[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2

Steve Beattie sbeattie at suse.de
Tue Feb 6 10:56:26 MST 2007


On Tue, Feb 06, 2007 at 08:14:34AM -0800, John Johansen wrote:
> On Tue, Feb 06, 2007 at 01:14:41PM +0100, ps wrote:
> > I have read what you wrote and I'm not sure if I understand you
> > correctly. This log trail which I have found in audit.log:
> > "type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
> > capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
> > active /usr/sbin/sshd)"
> > means that there is an unknown capability in the OpenSuSE 10.2 kernel?
> Not quite.  The capability is known but the apparmor module was missing
> the strings to correctly report the two audit capabilities.  So
> cap audit_write and audit_control get reported as 'invalid-capability',
> but the kernel and the apparmor module enforce them correctly.
>
> > some part of apparmor (parser) is incomplete and doesn't recognize all
> > available capabilities supported by kernel 2.6.18.2-34-default?
> Incomplete, yes: it can't report them correctly, but it does recognize them.

I verified the pristine parser in openSUSE 10.2 does include support for
the audit_write and audit_control capabilities.

> > > Most likely sshd desires the audit_write capability to write an
> > > authentication audit record. audit_control should only be needed by
> > > auditd, auditctl, and possibly other audit tools, if my reading of a
> > > recent capabilities(7) manpage conforms to reality.
> > I tried audit_write capability in sshd profile but it didn't work.
> > I couldn't log in (I got: "connection close") and I received in audit.log:
> > "type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to
> > capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd
> > active /usr/sbin/sshd)"
> > 
> > It means that adding this capability doesn't help and is not what sshd
> > wants(?)
> > 
> It would seem so; did you try audit_control?  sshd shouldn't need
> it but that doesn't stop developers from trying to use it.

Hmm, it looks like a bug in the kernel audit subsystem to me; I
successfully duplicated this on a pristine openSUSE 10.2 machine, and
sure enough, sshd needs the audit_control capability immediately after
writing to /proc/<pid>/loginuid.

Looking at the mainline kernel tree at
fs/proc/base.c::proc_loginuid_write(), the first line of real code in
the function is:

	if (!capable(CAP_AUDIT_CONTROL))
		return -EPERM;

This seems to be counter to what the capabilities(7) manpage says.
-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/
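
The following is an added example, not code from this post, from sshd or
from AppArmor. It reproduces the step described above outside of AppArmor:
sshd's audit support writes the login uid to /proc/self/loginuid, and
fs/proc/base.c::proc_loginuid_write() gates that write on
capable(CAP_AUDIT_CONTROL). The program reports whether CAP_AUDIT_WRITE
(bit 29) and CAP_AUDIT_CONTROL (bit 30, both numbers from
include/linux/capability.h) are in the caller's effective set, then
attempts the write and prints the errno the kernel hands back. It assumes
a Linux /proc with the usual /proc/<pid>/status "CapEff:" line; the
constructed sample lines in the comments are for illustration only.

```c
/* Added example: check the audit capabilities and attempt the loginuid
 * write the way sshd does.  Not code from the mailing-list post. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability numbers as in include/linux/capability.h. */
#define CAP_AUDIT_WRITE   29
#define CAP_AUDIT_CONTROL 30

/* Parse one "CapEff:\t<hex mask>" line as found in /proc/<pid>/status
 * (constructed sample: "CapEff:\t0000003fffffffff") and report whether
 * capability bit `cap` is set.  Returns 1 or 0, or -1 on a malformed line. */
int cap_line_has(const char *line, int cap)
{
    const char *p = strchr(line, ':');
    if (!p || cap < 0 || cap > 63)
        return -1;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    uint64_t mask = strtoull(p, &end, 16);
    if (errno || end == p)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Look up `cap` in the calling process's effective set via /proc/self/status.
 * Returns 1 or 0, or -1 if the file or the CapEff line cannot be read. */
int self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            rc = cap_line_has(line, cap);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Do what sshd does: write the login uid, as a decimal string, to
 * /proc/self/loginuid.  Returns 0 on success, otherwise the errno;
 * EPERM is what the capable(CAP_AUDIT_CONTROL) check produces. */
int try_set_loginuid(unsigned int uid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%u", uid);
    int fd = open("/proc/self/loginuid", O_WRONLY);
    if (fd < 0)
        return errno;
    int rc = 0;
    if (write(fd, buf, (size_t)len) != len)
        rc = errno ? errno : EIO;
    close(fd);
    return rc;
}

int main(void)
{
    int wr  = self_has_cap(CAP_AUDIT_WRITE);
    int ctl = self_has_cap(CAP_AUDIT_CONTROL);
    printf("CAP_AUDIT_WRITE   (29) in CapEff: %d\n", wr);
    printf("CAP_AUDIT_CONTROL (30) in CapEff: %d\n", ctl);

    int rc = try_set_loginuid(getuid());
    if (rc == 0)
        printf("write to /proc/self/loginuid: ok\n");
    else
        printf("write to /proc/self/loginuid: %s (errno %d)\n",
               strerror(rc), rc);
    if (rc == EPERM && ctl == 0)
        printf("-> matches the capable(CAP_AUDIT_CONTROL) check in "
               "proc_loginuid_write()\n");
    return 0;
}
```

Run it once as an unprivileged user and once as root (or under a profile
that grants capability audit_control) to see the two outcomes side by
side. One caveat when reproducing this on a current kernel: the check has
since moved into the audit core (audit_set_loginuid_perm()), where
CAP_AUDIT_CONTROL is demanded only when the loginuid is already set, so a
process whose loginuid is still unset (4294967295) may succeed without the
capability where the 2.6.18 code quoted above returned EPERM
unconditionally.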