I'm trying to set up a jailbash with AppArmor so that it only logs when a deny rule is applied, but for some reason unknown to me, at least, it logs everything I do in that jailbash. This is my test AppArmor profile, where I want to log anything that is excluded for root:
#include <tunables/global>
/usr/local/bin/jailbash flags=(complain) {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability setuid,
audit deny /test/ wx,
audit deny /test/** wx,
audit deny /test/* wx,
audit deny /bin/rm x,
}
I don't know why, but with this AppArmor profile, everything is logged:
Oct 23 11:01:48 localhost kernel: [327841.275406] audit: type=1400 audit(1508752908.630:22786): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/root/" pid=7093 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:48 localhost kernel: [327841.277940] audit: type=1400 audit(1508752908.634:22787): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/var/" pid=7127 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:48 localhost kernel: [327841.279128] audit: type=1400 audit(1508752908.634:22788): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/var/" pid=7128 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:50 localhost kernel: [327842.740093] audit: type=1400 audit(1508752910.094:22789): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/root/" pid=7093 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:50 localhost kernel: [327842.740511] audit: type=1400 audit(1508752910.094:22790): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/root/" pid=7093 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:50 localhost kernel: [327842.740739] audit: type=1400 audit(1508752910.094:22791): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/root/" pid=7093 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:50 localhost kernel: [327842.743590] audit: type=1400 audit(1508752910.098:22792): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/var/log/" pid=7129 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:01:50 localhost kernel: [327842.744570] audit: type=1400 audit(1508752910.098:22793): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/var/log/" pid=7130 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:15 localhost kernel: [328047.483023] audit_printk_skb: 21 callbacks suppressed
Oct 23 11:05:15 localhost kernel: [328047.483027] audit: type=1400 audit(1508753114.836:22801): apparmor="ALLOWED" operation="exec" profile="/usr/local/bin/jailbash" name="/usr/bin/vim.basic" pid=7132 comm="jailbash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/local/bin/jailbash//null-/usr/bin/vim.basic"
Oct 23 11:05:16 localhost kernel: [328048.326491] audit: type=1400 audit(1508753115.680:22802): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/etc/ld.so.cache" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:16 localhost kernel: [328048.326550] audit: type=1400 audit(1508753115.680:22803): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libm-2.23.so" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328049.147869] audit: type=1400 audit(1508753116.500:22804): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328049.147963] audit: type=1400 audit(1508753116.500:22805): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328049.148118] audit: type=1400 audit(1508753116.500:22806): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libacl.so.1.1.0" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328051.708858] audit: type=1400 audit(1508753119.060:22807): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/usr/lib/x86_64-linux-gnu/libgpm.so.2" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328051.708992] audit: type=1400 audit(1508753119.060:22808): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libdl-2.23.so" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328051.710023] audit: type=1400 audit(1508753119.060:22809): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/usr/lib/x86_64-linux-gnu/libpython3.5m.so.1.0" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:19 localhost kernel: [328051.710120] audit: type=1400 audit(1508753119.060:22810): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.165945] audit_printk_skb: 240 callbacks suppressed
Oct 23 11:06:25 localhost kernel: [328118.165950] audit: type=1400 audit(1508753185.520:22891): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo" pid=7132 comm="vim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.165995] audit: type=1400 audit(1508753185.520:22892): apparmor="ALLOWED" operation="mknod" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo.tmp" pid=7132 comm="vim" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.166072] audit: type=1400 audit(1508753185.520:22893): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo.tmp" pid=7132 comm="vim" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.166088] audit: type=1400 audit(1508753185.520:22894): apparmor="ALLOWED" operation="chown" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo.tmp" pid=7132 comm="vim" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.166396] audit: type=1400 audit(1508753185.520:22895): apparmor="ALLOWED" operation="unlink" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo" pid=7132 comm="vim" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.166485] audit: type=1400 audit(1508753185.520:22896): apparmor="ALLOWED" operation="rename_src" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo.tmp" pid=7132 comm="vim" requested_mask="wrd" denied_mask="wrd" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.166491] audit: type=1400 audit(1508753185.520:22897): apparmor="ALLOWED" operation="rename_dest" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/root/.viminfo" pid=7132 comm="vim" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Oct 23 11:06:25 localhost kernel: [328118.266867] audit: type=1400 audit(1508753185.620:22898): apparmor="ALLOWED" operation="unlink" profile="/usr/local/bin/jailbash//null-/usr/bin/vim.basic" name="/etc/apparmor.d/.usr.local.bin.jailbash.swp" pid=7132 comm="vim" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Does anyone know how to avoid logging everything except the directory mentioned in the profile?
Thanks!
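The dmesg lines above carry apparmor="ALLOWED" together with a denied_mask, which is what a profile in complain mode (flags=(complain)) emits for every access that no allow rule covers; only apparmor="DENIED" entries are accesses that were actually blocked. The script below is an added example, not part of the question: it parses type=1400 lines in that format (constructed samples, including two DENIED lines that are not on the page) and separates complain-mode noise from real deny hits, flagging execs that landed in the //null- learning child profile.

```python
import re
from collections import Counter

# Constructed sample lines in the same type=1400 format as the question's dmesg output.
SAMPLE_LOG = """\
Oct 23 11:01:48 localhost kernel: [327841.275406] audit: type=1400 audit(1508752908.630:22786): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/jailbash" name="/root/" pid=7093 comm="jailbash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 11:05:15 localhost kernel: [328047.483027] audit: type=1400 audit(1508753114.836:22801): apparmor="ALLOWED" operation="exec" profile="/usr/local/bin/jailbash" name="/usr/bin/vim.basic" pid=7132 comm="jailbash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/local/bin/jailbash//null-/usr/bin/vim.basic"
Oct 23 11:07:02 localhost kernel: [328155.000001] audit: type=1400 audit(1508753222.000:22900): apparmor="DENIED" operation="open" profile="/usr/local/bin/jailbash" name="/test/secret" pid=7140 comm="jailbash" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 23 11:07:05 localhost kernel: [328158.000001] audit: type=1400 audit(1508753225.000:22901): apparmor="DENIED" operation="exec" profile="/usr/local/bin/jailbash" name="/bin/rm" pid=7141 comm="jailbash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token (pid=7093, fsuid=0)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(fields):
    """Map one parsed event to what it actually means for the confined process."""
    status = fields.get("apparmor")
    if status == "DENIED":
        return "blocked"            # access was refused (deny rule, or enforce mode)
    if status == "ALLOWED":
        # Complain mode: nothing in the profile permitted this, but it went through.
        if "//null-" in fields.get("profile", "") + fields.get("target", ""):
            return "complain_unconfined_child"   # exec into a //null- learning profile
        return "complain_noise"
    return "other"


def summarize(log_text):
    """Count each event class and list (operation, path, mask) for events really blocked."""
    counts, blocked = Counter(), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        kind = classify(ev)
        counts[kind] += 1
        if kind == "blocked":
            blocked.append((ev["operation"], ev["name"], ev["denied_mask"]))
    return counts, blocked
```

Run against a real journal, a non-zero complain_noise count means the profile is still in complain mode or is missing allow rules for the listed paths.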