AppArmor - logfile messages - help understanding please

Hi,
trying to understand just what the log messages from AppArmor are saying. I have Firefox in complain mode and I get these:

kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}" name="/usr/lib64/firefox/plugin-container" pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7"

kernel: [ 1880.813477] type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813527] type=1400 audit(1401791953.716:5910): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813554] type=1400 audit(1401791953.716:5911): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0

kernel: [ 1880.813713] type=1400 audit(1401791953.716:5912): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813733] type=1400 audit(1401791953.716:5913): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813831] type=1400 audit(1401791953.716:5914): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813857] type=1400 audit(1401791953.716:5915): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

kernel: [ 1880.813889] type=1400 audit(1401791953.716:5916): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0

I take it that the “parent=20103” is the ID of the Firefox application, and the “name=xxxxxxx” is the thing that is causing the message event (and that this is what might need to be added to the profile), but what are:

  1. “pid=” which is a process ID, but of what?
  2. “comm=” which I guess is short for “command” but what is doing this command, or is it short for “communication”?
  3. “fsuid=” which is a user ID for the filesystem, but of what?
  4. “ouid=” ?

thanks in advance
nerderello
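
An added example, not part of the thread: a small Python parser for records of the shape quoted above, which labels the fields the post asks about and collects, per profile and path, the access that was logged. The records in `SAMPLE` are constructed from the ones in the post with a simplified profile name; the descriptions in `FIELDS` summarise how AppArmor fills these fields and do not come from the thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Meaning of the fields asked about, as AppArmor writes them in type=1400 records.
FIELDS = {
    "parent": "PID of the parent of the requesting process",
    "pid": "PID of the process that made the request",
    "comm": "kernel task name of that process, cut at 15 characters",
    "name": "object the request was made on (here a file path)",
    "fsuid": "filesystem UID the process is running with",
    "ouid": "UID of the owner of the object in name=",
    "target": "profile the exec would run the new program under",
}
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})  # undo forum smart quotes
P = "/usr/lib64/firefox/firefox"  # constructed, simplified profile name
# Constructed records in the shape of the ones quoted in the post.
SAMPLE = [
    f'type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" '
    f'parent=20103 profile="{P}" name="/usr/lib64/firefox/plugin-container" '
    f'pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" '
    f'fsuid=1000 ouid=0 target="{P}//null-7"',
    f'type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" '
    f'parent=20103 profile="{P}//null-7" name="/usr/lib64/firefox/libxul.so" '
    f'pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    f'type=1400 audit(1401791953.716:5911): apparmor=“ALLOWED” operation=“file_mmap” '
    f'parent=20103 profile=“{P}//null-7” name=“/usr/lib64/firefox/libxul.so” '
    f'pid=22076 comm=“plugin-containe” requested_mask=“mr” denied_mask=“mr” fsuid=1000 ouid=0',
]

def parse_event(line):
    """Return the key=value fields of one AppArmor record, or None for other lines."""
    line = line.translate(CURLY)
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def missing_access(lines):
    """Union of denied_mask letters per (profile, name) over ALLOWED/DENIED records."""
    need = defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        if ev.get("apparmor") in ("ALLOWED", "DENIED") and "name" in ev:
            need[(ev["profile"], ev["name"])] |= set(ev.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in need.items()}

def explain(ev):
    """One 'field=value: meaning' line for each described field present in ev."""
    return [f"{k}={ev[k]}: {FIELDS[k]}" for k in FIELDS if k in ev]

if __name__ == "__main__":
    print("\n".join(explain(parse_event(SAMPLE[0]))))
    print(missing_access(SAMPLE))
```

In complain mode `apparmor="ALLOWED"` marks an access that was permitted but logged because the profile has no rule for it, so the `denied_mask` letters collected per path are the permissions the profile lacks for that path.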

On 2014-10-08 19:46, nerderello wrote:
>
> Hi,
> trying to understand just what the log messages from AppArmor are
> saying.

man apparmor → http://wiki.apparmor.net

→ Documentation about the AppArmor security project →
http://wiki.apparmor.net/index.php/Documentation

→ AppArmor on Suse
http://activedoc.opensuse.org/book/opensuse-security-guide

> I have Firefox in complain mode and I get these:

>> kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908):
>> apparmor="ALLOWED" operation="exec" parent=20103
>> profile="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}"
>> name="/usr/lib64/firefox/plugin-container" pid=22076
>> comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000
>> ouid=0 target="/usr/lib64/firefox{,-[0-9]}/firefox{,^s]^h]}//null-7"

A comment: When pasting here computer commands and such, please use a
CODE BLOCK, so that the forum software doesn’t do silly things like
converting URLs to tiny urls or otherwise hide or alter the commands you
entered. You get them by clicking on the ‘#’ button in the forum editor.
http://susepaste.org/images/15093674.jpg


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Robin, thanks for the reply. I’ve taken note of the forum editing point (will use # button in the future).

Thanks for the links, but I’d already been to all of them, plus a whole load that are really only for Ubuntu users. Sadly none of them really explain what is what in the log messages. The closest I got was for Ubuntu and they look similar but different from the opensuse ones (I’m an Ubuntu refugee and had just about gotten on top of AppArmor in Ubuntu, but have noticed some differences and was trying to get some leads on these).

thanks again

Nerderello

On 2014-10-11 19:06, nerderello wrote:
>
> Robin, thanks for the reply. I’ve taken note of the forum editing point
> (will use # button in the future).
>
> Thanks for the links, but I’d already been to all of them, plus a whole
> load that are really only for Ubuntu users.

At least one is the openSUSE manual.

> Sadly none of them really
> explain what is what in the log messages. The closest I got was for
> Ubuntu and they look similar but different from the opensuse ones (I’m
> an Ubuntu refugee and had just about gotten on top of AppArmor in
> Ubuntu, but have noticed some differences and was trying to get some
> leads on these).

Mmm… what is your goal? I mean, if you intend to adjust a profile,
there are easier ways. Like using aa-logprof.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 10/11/2014 01:06 PM, nerderello wrote:
>
> Robin, thanks for the reply. I’ve taken note of the forum editing point
> (will use # button in the future).
>
> Thanks for the links, but I’d already been to all of them, plus a whole
> load that are really only for Ubuntu users. Sadly none of them really
> explain what is what in the log messages. The closest I got was for
> Ubuntu and they look similar but different from the opensuse ones (I’m
> an Ubuntu refugee and had just about gotten on top of AppArmor in
> Ubuntu, but have noticed some differences and was trying to get some
> leads on these).
>
> thanks again
>
> Nerderello
>
>

You can ask aa related questions in the IRC channel (server:
irc.oftc.net, channel: #apparmor)


openSUSE Factory 64 bit
KDE 4.14.0