[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
** Changed in: apparmor
Status: In Progress = Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1322764
Title:
apache2 does not work with shipped profiles
Status in AppArmor Linux application security framework:
Fix Committed
Status in “apparmor” package in Ubuntu:
Fix Released
Bug description:
Apache2 fails dramatically with apparmor module enabled.
$ apt-get install apache2 libapache2-mod-php5 libapache2-mod-apparmor
#bug?
#Processing triggers for ufw (0.34~rc-0ubuntu2) ...
#WARN: Skipping 'ufw-directoryserver': couldn't process
$ service apache2 stop
$ service apache2 start
# All is well
# By default, apache2 is disabled:
$ aa-status | grep apache | wc -l
0
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
1
$ grep complain /etc/apparmor.d/usr.sbin.apache2
/usr/sbin/apache2 flags=(complain) {
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
$ aa-enforce /etc/apparmor.d/usr.sbin.apache2
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
0
$ grep complain /etc/apparmor.d/usr.sbin.apache2
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
#bug: complain not removed on hats when aa-enforce runs
$ aa-status
...
31 profiles are in enforce mode.
...
/usr/sbin/apache2
...
2 profiles are in complain mode.
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
6 processes are unconfined but have a profile defined.
/usr/sbin/apache2 (811)
/usr/sbin/apache2 (814)
...
$ service apache2 stop
* Stopping web server apache2
$ ps -ef | grep apache2 | wc -l
8
#bug: stop fails, via seemingly impossible signal blocking
# dmesg shows:
# [17967.520600] type=1400 audit(1399577975.916:104): apparmor=DENIED
operation=signal profile=/usr/sbin/apache2 pid=29013 comm=apache2
requested_mask=send denied_mask=send signal=term peer=unconfined
# How did this happen? The /usr/sbin/apache2 profile has base, which
includes the signal
# rules for allowing an unconfined process send to it.
# Get back to sanity:
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ vi /etc/apparmor.d/usr.sbin.apache2 #remove complain flags on HATs
$ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
$ aa-status
...
33 profiles are in enforce mode.
...
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
...
$ service apache2 start
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1152)
/usr/sbin/apache2 (1153)
...
$ wget http://localhost/
# All is well
$ a2enmod apparmor
$ service apache2 restart
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1162)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1165)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1166)
...
$ wget http://localhost/
# All is well
$ service apache2 stop
# Apache2 can't shut down
# logs: [Fri May 09 22:34:42.280997 2014] [core:warn] [pid 1162] AH00045:
child process 1165 still did not exit, sending a SIGTERM
# dmesg: [140073.881409] type=1400 audit(1399700082.276:328):
apparmor=DENIED operation=signal
profile=/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT pid=1162 comm=apache2
requested_mask=receive denied_mask=receive signal=term
peer=/usr/sbin/apache2
#bug: signals from apache to hats fail
$ pkill apache2
pkill: killing pid 1382 failed: Permission denied
pkill: killing pid 1383 failed: Permission denied
...
#bug: signals from unconfined to hats fail
# Fix things up...
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ pkill apache2
$ vi /etc/apparmor.d/usr.sbin.apache2
# add to ^HANDLING_UNTRUSTED_INPUT (instead of adding all of base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal peer=@{profile_name},
# add to ^DEFAULT_URI (not in base):
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
# add to /usr/sbin/apache2:
## Send signals to all hats.
#signal (send) peer=/usr/sbin/apache2//*,
# add to /etc/apparmor.d/abstractions/apache2-common (instead of all of
base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal peer=@{profile_name},
$ apparmor_parser -r
[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
Apparmor 2.9.0 has been released; closing.
** Changed in: apparmor
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1322764
Title:
apache2 does not work with shipped profiles
Status in AppArmor Linux application security framework:
Fix Released
Status in “apparmor” package in Ubuntu:
Fix Released
Bug description:
Apache2 fails dramatically with apparmor module enabled.
$ apt-get install apache2 libapache2-mod-php5 libapache2-mod-apparmor
#bug?
#Processing triggers for ufw (0.34~rc-0ubuntu2) ...
#WARN: Skipping 'ufw-directoryserver': couldn't process
$ service apache2 stop
$ service apache2 start
# All is well
# By default, apache2 is disabled:
$ aa-status | grep apache | wc -l
0
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
1
$ grep complain /etc/apparmor.d/usr.sbin.apache2
/usr/sbin/apache2 flags=(complain) {
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
$ aa-enforce /etc/apparmor.d/usr.sbin.apache2
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
0
$ grep complain /etc/apparmor.d/usr.sbin.apache2
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
#bug: complain not removed on hats when aa-enforce runs
$ aa-status
...
31 profiles are in enforce mode.
...
/usr/sbin/apache2
...
2 profiles are in complain mode.
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
6 processes are unconfined but have a profile defined.
/usr/sbin/apache2 (811)
/usr/sbin/apache2 (814)
...
$ service apache2 stop
* Stopping web server apache2
$ ps -ef | grep apache2 | wc -l
8
#bug: stop fails, via seemingly impossible signal blocking
# dmesg shows:
# [17967.520600] type=1400 audit(1399577975.916:104): apparmor=DENIED
operation=signal profile=/usr/sbin/apache2 pid=29013 comm=apache2
requested_mask=send denied_mask=send signal=term peer=unconfined
# How did this happen? The /usr/sbin/apache2 profile has base, which
includes the signal
# rules for allowing an unconfined process send to it.
# Get back to sanity:
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ vi /etc/apparmor.d/usr.sbin.apache2 #remove complain flags on HATs
$ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
$ aa-status
...
33 profiles are in enforce mode.
...
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
...
$ service apache2 start
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1152)
/usr/sbin/apache2 (1153)
...
$ wget http://localhost/
# All is well
$ a2enmod apparmor
$ service apache2 restart
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1162)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1165)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1166)
...
$ wget http://localhost/
# All is well
$ service apache2 stop
# Apache2 can't shut down
# logs: [Fri May 09 22:34:42.280997 2014] [core:warn] [pid 1162] AH00045:
child process 1165 still did not exit, sending a SIGTERM
# dmesg: [140073.881409] type=1400 audit(1399700082.276:328):
apparmor=DENIED operation=signal
profile=/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT pid=1162 comm=apache2
requested_mask=receive denied_mask=receive signal=term
peer=/usr/sbin/apache2
#bug: signals from apache to hats fail
$ pkill apache2
pkill: killing pid 1382 failed: Permission denied
pkill: killing pid 1383 failed: Permission denied
...
#bug: signals from unconfined to hats fail
# Fix things up...
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ pkill apache2
$ vi /etc/apparmor.d/usr.sbin.apache2
# add to ^HANDLING_UNTRUSTED_INPUT (instead of adding all of base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal peer=@{profile_name},
# add to ^DEFAULT_URI (not in base):
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
# add to /usr/sbin/apache2:
## Send signals to all hats.
#signal (send) peer=/usr/sbin/apache2//*,
# add to /etc/apparmor.d/abstractions/apache2-common (instead of all of
base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal
[Touch-packages] [Bug 1322764] Re: apache2 does not work with shipped profiles
** Tags added: aa-policy
** Changed in: apparmor (Ubuntu)
Status: Triaged = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1322764
Title:
apache2 does not work with shipped profiles
Status in AppArmor Linux application security framework:
In Progress
Status in “apparmor” package in Ubuntu:
Fix Released
Bug description:
Apache2 fails dramatically with apparmor module enabled.
$ apt-get install apache2 libapache2-mod-php5 libapache2-mod-apparmor
#bug?
#Processing triggers for ufw (0.34~rc-0ubuntu2) ...
#WARN: Skipping 'ufw-directoryserver': couldn't process
$ service apache2 stop
$ service apache2 start
# All is well
# By default, apache2 is disabled:
$ aa-status | grep apache | wc -l
0
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
1
$ grep complain /etc/apparmor.d/usr.sbin.apache2
/usr/sbin/apache2 flags=(complain) {
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
$ aa-enforce /etc/apparmor.d/usr.sbin.apache2
$ ls /etc/apparmor.d/disable | grep apache2 | wc -l
0
$ grep complain /etc/apparmor.d/usr.sbin.apache2
^DEFAULT_URI flags=(complain) {
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
#bug: complain not removed on hats when aa-enforce runs
$ aa-status
...
31 profiles are in enforce mode.
...
/usr/sbin/apache2
...
2 profiles are in complain mode.
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
6 processes are unconfined but have a profile defined.
/usr/sbin/apache2 (811)
/usr/sbin/apache2 (814)
...
$ service apache2 stop
* Stopping web server apache2
$ ps -ef | grep apache2 | wc -l
8
#bug: stop fails, via seemingly impossible signal blocking
# dmesg shows:
# [17967.520600] type=1400 audit(1399577975.916:104): apparmor=DENIED
operation=signal profile=/usr/sbin/apache2 pid=29013 comm=apache2
requested_mask=send denied_mask=send signal=term peer=unconfined
# How did this happen? The /usr/sbin/apache2 profile has base, which
includes the signal
# rules for allowing an unconfined process send to it.
# Get back to sanity:
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ vi /etc/apparmor.d/usr.sbin.apache2 #remove complain flags on HATs
$ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
$ aa-status
...
33 profiles are in enforce mode.
...
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
...
$ service apache2 start
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1152)
/usr/sbin/apache2 (1153)
...
$ wget http://localhost/
# All is well
$ a2enmod apparmor
$ service apache2 restart
$ aa-status
...
13 processes are in enforce mode.
...
/usr/sbin/apache2 (1162)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1165)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (1166)
...
$ wget http://localhost/
# All is well
$ service apache2 stop
# Apache2 can't shut down
# logs: [Fri May 09 22:34:42.280997 2014] [core:warn] [pid 1162] AH00045:
child process 1165 still did not exit, sending a SIGTERM
# dmesg: [140073.881409] type=1400 audit(1399700082.276:328):
apparmor=DENIED operation=signal
profile=/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT pid=1162 comm=apache2
requested_mask=receive denied_mask=receive signal=term
peer=/usr/sbin/apache2
#bug: signals from apache to hats fail
$ pkill apache2
pkill: killing pid 1382 failed: Permission denied
pkill: killing pid 1383 failed: Permission denied
...
#bug: signals from unconfined to hats fail
# Fix things up...
$ apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
$ service apache2 stop
$ pkill apache2
$ vi /etc/apparmor.d/usr.sbin.apache2
# add to ^HANDLING_UNTRUSTED_INPUT (instead of adding all of base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal peer=@{profile_name},
# add to ^DEFAULT_URI (not in base):
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
# add to /usr/sbin/apache2:
## Send signals to all hats.
#signal (send) peer=/usr/sbin/apache2//*,
# add to /etc/apparmor.d/abstractions/apache2-common (instead of all of
base):
## Allow unconfined processes to send us signals by default
#signal (receive) peer=unconfined,
## Allow apache to send us signals by default
#signal (receive) peer=/usr/sbin/apache2,
## Allow us to signal ourselves
#signal peer=@{profile_name},
$
