Hello,

Am Mittwoch, 31. August 2016, 08:36:39 CEST schrieb Michal Kubecek:
> On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> > Michal, do you know if there were AppArmor-related patches added
> > between the previous 3.11 Evergreen kernel and the (AFAIK)
> > SLE-based 3.12 kernel that could explain this problem?
> 
> In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1.
> There are some differences but those are mostly fixes needed to build
> of architectures and drivers/features not built in SLE (none of them
> is AppArmor related, IIRC). And, of course, the configs are quite
> different but the AppArmor related options seem to be the same.
> 
> As for the AppArmor related changes, there are 20 mainline commits
> between 3.11 and 3.12:
...
> 01e2b670aa89 apparmor: convert profile lists to RCU based locking

It turned out this commit (and another one) introduced the bug I 
found.

Currently I'm testing a fixed kernel on 42.2 beta, and it seems to fix 
the problem (at least my reproducer [1] no longer triggers the issue).

You can find the fixed kernel package for 42.2 at 
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source

The relevant patch is 
    
patches.apparmor.tar.bz2/0001-apparmor-fix-change_hat-not-finding-hat-after-policy.patch
 
see the link diff at
https://build.opensuse.org/package/rdiff/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source?opackage=kernel-source&oproject=Kernel%3AopenSUSE-42.2&rev=3

John also created a branch for Kernel:stable at
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:stable/kernel-source
with the same patch, but I didn't test it yet.

I wouldn't be too surprised if the patch also works for kernel 3.12 ;-)


BTW: Until fixed kernels are available, the workaround is to restart
Apache after reloading the AppArmor profiles.


Regards,

Christian Boltz

[1] The reproducer I'm using is:
    - reboot (to get a clean starting state, probably superfluous)
    - rcapache2 restart
    - rcapparmor reload
    - access a web page with your browser
    - find change_hat failures for HANDLING_UNTRUSTED_INPUT in
      /var/log/apache2/error_log

-- 
Wer News ├╝ber ein Webinterface liest, filmt auch die Tageszeitung,
um sie auf dem Fernseher anzuschauen.        [Henning Schlottmann]

_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen

Reply via email to