Page 2 of 2
Results 11 to 16 of 16

Thread: AppArmor enforce program without logging

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor enforce program without logging

    Quote Originally Posted by BkkBonanza View Post
    Good idea. I added it in launchpad. I couldn't find a place for feature requests so I marked it as feature request and submitted it in bugs section. Maybe some day we'll have the option "per profile logging".

    PS. I've already got 4.3MB in the apparmor log in 2 days...
    I agree. Apparmor makes too much noise in the logs.

    I think the strategy is to allow everything that is "normal" and thus make the logs as quiet as possible, but logs are still too noisy to be useful.

    Perhaps a log level, similar to iptables, or a limit.

    Do you have a link to your launchpad feature request? I will add those two suggestions.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #12
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    Here is the link.
    https://bugs.launchpad.net/apparmor/+bug/770671

    Someone posted a comment that confuses me more about how rules affect logging. I thought my log messages were from denied activity but he suggests logging only occurs when "audit" is added to a deny rule. I don't know as I don't have "audit" anywhere in my rules but I get a lot of log messages that are tagged with "audit".

  3. #13
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor enforce program without logging

    Quote Originally Posted by BkkBonanza View Post
    Here is the link.
    https://bugs.launchpad.net/apparmor/+bug/770671

    Someone posted a comment that confuses me more about how rules affect logging. I thought my log messages were from denied activity but he suggests logging only occurs when "audit" is added to a deny rule. I don't know as I don't have "audit" anywhere in my rules but I get a lot of log messages that are tagged with "audit".
    From the apparmor.d man page:
    deny Specifies that permissions requests that match the rule should be denied without logging. Can be combined with 'audit' to enable logging.
    So adding a specific "deny" rule for the error in question should make apparmor stop logging it. You can also see this in action by looking at the included Firefox profile. It has a section that looks like this:

    Code:
    # noisy
      deny /usr/lib/firefox-4.0/** w,
      deny /usr/lib/firefox-addons/** w,
      deny /usr/lib/xulrunner-addons/** w,
      deny /usr/lib/xulrunner-*/components/*.tmp w,
      deny /.suspended r,
      deny /boot/initrd.img* r,
      deny /boot/vmlinuz* r,
      deny /var/cache/fontconfig/ w,
      deny @{HOME}/.local/share/recently-used.xbel r,
    I presume "noisy" means these are errors that can be denied without any functionality issues and thus the author doesn't want them to be logged.

    If you have specifically "denied" the errors in question in your profile and it still logs, you might have a legit bug report.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  4. #14
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor enforce program without logging

    Perhaps I do. The log messages look like this, though they do vary sometimes.

    Apr 27 04:23:48 localhost kernel: [231845.192108] type=1400 audit(1303853028.402:23373): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/1389/task/" pid=1390 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

    And doing a search of "audit" in my skype profile shows that the word isn't anywhere in the file. I didn't check the standard includes.
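    Worked example, added here and not code from anyone in this thread: a small Python script that parses kernel audit lines in exactly the format quoted above (`type=1400 ... apparmor="DENIED" ...`), groups the denials by profile, path and denied mask so the noisiest ones surface first, and prints the two candidate profile lines the replies discuss: a bare `deny` rule, which the apparmor.d man page quoted in #13 says is not logged unless `audit` is added, or a plain allow rule of the kind the next reply suggests for `/proc/*/task/`. The generalization of numeric path components (PIDs) to `*`, the function names, and the two extra sample lines are my own constructions; the first sample line is the one posted above.

```python
import re

# Sample log lines. The first is the DENIED line quoted in this thread;
# the other two are constructed variants (different PID, a different path,
# and one unrelated kernel line) to show grouping and filtering.
SAMPLE_LOG = (
    'Apr 27 04:23:48 localhost kernel: [231845.192108] type=1400 '
    'audit(1303853028.402:23373): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/bin/skype" name="/proc/1389/task/" pid=1390 comm="skype" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)
SAMPLE_LINES = [
    SAMPLE_LOG,
    # constructed: same access from a different PID
    'Apr 27 04:23:49 localhost kernel: [231846.001000] type=1400 '
    'audit(1303853029.100:23374): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/bin/skype" name="/proc/1392/task/" pid=1393 comm="skype" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # constructed: a write denial on a file under the home directory
    'Apr 27 04:23:50 localhost kernel: [231847.002000] type=1400 '
    'audit(1303853030.200:23375): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/bin/skype" name="/home/user/.local/share/recently-used.xbel" '
    'pid=1390 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    # constructed: unrelated kernel message that must be skipped
    'Apr 27 04:24:01 localhost kernel: [231858.000000] usb 1-1: new high-speed USB device',
]

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not a type=1400 AppArmor record."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def generalize_path(path):
    """Replace purely numeric path components (PIDs, TIDs) with '*', so one
    rule covers every process rather than the single PID that was logged.
    This generalization is an assumption of this example, not AppArmor's own."""
    return "/".join("*" if part.isdigit() else part for part in path.split("/"))


def suggest_rules(fields):
    """Build the two candidate profile lines for one denial: a silent deny
    (not logged unless prefixed with 'audit', per the apparmor.d man page)
    and a plain allow that makes the access legitimate."""
    path = generalize_path(fields["name"])
    mask = fields["denied_mask"]
    return {"deny": f"deny {path} {mask},", "allow": f"{path} {mask},"}


def summarize(lines):
    """Count DENIED records by (profile, generalized path, mask), most frequent first."""
    counts = {}
    for line in lines:
        fields = parse_apparmor_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        key = (fields["profile"], generalize_path(fields["name"]), fields["denied_mask"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for (profile, path, mask), count in summarize(SAMPLE_LINES):
        print(f"{count:4d}  profile={profile}  {path}  {mask}")
        rules = suggest_rules({"name": path, "denied_mask": mask})
        print(f"      quiet:  {rules['deny']}")
        print(f"      allow:  {rules['allow']}")
```

Run it against `/var/log/kern.log` by feeding the file's lines to `summarize()`; whether to add the `deny` line (silence the denial) or the allow line (permit the access) is a judgement about the program, which is what the "noisy" section of the Firefox profile quoted in #13 records for that application.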

  5. #15
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor enforce program without logging

    I usually allow read only access to that kind of thing, to quiet the logs.

    /proc/*/task/* r,
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #16
    Join Date
    Sep 2010
    Beans
    898

    Re: AppArmor enforce program without logging

    I've redirected apparmor messages to /var/log/apparmor.log, as described above. (But I used the search string "audit(", since "apparmor" isn't present in my messages.)

    I've also installed apparmor-notify to get popup notifications of denials. Since /usr/bin/apparmor_notify looks in /var/log/kern.log for the messages, I had to make the following change:

    Code:
    Edited /etc/X11/Xsession.d/90apparmor-notify and changed:
        /usr/bin/apparmor_notify -p -s 1 -w 60
    to:
        /usr/bin/apparmor_notify -p -s 1 -w 60 -f /var/log/apparmor.log
    Maybe all this stuff should be placed in a wiki.

