AppArmor无内核及系统日志的问题及解决

在AppArmor中，正常情况下，一旦违反了规则，是能够在内核及系统日志中看到相关信息的。比如：在Ubuntu下正常产生的日志信息（示例）如下：

kernel: [140321.028000] audit(1191433716.584:1578):  type=1502 operation=”inode_create” requested_mask=”w” denied_mask=”w” name=”/home/n1/Desktop/abc” pid=4864 profile=”/home/n1/Desktop/testapp”
kernel: [140362.236000] audit(1191433758.086:1579):  type=1502 operation=”inode_permission” requested_mask=”r” denied_mask=”r” name=”/home/n1/Desktop/abcd” pid=4877 profile=”/home/n1/Desktop/testapp”

根据以上日志信息，定位到产生此日志的内核代码是security/apparmor/audit.c中的audit_pre函数。audit_pre函数在<linux内核源码根目录>/security/apparmor/audit.c中，代码如下：

/*** audit_base - core AppArmor function.* @ab: audit buffer to fill (NOT NULL)* @ca: audit structure containing data to audit (NOT NULL)** Record common AppArmor audit data from @sa*/
static void audit_pre(struct audit_buffer *ab, void *ca)
{struct common_audit_data *sa = ca;if (aa_g_audit_header) {audit_log_format(ab, "apparmor=\"%s\"",aa_audit_type[aad(sa)->type]);}if (aad(sa)->op) {audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);}if (aad(sa)->info) {audit_log_format(ab, " info=\"%s\"", aad(sa)->info);if (aad(sa)->error)audit_log_format(ab, " error=%d", aad(sa)->error);}if (aad(sa)->label) {struct aa_label *label = aad(sa)->label;if (label_isprofile(label)) {struct aa_profile *profile = labels_profile(label);if (profile->ns != root_ns) {audit_log_format(ab, " namespace=");audit_log_untrustedstring(ab,profile->ns->base.hname);}audit_log_format(ab, " profile=");audit_log_untrustedstring(ab, profile->base.hname);} else {audit_log_format(ab, " label=");aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,GFP_ATOMIC);}}if (aad(sa)->name) {audit_log_format(ab, " name=");audit_log_untrustedstring(ab, aad(sa)->name);}
}

而audit_pre函数是在同文件中的aa_audit_msg函数中被调用的，该函数代码如下：

/*** aa_audit_msg - Log a message to the audit subsystem* @sa: audit event structure (NOT NULL)* @cb: optional callback fn for type specific fields (MAYBE NULL)*/
void aa_audit_msg(int type, struct common_audit_data *sa,void (*cb) (struct audit_buffer *, void *))
{aad(sa)->type = type;common_lsm_audit(sa, audit_pre, cb);
}

common_lsm_audit函数在security/lsm_audit.c中实现，代码如下：

/*** common_lsm_audit - generic LSM auditing function* @a:  auxiliary audit data* @pre_audit: lsm-specific pre-audit callback* @post_audit: lsm-specific post-audit callback** setup the audit buffer for common security information* uses callback to print LSM specific information*/
void common_lsm_audit(struct common_audit_data *a,void (*pre_audit)(struct audit_buffer *, void *),void (*post_audit)(struct audit_buffer *, void *))
{struct audit_buffer *ab;if (a == NULL)return;/* we use GFP_ATOMIC so we won't sleep */ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,AUDIT_AVC);if (ab == NULL)return;if (pre_audit)pre_audit(ab, a);dump_common_audit_data(ab, a);if (post_audit)post_audit(ab, a);audit_log_end(ab);
}

在此函数开头处加入打印语句，如：printk(KERN_ERR "daozhelilema? phph?");，观察/var/log/kern.log或/var/log/syslog文件，看是否出现此打印信息。

重新编译内核并烧录及重启后，重新通过sudo aa-genprof test_app生成规则文件。然后再次执行./test_app abc，同时通过tail -f /var/log/kern.log看是否有打印。

/var/log/kern.log中最终出现以下打印：

Apr 27 14:45:55 Ding-Perlis-MP260S48 kernel: [  645.816085] daozhelilema? phph?

说明能够到common_lsm_audit函数。

在此函数中继续添加更多打印，观察是否能够进入common_lsm_audit函数中的pre_audit即实际的audit_pre函数。加入更多打印后的comon_lsm_audit函数代码如下：

void common_lsm_audit(struct common_audit_data *a,void (*pre_audit)(struct audit_buffer *, void *),void (*post_audit)(struct audit_buffer *, void *))
{struct audit_buffer *ab;
printk(KERN_ERR "daozhelilema? phph?");if (a == NULL)return;/* we use GFP_ATOMIC so we won't sleep */ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,AUDIT_AVC);
printk(KERN_ERR "daozhelilema2? phph?");if (ab == NULL)return;
printk(KERN_ERR "daozhelilema3? phph?");if (pre_audit){printk(KERN_ERR "daozhelilema4? phph?");pre_audit(ab, a);}dump_common_audit_data(ab, a);if (post_audit)post_audit(ab, a);audit_log_end(ab);
}

重复前述步骤，最终看到/var/log/kern.log出现如下打印：

Apr 27 15:01:43 Ding-Perlis-MP260S48 kernel: [  179.266281] daozhelilema? phph?
Apr 27 15:01:43 Ding-Perlis-MP260S48 kernel: [  179.266288] daozhelilema2? phph?
Apr 27 15:01:43 Ding-Perlis-MP260S48 kernel: [  179.266290] daozhelilema3? phph?
Apr 27 15:01:43 Ding-Perlis-MP260S48 kernel: [  179.26630] daozhelilema4? phph?

再次深入跟进，这一次连同security/apparmor/audit.c中的audit_pre函数一起加上打印，代码如下所示：

static void audit_pre(struct audit_buffer *ab, void *ca)
{struct common_audit_data *sa = ca;
printk(KERN_ERR "daozhelilema11? phph?\n");if (aa_g_audit_header) {printk(KERN_ERR "daozhelilema22? phph?\n");audit_log_format(ab, "apparmor=\"%s\"",aa_audit_type[aad(sa)->type]);}
printk(KERN_ERR "daozhelilema33? phph?\n");if (aad(sa)->op) {printk(KERN_ERR "daozhelilema44? phph?\n");audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);}
printk(KERN_ERR "daozhelilema55? phph?\n");if (aad(sa)->info) {printk(KERN_ERR "daozhelilema66? phph?\n");audit_log_format(ab, " info=\"%s\"", aad(sa)->info);if (aad(sa)->error)audit_log_format(ab, " error=%d", aad(sa)->error);}
printk(KERN_ERR "daozhelilema77? phph?\n");if (aad(sa)->label) {struct aa_label *label = aad(sa)->label;if (label_isprofile(label)) {struct aa_profile *profile = labels_profile(label);if (profile->ns != root_ns) {audit_log_format(ab, " namespace=");audit_log_untrustedstring(ab,profile->ns->base.hname);}audit_log_format(ab, " profile=");audit_log_untrustedstring(ab, profile->base.hname);} else {audit_log_format(ab, " label=");aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,GFP_ATOMIC);}}if (aad(sa)->name) {audit_log_format(ab, " name=");audit_log_untrustedstring(ab, aad(sa)->name);}
}

comon_lsm_audit函数中的打印语句也完善一下：

void common_lsm_audit(struct common_audit_data *a,void (*pre_audit)(struct audit_buffer *, void *),void (*post_audit)(struct audit_buffer *, void *))
{struct audit_buffer *ab;
printk(KERN_ERR "daozhelilema? phph?\n");if (a == NULL)return;/* we use GFP_ATOMIC so we won't sleep */ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,AUDIT_AVC);
printk(KERN_ERR "daozhelilema2? phph?\n");if (ab == NULL)return;
printk(KERN_ERR "daozhelilema3? phph?\n");if (pre_audit){printk(KERN_ERR "daozhelilema4? phph?\n");pre_audit(ab, a);}
printk(KERN_ERR "daozhelilema5? phph?\n");dump_common_audit_data(ab, a);if (post_audit)post_audit(ab, a);audit_log_end(ab);
}

重复前述步骤，最终看到/var/log/kern.log出现如下打印：

Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729542] daozhelilema? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729559] daozhelilema2? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729563] daozhelilema3? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729566] daozhelilema4? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729569] daozhelilema11? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729573] daozhelilema22? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729577] daozhelilema33? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729580] daozhelilema44? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729584] daozhelilema55? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729587] daozhelilema77? phph?
Apr 28 10:16:05 Ding-Perlis-MP260S48 kernel: [ 2254.729591] daozhelilema5? phph?

这样看来是audit_pre函数已经调用到了，但是audit_log_format函数没有起作用。看一下其实现，在kernel/audit.c中，代码如下：

/*** audit_log_format - format a message into the audit buffer.* @ab: audit_buffer* @fmt: format string* @...: optional parameters matching @fmt string** All the work is done in audit_log_vformat.*/
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{va_list args;if (!ab)return;va_start(args, fmt);audit_log_vformat(ab, fmt, args);va_end(args);
}

在audie_log_format函数中也加上打印，如下所示：

void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{va_list args;
printk(KERN_ERR "daozhelilema   88? phph?\n");if (!ab)return;
printk(KERN_ERR "daozhelilema   99? phph?\n");va_start(args, fmt);audit_log_vformat(ab, fmt, args);va_end(args);
}

 重复前述步骤，最终看到/var/log/kern.log出现如下打印：

Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269097] daozhelilema? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269113] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269117] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269121] daozhelilema2? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269125] daozhelilema3? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269128] daozhelilema4? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269132] daozhelilema11? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269135] daozhelilema22? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269139] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269142] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269146] daozhelilema33? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269150] daozhelilema44? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269153] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269157] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269160] daozhelilema55? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269164] daozhelilema77? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269167] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269171] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269175] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269178] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269182] daozhelilema5? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269185] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269189] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269193] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269197] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269200] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269204] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269207] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269211] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269214] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269218] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269233] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269236] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269240] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269244] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269248] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269251] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269255] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269258] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269265] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269268] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269274] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269277] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269281] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269284] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269295] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269298] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269302] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269305] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269309] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269312] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269321] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269324] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269328] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269331] daozhelilema   99? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269344] daozhelilema   88? phph?
Apr 28 10:55:39 Ding-Perlis-MP260S48 kernel: [  300.269347] daozhelilema   99? phph?

可见，audit_log_format也进入了，并且ab这个指针变量也已经赋值。那么剩下的就只有va_start到va_end这一段代码了，核心函数是audit_log_vformat，其位于同文件（kernel/audit.c）中，就在audit_log_format函数的上边，代码如下：

/** Format an audit message into the audit buffer.  If there isn't enough* room in the audit buffer, more room will be allocated and vsnprint* will be called a second time.  Currently, we assume that a printk* can't format message larger than 1024 bytes, so we don't either.*/
static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,va_list args)
{int len, avail;struct sk_buff *skb;va_list args2;if (!ab)return;BUG_ON(!ab->skb);skb = ab->skb;avail = skb_tailroom(skb);if (avail == 0) {avail = audit_expand(ab, AUDIT_BUFSIZ);if (!avail)goto out;}va_copy(args2, args);len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);if (len >= avail) {/* The printk buffer is 1024 bytes long, so if we get* here and AUDIT_BUFSIZ is at least 1024, then we can* log everything that printk could have logged. */avail = audit_expand(ab,max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));if (!avail)goto out_va_end;len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);}if (len > 0)skb_put(skb, len);
out_va_end:va_end(args2);
out:return;
}

在此函数中继续添加打印语句，如下所示：

static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,va_list args)
{int len, avail;struct sk_buff *skb;va_list args2;if (!ab)return;BUG_ON(!ab->skb);skb = ab->skb;
printk(KERN_ERR "daozhelilema101010?    phph?\n");avail = skb_tailroom(skb);if (avail == 0) {avail = audit_expand(ab, AUDIT_BUFSIZ);if (!avail){printk(KERN_ERR "daozhelilema111111?     phph?\n");goto out;}}
printk(KERN_ERR "daozhelilema222222?    phph?\n");va_copy(args2, args);len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);if (len >= avail) {/* The printk buffer is 1024 bytes long, so if we get* here and AUDIT_BUFSIZ is at least 1024, then we can* log everything that printk could have logged. */avail = audit_expand(ab,max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));if (!avail){printk(KERN_ERR "daozhelilema333333?    phph?\n");goto out_va_end;}len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);}if (len > 0){printk(KERN_ERR "daozhelilema444444?      phph?\n");skb_put(skb, len);}
out_va_end:va_end(args2);
out:return;
}

重复前述步骤，最终看到/var/log/kern.log出现如下打印：

Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498300] daozhelilema? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498315] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498318] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498323] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498326] daozhelilema2? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498329] daozhelilema3? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498332] daozhelilema4? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498336] daozhelilema11? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498339] daozhelilema22? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498342] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498345] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498349] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498352] daozhelilema33? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498355] daozhelilema44? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498358] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498361] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498365] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498368] daozhelilema55? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498371] daozhelilema77? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498374] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498377] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498380] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498384] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498387] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498390] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498394] daozhelilema5? phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498397] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498400] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498403] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498408] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498411] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498414] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498417] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498420] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498423] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498427] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498430] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498433] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498436] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498439] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498442] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498458] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498462] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498465] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498469] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498471] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498475] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498478] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498481] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498485] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498489] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498492] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498496] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498501] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498504] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498509] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498512] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498515] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498518] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498523] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498526] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498529] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498538] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498541] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498545] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498548] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498552] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498555] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498558] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498561] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498564] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498570] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498574] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498577] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498580] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498583] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498586] daozhelilema444444?      phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498599] daozhelilema101010?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498602] daozhelilema222222?    phph?
Apr 28 11:23:09 Ding-Perlis-MP260S48 kernel: [  615.498606] daozhelilema444444?      phph?

由此可见，自行加入的打印能够正常打印出来即产生在内核日志文件中（不包括if语句中的打印语句），而skb开头的相关语句仍然不能在内核日志中输出信息。

综上情况表明：没有日志的问题根源并不是AppArmor本身的问题，基本上可以断定是skb相关的内核代码及选项的问题。