when auditd logs get rotated)
- use getgrnam() with setgid when dropping to nobody_group
- add '-u USER' option to drop to this user when running priviliged but
not under sudo. Useful for starting when logged in as root.
- add a read access check before get_logfile_inode() so we don't have to
wait for the timeout in get_logfile_inode()
- set euid only when dropping privileges, instead of using POSIX::setuid()
which sets uid, euid and saved id when starting privileged
- create send_message() function which fork/execs so that we can set the
real uid before calling notify-send (notify-send looks at the real uid
when trying to connect to dbus)
- adjust reopen_logfile() to raise privileges (via euid) before accessing
logfile when $< != $>. Drop them again after open().
- also check for inode change
- update size to use stat
- treat logfile_size like logfile_inode
- update logfile_size and logfile_inode in reopen_logfile()
- add -f option to optionally specify the logfile
- when polling, check to see if the logfile size decreased, and if so, reopen
it. Currently this only works if you can read the file after dropping
privileges
For now just look at 'name=...' which is usually the last in the log entry,
so validate input against this and output based on it.
TODO: better handle other cases too
- Update matching regex for reordered kernel audit messages (when they
come through syslog). Ideally, rather than use a regex, the utils would
just use the log parsing library to determine whether it's a log even
of interest.
- fix debugging code write a logfile in /var/log/apparmor and not a
predictable location in /tmp; File::Temp would be the right solution
except that the log file is created in a BEGIN clause, and
File::Temp.new() ends up returning an unopened filehandle in that
situation, so logging fails. Someone with more perl-fu may know how to
fix that.
Fork tracking is broken by the kernel message for clone no longer supplying
the child pid correctly. Instead the parent pid will be output with each
message and the tools will fake a fork when they detect a previously
unknow parent child relationship.
/usr/bin/rsyncd) bnc#408869
The unconfined tool shows:
[...]
29799 /usr/bin/rsync not confined
29799 /usr/bin/rsync not confined
This is because unconfined is grabbing the post symlink resolved exe filename
which for /usr/sbin/rsyncd is /usr/bin/rsync.
To fix this provide both the cmdline and exec name in parenthesis when the
exe name and the cmdline name differ.
For the above example you would see
29799 /usr/bin/rsync (/usr/sbin/rsyncd) not confined
- flags being dropped from hats
- rules can be poorly split on writing the profile
- identical rules with different permissions are not properly combined, so
that only permissions of the last rule are kept
Added missing capabilities names.
Simple rlimits support. It doesn't care about range of individual limit,
you can add ie -100G stack size or 100M nice. But maybe sufficient?
- rpc was failing when passing arrays because the perl is_utf8 string flag
was set even though its only sending numbers but newer HTTP::Message
checks for this is_utf8 and if it finds it aborts.
- fix local profiles
local profiles were failing because
1.) the parameters to serialize_profile were bad
2.) the file location was not getting updated so they would get written
back to the inactive profiles directory
