[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Steve Grubb
sgrubb at redhat.com
Tue Jun 3 14:47:17 UTC 2014
On Monday, June 02, 2014 06:00:54 PM Tony Jones wrote:
> On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> > include that string, so an.avc_result and an.avc_perm would not be set,
> > would they?
>
> That patch does "work" (tested w/ svn trunk).
Right. The parsing code aborts the parse if it doesn't find required/expected
fields. So, if a field is missing, it skips the event. The --debug option will
print events that get skipped due to being malformed.
> After I read your comment I
> looked at the code and I was confused also as 'avc_result == AVC_UNSET' but
> find_avc() which checks against UNSET isn't being called, rather the
> record gets selected for output by 'n = list_get_cur(l)'
> [ausearch-match.c:113]. I would need to spend more time to fully
> understand what is happening in the code.
Ausearch is simple. It gathers fields only if they are relevant to the command
line flags. If auid is given, it collects those fields, but the parser expects a
well formed event or it will exclude it from the results.
> Without patch, ausearch just outputs "<no matches>"
Yep. So, the question is really how to fix this. Should we have a different
function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
it can be tuned exactly for AppArmor's needs? Later, the kernel event number
can be changed and the switch/case can pick that up. Also, are there other AA
events that are missing in action? The ausearch-test should tell you.
-Steve
More information about the Linux-audit
mailing list