[apparmor] Pesky '=' in subj= of audit in mainline
John Johansen
john.johansen at canonical.com
Tue Dec 14 02:55:23 UTC 2021
On 12/13/21 4:58 PM, Casey Schaufler wrote:
> On 12/13/2021 4:28 PM, John Johansen wrote:
>> On 12/13/21 9:48 AM, Casey Schaufler wrote:
>>> The Ubuntu kernel has "subj=unconfined" in its audit records.
>>> The Linus v5.16-rc4 kernel has "subj==unconfined".
>>>
>>> I see in the upstream where the extra "=" comes from, but I
>> I assume this is from
>>
>> label.c:
>> 1634: if (flags & FLAG_ABS_ROOT) {
>> 1635: ns = root_ns;
>> 1636: len = snprintf(str, size, "=");
>> 1637: update_for_len(total, len, size, str);
>> 1638: } else if (!ns) {
>>
>> It is called when secids are being used without context.
>>
>> This was an unfortunate choice made long ago. It is something
>> I have looked at removing, and if this is rearing its head
>> with upstream kernels we will have to fix it asap.
>
> I see it on an Ubuntu system with 5.16-rc4.
>
> type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
> ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
>
Yeah, the newer Ubuntu kernels should hit. I will see what I can do.
>
>>
>>> don't see how to get to that code. I have not looked into the
>>> patches Ubuntu is using, but there must be something.
>>>
>> You won't find the code that calls this for some Ubuntu kernels
>> because secid auditing was reverted so the LSM stacking patches
>> could be used with extended network mediation (af_unix) without
>> issues.
>>
>> This is something that needs to be fixed as well.
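Added example, not part of the original thread and not AppArmor or audit userspace code: a small Python parser for log consumers that match on the subj field, showing how the two record forms discussed above ("subj=unconfined" and "subj==unconfined") can be read and compared. The function names and the second sample record are constructed, and stripping the leading "=" (the prefix the quoted label.c lines print for FLAG_ABS_ROOT) for comparison is an assumption of this example.

```python
import re

# Constructed sample records: the first mirrors the USER_LOGIN line quoted in
# the thread, the second is a made-up record in the older "subj=unconfined" form.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 "
    "ses=3 subj==unconfined msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'",
    "type=USER_LOGIN msg=audit(1639443365.233:161): pid=1634 uid=0 auid=1000 "
    "ses=4 subj=unconfined msg='op=login id=1000 exe=\"/usr/sbin/sshd\" res=success'",
]

# key=value, where value is '...' quoted, "..." quoted, or a bare token.
# The key ends at the FIRST '=', so "subj==unconfined" yields value "=unconfined".
_FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S*)""")


def parse_fields(text):
    """Parse one audit record into a dict, flattening the nested msg='...' part."""
    fields = {}
    for key, value in _FIELD.findall(text):
        if value.startswith("'"):
            # Userspace payload: parse its inner key=value pairs as well.
            for k, v in parse_fields(value[1:-1]).items():
                fields.setdefault(k, v)
        else:
            # Keep the first occurrence (e.g. the outer msg=audit(...) stamp).
            fields.setdefault(key, value.strip('"'))
    return fields


def normalize_subj(subj):
    """Return (label, abs_root): label without a leading '=', and whether it had one."""
    if subj.startswith("="):
        return subj[1:], True
    return subj, False


def login_subjects(records):
    """Return (audit stamp, normalized subj, abs_root flag) for each record."""
    out = []
    for rec in records:
        f = parse_fields(rec)
        label, abs_root = normalize_subj(f.get("subj", ""))
        out.append((f.get("msg"), label, abs_root))
    return out


if __name__ == "__main__":
    for row in login_subjects(SAMPLE_RECORDS):
        print(row)
```

Matching rules written against the raw string "subj=unconfined" miss the first record; comparing the normalized label treats both forms alike while the flag records which form was seen.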