[apparmor] Pesky '=' in subj= of audit in mainline
Casey Schaufler
casey at schaufler-ca.com
Tue Dec 14 00:58:52 UTC 2021
On 12/13/2021 4:28 PM, John Johansen wrote:
> On 12/13/21 9:48 AM, Casey Schaufler wrote:
>> The Ubuntu kernel has "subj=unconfined" in its audit records.
>> The Linus v5.16-rc4 kernel has "subj==unconfined".
>>
>> I see in the upstream where the extra "=" comes from, but I
> I assume this is from
>
> label.c:
> 1634: if (flags & FLAG_ABS_ROOT) {
> 1635: ns = root_ns;
> 1636: len = snprintf(str, size, "=");
> 1637: update_for_len(total, len, size, str);
> 1638: } else if (!ns) {
>
> It is called when secids are being used without context.
>
> This was an unfortunate choice made long ago. It is something
> I have looked at removing, and if this is rearing its head
> with upstream kernels we will have to fix it asap.
I see it on an Ubuntu system with 5.16-rc4.
type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
>
>> don't see how to get to that code. I have not looked into the
>> patches Ubuntu is using, but there must be something.
>>
> You won't find the code that calls this for some Ubuntu kernels
> because secid auditing was reverted so the LSM stacking patches
> could be used with extended network mediation (af_unix) without
> issues.
>
> This is something that needs to be fixed as well.
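
Added example, not part of the thread or of any AppArmor or audit code: a Python sketch of how a log consumer can parse the USER_LOGIN record quoted above so that `subj==unconfined` and `subj=unconfined` compare equal, next to a naive splitter that returns an empty subject. It assumes the leading "=" is the prefix written by the quoted label.c branch for FLAG_ABS_ROOT; the function names and the decision to strip that prefix for matching are choices made for this example.

```python
import re

# Constructed sample: the record from the message above, joined onto one line.
RECORD = (
    "type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 "
    "ses=3 subj==unconfined msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'"
)

# key=value at a token start; the value is '...', "..." or a run of non-space
# characters. Only the first '=' separates key from value.
_FIELD = re.compile(r"""(?<!\S)(\w+)=('[^']*'|"[^"]*"|\S*)""")


def parse_fields(text):
    """Return a dict of fields; the quoted msg='...' payload is flattened in."""
    fields = {}
    for key, value in _FIELD.findall(text):
        if value.startswith("'"):
            fields.update(parse_fields(value[1:-1]))
        elif value.startswith('"'):
            fields[key] = value[1:-1]
        else:
            fields[key] = value
    return fields


def apparmor_subject(fields):
    """Return (label, abs_root): the subj label without a leading '=' and
    whether that prefix was present (assumed to be the FLAG_ABS_ROOT marker)."""
    subj = fields.get("subj", "")
    abs_root = subj.startswith("=")
    return (subj[1:] if abs_root else subj), abs_root


def naive_value(record, key):
    """Failure mode: splitting on every '=' loses the subject entirely."""
    for tok in record.split():
        parts = tok.split("=")
        if parts[0] == key:
            return parts[1]
    return None


if __name__ == "__main__":
    parsed = parse_fields(RECORD)
    print(parsed["subj"], apparmor_subject(parsed), repr(naive_value(RECORD, "subj")))
```
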