Hello,

I reported this some time ago with old versions, but now I've seen it on 
a server with openSUSE 12.1 and AppArmor 2.7.2 again:

The HANDLING_UNTRUSTED_INPUT hat randomly accesses files which should 
only be accessed using the vhost's hat (vhost_something). This happens 
rarely, IIRC it's the first time on this server (I installed the server 
only some weeks ago, which means it is still quite bored and doesn't have
many vhosts).

The log messages I see are:

type=AVC msg=audit(1331887298.588:2807): apparmor="ALLOWED" operation="file_perm" parent=6465 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.com/httpdocs/joomla_neu/templates/system/css/system.css" pid=26820 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=20008
type=AVC msg=audit(1331887298.588:2808): apparmor="ALLOWED" operation="file_perm" parent=6465 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.com/httpdocs/joomla_neu/templates/system/css/system.css" pid=26820 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=20008
type=AVC msg=audit(1331887299.888:2809): apparmor="ALLOWED" operation="file_perm" parent=6465 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.com/httpdocs/joomla_neu/css/style.css" pid=31748 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=20008
type=AVC msg=audit(1331887299.888:2810): apparmor="ALLOWED" operation="file_perm" parent=6465 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.com/httpdocs/joomla_neu/css/style.css" pid=31748 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=20008

Looks like Apache somehow failed to change to the requested hat; however,
I don't see any error message reporting something like that.

The Apache profile and all its hats are in complain mode.

I use one hat per vhost, my Apache config is:

<VirtualHost *:80>
    AADefaultHatName vhost_something
    [...]
</VirtualHost>

Same question as last time: Do you have any idea what could cause this
and how it can be fixed?


Regards,

Christian Boltz
-- 
Oh I see, "thanks" for the insult. May I quote you on that?
That would be handy as an excuse if I ever want to flame someone.
    "Once your reputation is ruined, you can flame without any inhibition"
[David Haller in suse-linux]
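
Added example, not part of the original message: a small Python filter that finds the kind of event reported above, that is, AVC records where a process still confined by the HANDLING_UNTRUSTED_INPUT hat touches a file below a vhost document root. The `VHOST_ROOT` prefix and the sample records are assumptions constructed from the paths shown in the report; the parser re-joins records that a mail client or pager has hard-wrapped.

```python
import re
from collections import Counter

FALLBACK_HAT = "HANDLING_UNTRUSTED_INPUT"  # hat named in the report
VHOST_ROOT = "/home/www/"  # assumption: every vhost docroot lives below this

# Constructed sample modelled on the report's records, hard-wrapped like mail.
SAMPLE = """\
type=AVC msg=audit(1331887298.588:2807): apparmor="ALLOWED"
operation="file_perm" parent=6465
profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
name="/home/www/example.com/httpdocs/css/style.css"
 pid=26820 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30
ouid=20008
type=AVC msg=audit(1331887298.588:2808): apparmor="ALLOWED"
operation="file_perm" parent=6465
profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
name="/home/www/example.com/httpdocs/css/style.css"
 pid=26820 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30
ouid=20008
type=AVC msg=audit(1331887300.100:2811): apparmor="ALLOWED" operation="open"
parent=6465 profile="/usr/sbin/httpd2-prefork//vhost_something"
name="/home/www/example.com/httpdocs/index.php" pid=26821
comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=20008
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(text):
    """Yield one dict per AVC record, tolerating records wrapped across lines."""
    flat = " ".join(text.split())  # undo hard wrapping
    for chunk in re.split(r"(?=type=AVC\b)", flat):
        if chunk.startswith("type=AVC"):
            yield {k: q if q else v for k, q, v in FIELD.findall(chunk)}

def hat_fallbacks(text, hat=FALLBACK_HAT, root=VHOST_ROOT):
    """Count vhost-file accesses made while still confined by the fallback hat."""
    hits = Counter()
    for rec in parse_avc(text):
        in_hat = rec.get("profile", "").endswith("//" + hat)
        if in_hat and rec.get("name", "").startswith(root):
            hits[(rec["pid"], rec["name"])] += 1
    return hits

if __name__ == "__main__":
    for (pid, name), n in sorted(hat_fallbacks(SAMPLE).items()):
        print(f"pid={pid} events={n} {name}")
```

Grouping by pid and path shows which worker process stayed in the fallback hat and how often, which helps when correlating with the Apache access log for the same timestamps.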


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com