AUDIT_USER_AVC messages are not printk'ed when auditd is not running

Bug #1473584 reported by Tyler Hicks
Affects                    Status        Importance  Assigned to  Milestone
linux-flo (Ubuntu)         Fix Released  Medium      Tyler Hicks
  Vivid                    Fix Released  Undecided   Unassigned
linux-goldfish (Ubuntu)    Fix Released  Undecided   Unassigned
  Vivid                    Fix Released  Undecided   Unassigned
linux-mako (Ubuntu)        Fix Released  Medium      Tyler Hicks
  Vivid                    Fix Released  Undecided   Unassigned
linux-manta (Ubuntu)       Fix Released  Medium      Tyler Hicks
  Vivid                    Fix Released  Undecided   Unassigned

Bug Description

The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:

  0868a5e150bc4c47e7a003367cd755811eb41e0b

What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials.

== Verification Steps ==

# Load an AppArmor profile for testing
$ echo "profile test { file, signal, unix, }" | sudo apparmor_parser -rq

# Verify that we can talk to the system bus
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return sender=org.freedesktop.DBus -> dest=:1.90 reply_serial=2
   array [
      string "org.freedesktop.DBus"
   ...

# Clear the dmesg buffer
$ sudo dmesg -C

# Attempt to talk to the system bus under confinement
$ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

# We should now see an AppArmor denial in the dmesg output.
# Successful fix verification *must* show the denial from the D-Bus daemon.
$ sudo dmesg | grep DENIED
[ 187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6721 label="test" peer_label="unconfined"
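
A parser for the type=1107 (USER_AVC) record that the last verification step greps for, added here as an example and not part of the original report or of any Ubuntu tooling. The function names are assumptions, and every sample line except the first (copied from the report) is constructed.

```python
import re

AUDIT_USER_AVC = 1107  # the "type=1107" in the dmesg line from the report

RECORD_RE = re.compile(
    r"^(?:\[\s*(?P<uptime>[\d.]+)\]\s*)?type=(?P<type>\d+)\s+"
    r"audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value

def _pairs(text):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR_RE.finditer(text)}

def parse_user_avc(line):
    """Return a dict for a USER_AVC record, or None for any other line."""
    m = RECORD_RE.match(line.strip())
    if not m or int(m.group("type")) != AUDIT_USER_AVC:
        return None
    # Fields before msg=' describe the process that sent the record (here the
    # D-Bus daemon); the quoted payload is the denial that process reported.
    header, _, payload = m.group("body").partition("msg='")
    return {"epoch": float(m.group("epoch")), "serial": int(m.group("serial")),
            "sender": _pairs(header), "payload": _pairs(payload.rstrip("'"))}

def apparmor_denials(lines):
    """Keep only USER_AVC records whose payload says apparmor="DENIED"."""
    records = (parse_user_avc(line) for line in lines)
    return [r for r in records
            if r and r["payload"].get("apparmor") == "DENIED"]

SAMPLE_LINES = [
    # From the report; the closing quote of msg='...' is absent there too.
    ('[ 187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 '
     'auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" '
     'operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" '
     'interface="org.freedesktop.DBus" member="Hello" mask="send" '
     'name="org.freedesktop.DBus" pid=6721 label="test" peer_label="unconfined"'),
    # Constructed: kernel-mediated denial, a different record type.
    ('[ 190.000000] type=1400 audit(1438385690.000:150): apparmor="DENIED" '
     'operation="open" profile="test" name="/tmp/example" pid=6800 comm="cat"'),
    # Constructed: USER_AVC record that is not a denial.
    ('[ 192.000000] type=1107 audit(1438385692.000:151): pid=826 uid=102 '
     'msg=\'apparmor="ALLOWED" operation="dbus_method_call" bus="system" '
     'member="ListNames" mask="send" pid=6900 label="test"\''),
    "[ 193.000000] usb 1-1: new high-speed USB device",  # constructed, unrelated
]

if __name__ == "__main__":
    for rec in apparmor_denials(SAMPLE_LINES):
        p = rec["payload"]
        print(rec["serial"], p["operation"], p["member"], p["label"], p["pid"])
```

Run over the dmesg output captured after the confined dbus-send call, an empty result means the record from the D-Bus daemon did not reach the kernel log.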

Tyler Hicks (tyhicks) wrote :
Changed in linux-flo (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
Changed in linux-manta (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux-flo (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-manta - 3.4.0-7.32

---------------
linux-manta (3.4.0-7.32) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:49:51 -0700

Changed in linux-manta (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-flo - 3.4.0-4.18

---------------
linux-flo (3.4.0-4.18) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:39:54 -0700

Changed in linux-flo (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-mako - 3.4.0-6.37

---------------
linux-mako (3.4.0-6.37) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:53:48 -0700

Changed in linux-mako (Ubuntu):
status: In Progress → Fix Released
Adam Conrad (adconrad)
Changed in linux-goldfish (Ubuntu):
status: New → Fix Released
Adam Conrad (adconrad) wrote :

The following backports to vivid have been accepted in vivid-proposed, please verify them:

[ubuntu/vivid-proposed] linux-mako 3.4.0-6.37~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-manta 3.4.0-7.32~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-flo 3.4.0-4.18~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-goldfish 3.4.0-4.24~15.04.1 (Accepted)

tags: added: verification-needed
Changed in linux-flo (Ubuntu Vivid):
status: New → Fix Committed
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Fix Committed
Changed in linux-mako (Ubuntu Vivid):
status: New → Fix Committed
Changed in linux-manta (Ubuntu Vivid):
status: New → Fix Committed
Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks) wrote :

Verified on a mako device.

Tyler Hicks (tyhicks) wrote :

Verified in a goldfish vm.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-flo - 3.4.0-4.18~15.04.1

---------------
linux-flo (3.4.0-4.18~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:39:54 -0700

Changed in linux-flo (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-manta - 3.4.0-7.32~15.04.1

---------------
linux-manta (3.4.0-7.32~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:49:51 -0700

Changed in linux-manta (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-mako - 3.4.0-6.37~15.04.1

---------------
linux-mako (3.4.0-6.37~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:53:48 -0700

Changed in linux-mako (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-goldfish - 3.4.0-4.24~15.04.1

---------------
linux-goldfish (3.4.0-4.24~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner <email address hidden> Mon, 13 Jul 2015 14:57:44 -0700

Changed in linux-goldfish (Ubuntu Vivid):
status: Fix Committed → Fix Released