[apparmor] [PATCH] Adjust notify group name
Kees Cook
kees at ubuntu.com
Thu Apr 26 18:56:31 UTC 2012
On Wed, Apr 25, 2012 at 03:51:46PM -0700, Seth Arnold wrote:
> On Wed, Apr 25, 2012 at 12:11 PM, Kees Cook <kees at ubuntu.com> wrote:
> > But aa-notify runs as the user and reads the log files directly... what
> > am I misunderstanding?
>
> aa-notify gains and drops privileges repeatedly when running:
Nope. It _can_ do that, but it isn't installed setuid:
$ ps -ef | grep aa-notify
kees 14119 1 0 Apr10 ? 00:03:27 /usr/bin/perl /usr/bin/aa-notify -p -s 1 -w 60
$ grep '^[UG]id:' /proc/14119/status
Uid: 500 500 500 500
Gid: 500 500 500 500
> Of course, the audit daemon and tools more or less enforcing mode 700 on
> /var/log/audit and /var/log/audit/audit.log is a serious complicating
> factor for this tool -- I personally would rather see an audispd-derived
> daemon to send messages to dbus. (Not that I'm a huge fan of dbus, but it
> exists for very nearly this purpose.)
Yeah, this is somewhere on the TODO list...
-Kees
--
Kees Cook
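The check Kees runs above (grepping the Uid:/Gid: lines of /proc/PID/status) can be generalised into a small script that parses a status block and reports whether the process holds one identity (all four ids equal, as in the output above) or has switched real, effective, saved or filesystem ids. This is an added example for illustration, not code from the thread or from the AppArmor project; the function names `check_ids` and `check_pid` and the sample status blocks are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a /proc/<pid>/status
# block by its Uid:/Gid: lines. Each line carries four ids:
#   label  real  effective  saved  filesystem
# "uniform" means all four match on both lines (no id switching in effect);
# "mixed" means at least one differs; "unknown" means the lines were not found.

# check_ids: reads a status block on stdin, prints the classification.
check_ids() {
    awk '
        /^[UG]id:/ {
            # compare effective, saved and filesystem ids against the real id
            if ($2 != $3 || $2 != $4 || $2 != $5) mixed = 1
            seen++
        }
        END {
            if (seen != 2) { print "unknown"; exit 1 }
            print (mixed ? "mixed" : "uniform")
        }'
}

# check_pid: run the check against a live process by pid.
check_pid() {
    check_ids < "/proc/$1/status"
}

# Constructed sample blocks (not captured from real processes).
# The first mirrors the shape of the output in the mail: one identity throughout.
SAMPLE_UNIFORM='Name:	perl
Uid:	500	500	500	500
Gid:	500	500	500	500'

# The second is what a process that has raised its effective id would show.
SAMPLE_MIXED='Name:	example
Uid:	500	0	0	500
Gid:	500	500	500	500'

# Usage:
#   printf '%s\n' "$SAMPLE_UNIFORM" | check_ids
#   check_pid 14119
```

Feeding a live `/proc/<pid>/status` to `check_ids` (or calling `check_pid <pid>`) answers the question raised in the thread for any process: a "uniform" result with the user's own uid, as in Kees's output, means the tool is not running with switched ids at that moment.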