerhdf: Limit modalias matching to supported
    boards"

  [ Colin Watson ]

  * Use section 'admin' rather than 'base'

  [ John Johansen ]

  * SAUCE: AppArmor: Set error code after structure initialization.
    - LP: #427948
  * SAUCE: AppArmor: Fix off by 2 error in getprocattr mem allocation
    - LP: #446595

  [ Luke Yelavich ]

  * SAUCE: Add sr_mod to the scsi-modules udeb for powerpc

  [ Stefan Bader ]

  * [Upstream] acerhdf: Limit modalias matching to supported boards
    (supersedes previous revert made by Andy Whitcroft)
    - LP: #435958

 -- Tim Gardner <email address hidden> Fri, 09 Oct 2009 10:08:16 -0600

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released