[apparmor] tomcat 8
Me Self
wmsopou at gmail.com
Thu Mar 31 07:40:14 UTC 2016
The null profiles shown in the output from aa-status seem to originate from
bugs in the perl code. I managed to create a policy by profiling Java
directly. The tomcat valve however complains that it cannot change hat.
Doesn't look like anyone is using this changehat.
[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199414.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199414.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199416.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199416.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199418.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199418.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199420.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199420.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199422.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199422.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199424.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199424.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199426.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199426.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199428.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199428.
Use of uninitialized value in split at /usr/share/perl5/Immunix/AppArmor.pm
line 2811, <$LOG> line 2199430.
Use of uninitialized value $profile in string ne at
/usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199430.
On Wed, Mar 30, 2016 at 11:01 PM, Me Self <wmsopou at gmail.com> wrote:
> And btw I tried adding a java profile first but I still get the null
> profiles.
>
> On Wed, Mar 30, 2016 at 11:00 PM, Me Self <wmsopou at gmail.com> wrote:
>
>> Sometimes when I scan the log file I get some perl script errors, see
>> below. The number of profiles with null in their names, as seen from the
>> output of aa-status, seems to correlate with the scan errors.
>>
>> [(S)can system log for AppArmor events] / (F)inish
>> Reading log entries from /var/log/syslog.
>> Updating AppArmor profiles in /etc/apparmor.d.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199414.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199414.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199416.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199416.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199418.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199418.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199420.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199420.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199422.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199422.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199424.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199424.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199426.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199426.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199428.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199428.
>> Use of uninitialized value in split at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2811, <$LOG> line 2199430.
>> Use of uninitialized value $profile in string ne at
>> /usr/share/perl5/Immunix/AppArmor.pm line 2819, <$LOG> line 2199430.
>>
>>
>> On Wed, Mar 30, 2016 at 2:52 PM, Christian Boltz <apparmor at cboltz.de>
>> wrote:
>>
>>> Hello,
>>>
>>> On Wednesday, 30 March 2016, 14:23:58 CEST, Me Self wrote:
>>> > I'm trying to profile tomcat 8 but the profile contains fewer rules than
>>> > I would expect.
>>> >
>>> > This is what I do:
>>> >
>>> > sudo aa-genprof /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
>>> >
>>> > Then start tomcat, load a page, stop tomcat.
>>>
>>> I'd skip the "load a page" part on the first run to produce less
>>> audit.log entries, and do a second run with loading a page.
>>>
>>> > These rules seem to be related to the script itself and not the JVM it's
>>> > spawning. I also tried running aa-complain but it didn't add anything
>>> > new to the profile.
>>> >
>>> > In the syslog I see messages such as this (the webapp is ROOT.war). What
>>> > does the /null-50 in the profile attr mean?
>>> >
>>> > [174402.483458] type=1400 audit(1459339942.803:1134393):
>>> > apparmor="ALLOWED" operation="getattr"
>>> > profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50"
>>> > name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365
>>> > comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
>>>
>>> The null-* means that something was executed (see comm="java") which
>>> doesn't have execute permissions in the profile yet.
>>>
>>> I'd guess you produced "too many" log events, and the audit.log was
>>> rotated away before you were able to run aa-logprof on it.
>>>
>>> You can use aa-logprof -f /var/log/audit/audit.log.1 to read the
>>> last rotated-away logfile. Maybe it was rotated multiple times - the
>>> timestamp of the older logs should tell.
>>>
>>>
>>> Regards,
>>>
>>> Christian Boltz
>>> --
>>> > So AJ, shall we online update the fix for your blog? :-)
>>> I wouldn't just update for my blog - but it's Robert's as well ;-)
>>> [> Stephan Binner and Andreas Jäger in
>>> https://bugzilla.novell.com/show_bug.cgi?id=209387]
>>>
>>
>
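
The `null-*` explanation in the quoted reply, as an added example that is not part of the thread or of the AppArmor tools: a small Python parser that groups audit records logged under a `//null-N` child profile and, where an exec record with a matching `target=` field is present, names the executable that still lacks an exec rule in the parent profile. The sample log is constructed; the Java path and the exec record are assumptions modelled on the record quoted above.

```python
import re
from collections import defaultdict

TOMCAT = "/usr/local/apache-tomcat-8.0.32"
PARENT = TOMCAT + "/bin/catalina.sh"
JAVA = "/usr/lib/jvm/java-8-openjdk-amd64/bin/java"  # assumed path, not from the thread

# Constructed sample log, modelled on the record quoted in the thread.
SAMPLE_LOG = "\n".join([
    'type=1400 audit(1459339942.701:1134390): apparmor="ALLOWED" operation="exec" '
    f'profile="{PARENT}" name="{JAVA}" pid=14365 comm="catalina.sh" '
    f'requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="{PARENT}//null-50"',
    'type=1400 audit(1459339942.803:1134393): apparmor="ALLOWED" operation="getattr" '
    f'profile="{PARENT}//null-50" name="{TOMCAT}/webapps/ROOT.war" pid=14365 '
    'comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    'type=1400 audit(1459339942.804:1134394): apparmor="ALLOWED" operation="open" '
    f'profile="{PARENT}//null-50" name="{TOMCAT}/conf/server.xml" pid=14365 '
    'comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    "Mar 30 14:12:22 host CRON[14400]: unrelated line without AppArmor fields",
])

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def null_profile_report(log_text):
    """Summarise activity logged under //null-N child profiles."""
    exec_target = {}  # null profile name -> executable that triggered it
    hits = defaultdict(lambda: {"comm": set(), "events": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.get("operation") == "exec" and "//null-" in ev.get("target", ""):
            exec_target[ev["target"]] = ev.get("name")
        profile = ev.get("profile", "")
        if "//null-" in profile:
            hits[profile]["comm"].add(ev.get("comm", "?"))
            hits[profile]["events"] += 1
    return [{"parent": p.split("//null-", 1)[0], "null_profile": p,
             "executable": exec_target.get(p), "comm": sorted(hits[p]["comm"]),
             "events": hits[p]["events"]}
            for p in sorted(set(hits) | set(exec_target))]

if __name__ == "__main__":
    for row in null_profile_report(SAMPLE_LOG):
        print(row)
```

If the exec record has been rotated out of the log being read, `executable` is `None` and only `comm` identifies the child process.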