On Monday, June 02, 2014 06:00:54 PM Tony Jones wrote:
> On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> > include that string, so an.avc_result and an.avc_perm would not be set,
> > would they?
>
> That patch does "work" (tested w/ svn trunk).

Right. The parsing code aborts the parse if it doesn't find required/expected
fields. So, if a field is missing, it skips the event. The --debug option will
print events that get skipped due to being malformed.

> After I read your comment I looked at the code and I was confused also as
> 'avc_result == AVC_UNSET' but find_avc() which checks against UNSET isn't
> being called, rather the record gets selected for output by
> 'n = list_get_cur(l)' [ausearch-match.c:113]. I would need to spend more
> time to fully understand what is happening in the code.

Ausearch is simple. It gathers fields only if they are relevant to the command
line flags. If auid is given, it collects those fields, but the parser expects a
well formed event or it will exclude it from the results.

> Without patch, ausearch just outputs "<no matches>"

Yep. So, the question is really how to fix this. Should we have a different
function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
it can be tuned exactly for AppArmor's needs? Later, the kernel event number
can be changed and the switch/case can pick that up. Also, are there other AA
events that are missing in action? The ausearch-test should tell you.

-Steve
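The behaviour discussed in this thread, as an added illustration that is not code from ausearch or the audit project: a SELinux-style `parse_avc` that aborts when the "avc: " term is missing (so the record is skipped and never becomes a match), a separate `parse_aa_avc` of the kind Steve proposes, and a dispatch that only falls back to it when AppArmor support is enabled. The two sample records, the `AA_RESULT` mapping of AppArmor's `apparmor="..."` values onto SELinux's result words, and the `AvcEvent`/`search`/`parse_record` names are constructed for this example; only `parse_avc`, `parse_aa_avc` and the `avc_result`/`avc_perm` field names come from the discussion.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample AVC records, one in SELinux's "avc: " form and one in
# AppArmor's key=value form. They illustrate the two layouts discussed in
# the thread; they were not captured from a real system.
SELINUX_AVC = (
    'type=AVC msg=audit(1401700000.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" dev="sda1" ino=1 '
    'scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file'
)
APPARMOR_AVC = (
    'type=AVC msg=audit(1401700000.456:457): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/cat" name="/etc/shadow" pid=1234 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
)

# Assumed mapping of AppArmor's apparmor="..." values onto the result words
# used for SELinux events ("denied"/"granted"); not taken from ausearch.
AA_RESULT = {"DENIED": "denied", "ALLOWED": "granted", "AUDIT": "granted"}


@dataclass
class AvcEvent:
    # Mirrors the two fields the thread names (an.avc_result, an.avc_perm)
    # plus comm, so a search flag has something to match on.
    avc_result: str
    avc_perm: str
    comm: Optional[str]


def _comm(record: str) -> Optional[str]:
    m = re.search(r'\bcomm="([^"]*)"', record)
    return m.group(1) if m else None


def parse_avc(record: str) -> Optional[AvcEvent]:
    """SELinux-style parse: the record must carry the "avc: " term and a
    "{ perms }" set; otherwise the parse aborts and None is returned, which
    is what makes an AppArmor record drop out of the results."""
    if "avc: " not in record:
        return None
    m = re.search(r"avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}", record)
    if m is None:
        return None
    return AvcEvent(avc_result=m.group(1), avc_perm=m.group(2), comm=_comm(record))


def parse_aa_avc(record: str) -> Optional[AvcEvent]:
    """AppArmor-style parse (the separate function the thread proposes):
    result comes from apparmor="...", the permission from denied_mask or,
    failing that, requested_mask."""
    m = re.search(r'\bapparmor="(\w+)"', record)
    if m is None:
        return None
    mask = (re.search(r'\bdenied_mask="([^"]*)"', record)
            or re.search(r'\brequested_mask="([^"]*)"', record))
    if mask is None:
        return None
    result = AA_RESULT.get(m.group(1), m.group(1).lower())
    return AvcEvent(avc_result=result, avc_perm=mask.group(1), comm=_comm(record))


def parse_record(record: str, with_apparmor: bool) -> Optional[AvcEvent]:
    """Try the SELinux parser first and fall back to the AppArmor parser only
    when AppArmor support is enabled (a runtime stand-in for the
    #ifdef WITH_APPARMOR selection discussed above)."""
    ev = parse_avc(record)
    if ev is None and with_apparmor:
        ev = parse_aa_avc(record)
    return ev


def search(records: List[str], with_apparmor: bool,
           debug: bool = False) -> Tuple[List[AvcEvent], List[str]]:
    """Keep well-formed events and skip the rest; with debug=True report the
    skipped records, in the spirit of ausearch --debug."""
    matches, skipped = [], []
    for rec in records:
        ev = parse_record(rec, with_apparmor)
        if ev is None:
            skipped.append(rec)
            if debug:
                print("skipping malformed record:", rec)
        else:
            matches.append(ev)
    return matches, skipped


if __name__ == "__main__":
    records = [SELINUX_AVC, APPARMOR_AVC]
    for flag in (False, True):
        found, dropped = search(records, with_apparmor=flag, debug=True)
        print(f"with_apparmor={flag}: {len(found)} match(es), {len(dropped)} skipped")
        for ev in found:
            print("  ", ev)
```

Run without AppArmor support, the AppArmor record is the only one skipped, which is the "<no matches>" outcome Tony saw on a system that emits only AppArmor AVCs; with the fallback parser enabled both records yield an event with `avc_result` and `avc_perm` populated.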