Skip to content
GitLab
Open
Issue created by Ratan Gupta@ratagupt

Apparmor is not throwing DENIAL messages

Hi Team,

I was trying to enable apparmor on the openBMC (https://github.com/openbmc/openbmc) I pulled the apparmor in the openbmc image through yocto bitbake recipe (http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-security/AppArmor/apparmor_2.11.0.bb?h=pyro)

Issue: Now after that I made a profile for one of the application but I am not getting any DENIAL message although my profile is empty.

What I did:

  1. I wrote the following profile

root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf

Last Modified: Thu Jul 29 14:30:33 2021

#include <tunables/global>

/usr/bin/phosphor-network-snmpconf flags=(complain) {

#include <abstractions/base>

}

  1. Reload the apparmor profiles

systemctl apparmor reload

I ran the binary under complain mode through the following command.

aa-complain /usr/bin/phosphor-network-snmpconf

Setting /usr/bin/phosphor-network-snmpconf to complain mode.

[ 875.716595] kauditd_printk_skb: 40 callbacks suppressed

[ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"

Restart the snmp service which internally calls the phosphor-network-snmpconf

systemctl restart xyz.openbmc_project.Network.SNMP.service

  1. How the above service file looks like

https://github.com/openbmc/openbmc/blob/1497c9c9c743277815d7b19f6112bf20c1e24c4f/meta-phosphor/recipes-phosphor/network/phosphor-snmp/xyz.openbmc_project.Network.SNMP.service

  1. Output of aa-status as follows:

============================

root@abc:~# aa-status

apparmor module is loaded.

48 profiles are loaded.

47 profiles are in enforce mode.

/usr/lib/apache2/mpm-prefork/apache2

/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI

/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT

/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo

apache2

apache2//DEFAULT_URI

apache2//HANDLING_UNTRUSTED_INPUT

apache2//phpsysinfo

avahi-daemon

dnsmasq

dnsmasq//libvirt_leaseshelper

dovecot

dovecot-anvil

dovecot-auth

dovecot-config

dovecot-deliver

dovecot-dict

dovecot-dovecot-auth

dovecot-dovecot-lda

dovecot-dovecot-lda//sendmail

dovecot-imap

dovecot-imap-login

dovecot-lmtp

dovecot-log

dovecot-managesieve

dovecot-managesieve-login

dovecot-pop3

dovecot-pop3-login

dovecot-script-login

dovecot-ssl-params

dovecot-stats

identd

klogd

lsb_release

mdnsd

nmbd

nscd

ntpd

php-fpm

ping

smbd

smbldap-useradd

smbldap-useradd///etc/init.d/nscd

syslog-ng

syslogd

traceroute

winbindd

1 profiles are in complain mode.

/usr/bin/phosphor-network-snmpconf

0 profiles are in kill mode.

0 profiles are in unconfined mode.

1 processes have profiles defined.

0 processes are in enforce mode.

0 processes are in complain mode.

1 processes are unconfined but have a profile defined.

/usr/bin/phosphor-network-snmpconf (825)

0 processes are in mixed mode.

0 processes are in kill mode.

  1. Source code of snmp service : https://github.com/openbmc/phosphor-snmp

Expectation was that when I run the SNMP service , it should throw the DENIAL messages but I am not getting any DENIAL messages, Only message which I am getting is for apparmor is "profile_replace"

Can you please let me know where I am making the mistake so apparmor should start throwing the AVC DENIAL message?

Edited by Ratan Gupta