[apparmor] AVC type malformed
John Johansen
john.johansen at canonical.com
Fri Feb 9 21:01:46 UTC 2024
On 2/9/24 10:53, cati55 wrote:
> When apparmor logs events with audit type AVC, the logs cannot be found by usual audit tools because the entry is malformed as stated in this auditd bugreport
> https://github.com/linux-audit/audit-userspace/issues/351#issuecomment-1932211875
>
> To quote the maintainer:
>
>> If they are going to emit an access decision as an AVC, it has to exactly follow the format of an SE Linux AVC. The AppArmor kernel developers were given the AUDIT type block from 1500 to 1599 a long time ago so that they can format their events any way they wish. The AVC they are using is type number 1400. They should really define AUDIT_AA_DECISION 1500 (or whatever makes sense to AppArmor) and then use that.
>
The problem is, and this has been brought up before, apparmor used to use 1500. It was the id assigned to apparmor messages. Unfortunately that got changed on us to share selinux's 1400, and we were told to use that. This was done without changes to the message format and while apparmor messages can be made to be closer to the selinux format, apparmor messages will never fit entirely into the SE Linux AVC format.
I don't disagree that we should move back to 1500; we brought this up again about 5 years ago and were basically told no.
> It took me a few days to figure this one out and that didn't make apparmor easier to debug. If there is anything in regards to testing I can help with to solve this bug, please let me know.
>
>
No, it doesn't make apparmor easier to debug. Really it's a pita if you are used to using auditd, or some of the journalctl syntax around selinux. There are workaround commands, and ways to cope, but you have to learn them.
More than willing to take any help fixing this. It basically comes down to moving back to the 1500 range, which is a small kernel patch, and getting auditd to take in support for it. It is something that we should wait on doing for a bit, as we are making some changes to the apparmor format to make some of the fields more common. There are a couple of odd ways that need some improvement.
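The practical consequence of the thread above is that AppArmor records carry the SELinux audit type (1400, `type=AVC`) but not the SELinux body layout (`avc:  denied  { perm } for ...`), so tools that key on that layout skip them. The following is an added example, not code from the thread or from the AppArmor or audit-userspace projects: a small parser that splits `type=AVC` records by dialect and pulls the AppArmor key=value fields out directly, which is one of the "ways to cope" until the type id moves. The audit lines it operates on are constructed for the example; the field names (`apparmor=`, `operation=`, `profile=`, `denied_mask=`) follow the key=value form AppArmor commonly emits, and the SELinux line follows the `avc:` form the maintainer refers to.

```python
import re

# Constructed sample audit records (not taken from the thread):
#  - one SELinux-style AVC (body begins with "avc:")
#  - one AppArmor denial sharing type=AVC but using key=value fields
#  - an unrelated SYSCALL record that should be left alone
#  - an AppArmor STATUS record, also type=AVC but not a denial
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1707512345.123:201): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=1313 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707512346.456:202): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=2345 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1707512346.456:202): arch=c000003e syscall=257 success=no exit=-13 ...
type=AVC msg=audit(1707512347.789:203): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/foo" pid=3456 comm="apparmor_parser"
"""

# Common audit record prefix: type=<T> msg=audit(<epoch>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either "quoted" or a bare non-space token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def avc_dialect(body):
    """Distinguish an SELinux AVC body from an AppArmor one carrying the same type."""
    if body.startswith("avc:"):
        return "selinux"
    if 'apparmor="' in body:
        return "apparmor"
    return "unknown"


def parse_fields(body):
    """Extract key=value fields, stripping surrounding quotes from quoted values."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(body):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def parse_audit_log(text):
    """Parse every well-formed audit record; dialect is only set for type=AVC."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype = m.group("type")
        body = m.group("body")
        records.append({
            "type": rtype,
            "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "dialect": avc_dialect(body) if rtype == "AVC" else None,
            "fields": parse_fields(body),
        })
    return records


def apparmor_denials(text):
    """Return only AppArmor DENIED records, the ones SELinux-shaped AVC parsing misses."""
    return [
        r for r in parse_audit_log(text)
        if r["dialect"] == "apparmor" and r["fields"].get("apparmor") == "DENIED"
    ]


if __name__ == "__main__":
    for r in apparmor_denials(SAMPLE_AUDIT_LOG):
        f = r["fields"]
        print(f'{r["serial"]}: profile={f["profile"]} denied {f["denied_mask"]} on {f["name"]}')
```

Run it against a real `/var/log/audit/audit.log` by swapping the constructed string for the file contents; the dialect check is deliberately based on the body shape rather than on the type number, because both projects currently share 1400.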
More information about the AppArmor mailing list