Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-02-17 Thread intrigeri
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/-/merge_requests/852

Craig Small (2022-02-17):
> Not sure if Debian BTS handles forwards to MR, I've only ever done it for
> issues.

I don't know if the code that will automatically sync the upstream
state here works, but apart from that the "forwarded" field can be
whatever text we want and I find it useful to fill it with MRs too
⇒ done.

Thanks!



Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-02-17 Thread Craig Small
On Sat, 12 Feb 2022 at 20:35, intrigeri wrote:

> Would one of you be interested in proposing this upstream?
>
Done
https://gitlab.com/apparmor/apparmor/-/merge_requests/852

Not sure if Debian BTS handles forwards to MR, I've only ever done it for
issues.

 - Craig


Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-02-16 Thread Craig Small
On Sat, 12 Feb 2022 at 20:35, intrigeri wrote:

> So it seems to me a good solution may be to allow being ptraced
> in the "apache2-common" abstraction.
>
That makes sense.


> Would one of you be interested in proposing this upstream?
>
> I'm not using Apache2 myself so I'm not a good person to work on this.
>
Sure, any idea how I do this?

 - Craig


Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-02-12 Thread intrigeri
Control: tag -1 + upstream

Hi,

Craig Small (2022-01-05):
> On 2022-01-05 at 12:24, debian-b...@cboltz.de wrote:
>> (Nevertheless, the apache hats should allow to be ptraced.

OK!

>> I'll leave that to the maintainer of the Apache profile in Debian -
>> and would love to see the fix upstreamed.)

I don't see anything Debian-specific here. Did I miss anything?

> I suppose all of the hats should have some line for this.

Makes sense!

In usr.sbin.apache2 I see 2 things:

 - A few default hats that all include the "apache2-common"
   abstraction
 - doc that says every custom hat must include the "apache2-common"
   abstraction

So it seems to me a good solution may be to allow being ptraced
in the "apache2-common" abstraction.

Would one of you be interested in proposing this upstream?

I'm not using Apache2 myself so I'm not a good person to work on this.

Cheers!



Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-01-05 Thread Craig Small
On 2022-01-05 at 12:24, debian-b...@cboltz.de wrote:
> so all profiles that include abstractions/base can be ptraced.
>
> However, what you see happens in the HANDLING_UNTRUSTED_INPUT hat (this
> hat is used when Apache processes are idle) - and Apache hats typically
> don't include abstractions/base.
Ah ha, that's what's doing it. Thanks for the explanation.

> (Nevertheless, the apache hats should allow to be ptraced. I'll leave
> that to the maintainer of the Apache profile in Debian - and would love
> to see the fix upstreamed.)
I suppose all of the hats should have some line for this. I suspect it
is possible to ptrace apache when in the non-idle hat; my webserver is
just not very busy.

 - Craig



Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

2022-01-05 Thread Christian Boltz
Hello,

Am Mittwoch, 5. Januar 2022, 03:31:40 CET schrieb Craig Small:
> audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED"
> operation="ptrace" profile="apache2//HANDLING_UNTRUSTED_INPUT"
> pid=2792993 comm="ss" requested_mask="readby" denied_mask="readby"
> peer="/bin/ss"
> 
> So ss is doing a ptrace on all the network listeners. The odd thing is
> that apache is the only one to complain about this even though other
> daemons listed have their own apparmor profiles.

That's not really odd ;-)

abstractions/base has
ptrace (readby),
ptrace (tracedby),

so all profiles that include abstractions/base can be ptraced.

However, what you see happens in the HANDLING_UNTRUSTED_INPUT hat (this 
hat is used when Apache processes are idle) - and Apache hats typically 
don't include abstractions/base.

(Nevertheless, the apache hats should allow to be ptraced. I'll leave 
that to the maintainer of the Apache profile in Debian - and would love 
to see the fix upstreamed.)


Regards,

Christian Boltz
-- 
 okay.  when can we have the next power outage,
for testing purposes ?
[from #opensuse-admin]
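As an added illustration (not code from this thread or from the AppArmor project): a small Python parser for the audit record quoted above that pulls out the hat the denial happened in and derives the ptrace rule it is missing. The bare `ptrace (readby),` form mirrors what abstractions/base carries; the `peer=` form is an assumption about what a narrower rule would look like.

```python
import re
from typing import Dict, Optional, Tuple

# The denial quoted in the thread, re-joined onto one line.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED" '
    'operation="ptrace" profile="apache2//HANDLING_UNTRUSTED_INPUT" '
    'pid=2792993 comm="ss" requested_mask="readby" denied_mask="readby" '
    'peer="/bin/ss"'
)

# key="quoted value" or key=bareword; the audit(...) timestamp has no '=' and is skipped.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def split_hat(profile: str) -> Tuple[str, Optional[str]]:
    """'apache2//HANDLING_UNTRUSTED_INPUT' -> ('apache2', 'HANDLING_UNTRUSTED_INPUT').

    A hat carries its own rule set, which is why a profile that includes
    abstractions/base can still be denied while it is sitting in a hat that does not.
    """
    base, sep, hat = profile.partition("//")
    return base, (hat if sep else None)


def suggest_ptrace_rule(rec: Dict[str, str], narrow: bool = True) -> Optional[str]:
    """Rule that would satisfy a DENIED ptrace record.

    narrow=True restricts the rule to the logged peer label (assumed form);
    narrow=False yields the abstractions/base style rule the thread proposes
    adding to the apache2-common abstraction.
    Note: a tracer running unconfined is logged as peer="unconfined".
    """
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "ptrace":
        return None
    mask = rec["denied_mask"]
    peer = rec.get("peer")
    if narrow and peer:
        return f"ptrace ({mask}) peer={peer},"
    return f"ptrace ({mask}),"


if __name__ == "__main__":
    record = parse_apparmor_audit(SAMPLE_DENIAL)
    base, hat = split_hat(record["profile"])
    print(f"profile {base}, hat {hat}, comm {record['comm']} pid {record['pid']}")
    print("narrow rule:", suggest_ptrace_rule(record))
    print("abstraction rule:", suggest_ptrace_rule(record, narrow=False))
```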

