[apparmor] AVC type malformed

cati55 cati55 at proton.me
Fri Feb 9 18:53:07 UTC 2024


When apparmor logs events with audit type AVC, the logs cannot be found by the usual audit tools because the entry is malformed, as stated in this auditd bug report:
https://github.com/linux-audit/audit-userspace/issues/351#issuecomment-1932211875

To quote the maintainer:

> If they are going to emit an access decision as an AVC, it has to exactly follow the format of an SE Linux AVC. The AppArmor kernel developers were given the AUDIT type block from 1500 to 1599 a long time ago so that they can format their events any way they wish. The AVC they are using is type number 1400. They should really define AUDIT_AA_DECISION 1500 (or whatever makes sense to AppArmor) and then use that.

It took me a few days to figure this one out and that didn't make apparmor easier to debug. If there is anything in regards to testing I can help with to solve this bug, please let me know.
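
As an added example (not part of the original post, and not code from AppArmor or auditd): a small Python filter that pulls AppArmor decisions out of raw audit or kernel log text directly, separating them from SELinux-format AVC records that share type 1400. The sample lines are constructed, and the `apparmor="..." operation=...` field layout and the helper name `apparmor_events` are assumptions for illustration.

```python
import re

# Constructed sample input: an auditd-style AppArmor record, an SELinux AVC,
# an unrelated SYSCALL record, and a kernel-log line carrying the raw type number.
SAMPLE_LOG = """\
type=AVC msg=audit(1707504787.101:210): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1707504788.202:211): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1707504788.202:211): arch=c000003e syscall=257 success=no exit=-13 pid=4300 comm="httpd"
Feb  9 18:53:09 host kernel: audit: type=1400 audit(1707504789.303:212): apparmor="ALLOWED" operation="exec" profile="/usr/bin/example" name="/usr/bin/id" pid=4243 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# Record header; "msg=" is absent when the kernel prints the record itself.
HEADER = re.compile(r'type=(\w+) (?:msg=)?audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs where the value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def apparmor_events(text):
    """Return one dict per AppArmor record logged under audit type AVC/1400."""
    events = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m or m.group(1) not in ("AVC", "1400"):
            continue
        body = m.group(4)
        # SELinux AVC bodies start with "avc:"; AppArmor ones with apparmor=.
        if not body.startswith("apparmor="):
            continue
        fields = {key: value.strip('"') for key, value in FIELD.findall(body)}
        fields["timestamp"] = m.group(2)
        fields["serial"] = int(m.group(3))
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in apparmor_events(SAMPLE_LOG):
        print(ev["serial"], ev["apparmor"], ev["operation"],
              ev["profile"], ev["name"], ev["denied_mask"])
```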



