aa-log mistakes peer=(name=...) for name=... #73

Closed
nobody43 opened this issue Sep 6, 2022 · 8 comments

@nobody43
Contributor

nobody43 commented Sep 6, 2022

 lightdm dbus_method_call org.freedesktop.Accounts send bus=system path=/org/freedesktop/Accounts/User1000 interface=org.freedesktop.DBus.Properties member=GetAll type=1107 peer_label=accounts-daemon auid=4294967295 ses=4294967295 subj=? uid=102 msg='apparmor
 lightdm dbus_signal :1.6 receive bus=system path=/org/freedesktop/Accounts/User1000 interface=org.freedesktop.Accounts.User member=Changed subj=? type=1107 uid=102 auid=4294967295 msg='apparmor peer_label=accounts-daemon ses=4294967295
Sep  6 11:23:47 xubuntu-lts kernel: [   31.024982] audit: type=1107 audit(1662459827.500:1420): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.Accounts" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"
Sep  6 11:26:12 xubuntu-lts kernel: [  175.272924] audit: type=1107 audit(1662459972.826:4277): pid=1567 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.Accounts.User" member="Changed" name=":1.6" mask="receive" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"
@roddhjav
Owner

roddhjav commented Sep 6, 2022

Could you tell me what's the issue here? This is not a mistake, more a representation decision as there is no name= in dbus rules.

The real issue is that aa-log should have removed everything before apparmor="ALLOWED". I will fix this soon.

@nobody43
Contributor Author

nobody43 commented Sep 6, 2022

Because this information is not about the profile itself, but about its neighbor (peer). Known confusion in naming, same with unix's peers and labels. Sure, fixing it in the kernel is out of the scope of this project. Maybe name for dbus can be omitted, resulting in something like what the profile parser wants:

lightdm dbus_signal receive bus=system path=/org/freedesktop/Accounts/User1000 interface=org.freedesktop.Accounts.User member=Changed peer=(name=:1.6, label=accounts-daemon)

> The real issue is that aa-log should have removed everything before apparmor="ALLOWED".

Perhaps it's because I passed /var/log/syslog to aa-log. :) Now I see there are no dbus entries in /var/log/audit/audit.log.

@roddhjav
Owner

roddhjav commented Sep 6, 2022

You are right, I will update the way dbus logs are printed.

Yes, /var/log/audit/audit.log does not include dbus session entries. As syslog is not present on some distributions (Arch), aa-log has an option (-d) to only show dbus session entries using journalctl.

@nobody43
Contributor Author

nobody43 commented Sep 7, 2022

A note here. DBus can have a name without a peer, but only with the bind operation:

type=USER_AVC msg=audit(1662575819.496:1487): pid=2009 uid=0 auid=0 ses=2 subj=? msg='apparmor="ALLOWED" operation="dbus_bind"  bus="session" name="org.freedesktop.impl.portal.PermissionStore" mask="bind" pid=2024 label="xdg-permission-store"  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="root" SAUID="root"
ALLOWED xdg-permission-store dbus_bind org.freedesktop.impl.portal.PermissionStore bind bus=session
  dbus bind bus=session
       name=org.freedesktop.impl.portal.PermissionStore,
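
The mapping worked out in the comments above, as an added Go example (not aa-log's code and not part of any comment): everything before apparmor= is dropped, name= and peer_label= go into peer=(...) for send/receive records, and name= stays at the top level only for dbus_bind. The dbusRule helper and its regular expression are hypothetical; the two records are the ones posted in this thread with their prefix shortened.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two records posted in this thread, with the prefix before msg= shortened.
const signalLine = `audit: type=1107 audit(1662459972.826:4277): pid=1567 uid=102 subj=? msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/freedesktop/Accounts/User1000" interface="org.freedesktop.Accounts.User" member="Changed" name=":1.6" mask="receive" pid=1693 label="lightdm" peer_pid=1559 peer_label="accounts-daemon"`
const bindLine = `type=USER_AVC msg=audit(1662575819.496:1487): pid=2009 uid=0 subj=? msg='apparmor="ALLOWED" operation="dbus_bind"  bus="session" name="org.freedesktop.impl.portal.PermissionStore" mask="bind" pid=2024 label="xdg-permission-store"  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'`
var kv = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// dbusRule (hypothetical helper, not aa-log code) maps one record to a rule.
func dbusRule(line string) (string, error) {
	_, rec, _ := strings.Cut(line, "apparmor=") // drop everything before the record
	f := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(rec, -1) {
		f[m[1]] = m[2] + m[3] // only one of the two value groups is non-empty
	}
	if !strings.HasPrefix(f["operation"], "dbus_") {
		return "", fmt.Errorf("no dbus record in line (operation=%q)", f["operation"])
	}
	rule := "dbus " + f["mask"] + " bus=" + f["bus"]
	if f["mask"] == "bind" { // here name= is what the subject itself binds
		return rule + " name=" + f["name"] + ",", nil
	}
	for _, k := range []string{"path", "interface", "member"} {
		if f[k] != "" {
			rule += " " + k + "=" + f[k]
		}
	}
	var peer []string // send/receive: name= and peer_label= describe the other end
	for _, p := range [][2]string{{"name", "name"}, {"label", "peer_label"}} {
		if f[p[1]] != "" {
			peer = append(peer, p[0]+"="+f[p[1]])
		}
	}
	if len(peer) > 0 {
		rule += " peer=(" + strings.Join(peer, ", ") + ")"
	}
	return rule + ",", nil
}

func main() {
	for _, l := range []string{signalLine, bindLine} {
		rule, err := dbusRule(l)
		fmt.Println(rule, err)
	}
}
```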

@nobody43
Contributor Author

unix:

type=AVC msg=audit(1663014464.673:1689): apparmor="ALLOWED" operation="connect" profile="gnome-control-center" pid=3746 comm="pool-gnome-cont" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/home/testuser/.cache/ibus/dbus-v7Mb0EsW" peer="ibus-daemon"
ALLOWED gnome-control-center connect comm=pool-gnome-cont family=unix sock_type=stream protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" peer=ibus-daemon addr=none peer_addr=@/home/testuser/.cache/ibus/dbus-v7Mb0EsW
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon),

Total confusion.

@roddhjav
Owner

Fixed long ago.

@curiosityseeker
Contributor

> Yes, /var/log/audit/audit.log does not include dbus session entries. As syslog is not present on some distributions (Arch), aa-log has an option (-d) to only show dbus session entries using journalctl.

The -d switch is obviously succeeded by the -s switch. However, when I tried that I got the error message:

json: cannot unmarshal array into Go struct field systemdLog.MESSAGE of type string

@roddhjav
Owner

This is usually when the output of journalctl is empty. I still need to fix this (it works fine most of the time).
