[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
** Changed in: apparmor
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1322764

Title:
  apache2 does not work with shipped profiles

Status in AppArmor Linux application security framework:
  Fix Committed
Status in “apparmor” package in Ubuntu:
  Fix Released

Bug description:
  Apache2 fails dramatically with apparmor module enabled.

  $ apt-get install apache2 libapache2-mod-php5 libapache2-mod-apparmor
  #bug?
  #Processing triggers for ufw (0.34~rc-0ubuntu2) ...
  #WARN: Skipping 'ufw-directoryserver': couldn't process
  $ service apache2 stop
  $ service apache2 start
  # All is well

  # By default, apache2 is disabled:
  $ aa-status | grep apache | wc -l
  0
  $ ls /etc/apparmor.d/disable | grep apache2 | wc -l
  1
  $ grep complain /etc/apparmor.d/usr.sbin.apache2
  /usr/sbin/apache2 flags=(complain) {
    ^DEFAULT_URI flags=(complain) {
    ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
  $ aa-enforce /etc/apparmor.d/usr.sbin.apache2
  $ ls /etc/apparmor.d/disable | grep apache2 | wc -l
  0
  $ grep complain /etc/apparmor.d/usr.sbin.apache2
    ^DEFAULT_URI flags=(complain) {
    ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
  #bug: complain not removed on hats when aa-enforce runs
  $ aa-status
  ...
  31 profiles are in enforce mode.
  ...
     /usr/sbin/apache2
  ...
  2 profiles are in complain mode.
     /usr/sbin/apache2//DEFAULT_URI
     /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
  6 processes are unconfined but have a profile defined.
     /usr/sbin/apache2 (811)
     /usr/sbin/apache2 (814)
  ...
  $ service apache2 stop
   * Stopping web server apache2
  $ ps -ef | grep apache2 | wc -l
  8
  #bug: stop fails, via seemingly impossible signal blocking
  # dmesg shows:
  # [17967.520600] type=1400 audit(1399577975.916:104): apparmor=DENIED operation=signal profile=/usr/sbin/apache2 pid=29013 comm=apache2 requested_mask=send denied_mask=send signal=term peer=unconfined
  # How did this happen? The /usr/sbin/apache2 profile has base, which includes the signal
  # rules for allowing an unconfined process send to it.

  # Get back to sanity:
  $ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
  $ service apache2 stop
  $ vi /etc/apparmor.d/usr.sbin.apache2 #remove complain flags on HATs
  $ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
  $ aa-status
  ...
  33 profiles are in enforce mode.
  ...
     /usr/sbin/apache2
     /usr/sbin/apache2//DEFAULT_URI
     /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
  ...
  $ service apache2 start
  $ aa-status
  ...
  13 processes are in enforce mode.
  ...
     /usr/sbin/apache2 (1152)
     /usr/sbin/apache2 (1153)
  ...
  $ wget http://localhost/
  # All is well

  $ a2enmod apparmor
  $ service apache2 restart
  $ aa-status
  ...
  13 processes are in enforce mode.
  ...
     /usr/sbin/apache2 (1162)
     /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1165)
     /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1166)
  ...
  $ wget http://localhost/
  # All is well
  $ service apache2 stop
  # Apache2 can't shut down
  # logs:
  [Fri May 09 22:34:42.280997 2014] [core:warn] [pid 1162] AH00045: child process 1165 still did not exit, sending a SIGTERM
  # dmesg:
  [140073.881409] type=1400 audit(1399700082.276:328): apparmor=DENIED operation=signal profile=/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT pid=1162 comm=apache2 requested_mask=receive denied_mask=receive signal=term peer=/usr/sbin/apache2
  #bug: signals from apache to hats fail
  $ pkill apache2
  pkill: killing pid 1382 failed: Permission denied
  pkill: killing pid 1383 failed: Permission denied
  ...
  #bug: signals from unconfined to hats fail

  # Fix things up...
  $ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
  $ service apache2 stop
  $ pkill apache2
  $ vi /etc/apparmor.d/usr.sbin.apache2
  # add to ^HANDLING_UNTRUSTED_INPUT (instead of adding all of base):
  ## Allow unconfined processes to send us signals by default
  #signal (receive) peer=unconfined,
  ## Allow apache to send us signals by default
  #signal (receive) peer=/usr/sbin/apache2,
  ## Allow us to signal ourselves
  #signal peer=@{profile_name},
  # add to ^DEFAULT_URI (not in base):
  ## Allow apache to send us signals by default
  #signal (receive) peer=/usr/sbin/apache2,
  # add to /usr/sbin/apache2:
  ## Send signals to all hats.
  #signal (send) peer=/usr/sbin/apache2//*,
  # add to /etc/apparmor.d/abstractions/apache2-common (instead of all of base):
  ## Allow unconfined processes to send us signals by default
  #signal (receive) peer=unconfined,
  ## Allow apache to send us signals by default
  #signal (receive) peer=/usr/sbin/apache2,
  ## Allow us to signal ourselves
  #signal peer=@{profile_name},
  $ apparmor_parser -r
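A check for the two failure modes the report walks through, hats left in complain mode after aa-enforce and signal denials between apache2 and its hats, as an added example that is not part of the bug report or of the apparmor project. It is a POSIX sh script; the profile file is constructed here, modelled on the usr.sbin.apache2 layout, the DENIED line is the one from the report's dmesg output, and the function names hats_in_complain and rule_for_denial are my own.

```shell
#!/bin/sh
# Added example, not from the bug report. Constructed profile modelled on
# usr.sbin.apache2 after aa-enforce: the top-level flag is gone but both
# hats still carry flags=(complain), which is the first bug in the report.
PROFILE_FILE=$(mktemp)
trap 'rm -f "$PROFILE_FILE"' EXIT
cat > "$PROFILE_FILE" <<'EOF'
/usr/sbin/apache2 {
  #include <abstractions/base>
  signal (send) peer=/usr/sbin/apache2//*,
  ^DEFAULT_URI flags=(complain) {
    signal (receive) peer=/usr/sbin/apache2,
  }
  ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
    signal (receive) peer=unconfined,
  }
}
EOF

# The DENIED line quoted in the report (a receive denial inside a hat).
DENIAL='[140073.881409] type=1400 audit(1399700082.276:328): apparmor=DENIED operation=signal profile=/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT pid=1162 comm=apache2 requested_mask=receive denied_mask=receive signal=term peer=/usr/sbin/apache2'

# Print the name of every hat ("^NAME ... {") that still carries flags=(complain).
# Empty output means the profile, hats included, is really in enforce mode.
hats_in_complain() {
    sed -n 's/^[[:space:]]*\^\([A-Za-z0-9_]*\)[[:space:]].*flags=(complain).*/\1/p' "$1"
}

# Turn one AppArmor DENIED signal audit line into the rule that would permit it.
# profile= names the confined side whose check failed, requested_mask= says
# whether it was sending or receiving, and peer= is the other party's label,
# so the rule belongs in that profile (or hat), same direction, same peer.
rule_for_denial() {
    profile=$(printf '%s\n' "$1" | sed -n 's/.*profile=\([^ ]*\).*/\1/p')
    mask=$(printf '%s\n' "$1" | sed -n 's/.*requested_mask=\([^ ]*\).*/\1/p')
    peer=$(printf '%s\n' "$1" | sed -n 's/.*peer=\([^ ]*\).*/\1/p')
    [ -n "$profile" ] && [ -n "$mask" ] && [ -n "$peer" ] || return 1
    printf '%s needs: signal (%s) peer=%s,\n' "$profile" "$mask" "$peer"
}

echo "hats still in complain mode:"
hats_in_complain "$PROFILE_FILE"
rule_for_denial "$DENIAL"
```

Pointed at the real /etc/apparmor.d/usr.sbin.apache2 and at dmesg lines, the same two functions show whether aa-enforce left any hat in complain mode and which hat is missing a signal rule for which peer.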
[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
Apparmor 2.9.0 has been released; closing.

** Changed in: apparmor
       Status: Fix Committed => Fix Released

-- 
Status in AppArmor Linux application security framework:
  Fix Released
Status in “apparmor” package in Ubuntu:
  Fix Released
[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
** Tags added: aa-policy

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Released

-- 
Status in AppArmor Linux application security framework:
  In Progress
Status in “apparmor” package in Ubuntu:
  Fix Released