Hello,

On Wednesday, 31 August 2016, 08:36:39 CEST, Michal Kubecek wrote:
> On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> > Michal, do you know if there were AppArmor-related patches added
> > between the previous 3.11 Evergreen kernel and the (AFAIK)
> > SLE-based 3.12 kernel that could explain this problem?
>
> In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1.
> There are some differences but those are mostly fixes needed to build
> of architectures and drivers/features not built in SLE (none of them
> is AppArmor related, IIRC). And, of course, the configs are quite
> different but the AppArmor related options seem to be the same.
>
> As for the AppArmor related changes, there are 20 mainline commits
> between 3.11 and 3.12:
...
> 01e2b670aa89 apparmor: convert profile lists to RCU based locking

It turned out this commit (and another one) introduced the bug I found.

Currently I'm testing a fixed kernel on 42.2 beta, and it seems to fix the problem (at least my reproducer [1] no longer triggers the issue).

You can find the fixed kernel package for 42.2 at
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source

The relevant patch is
patches.apparmor.tar.bz2/0001-apparmor-fix-change_hat-not-finding-hat-after-policy.patch

See the link diff at
https://build.opensuse.org/package/rdiff/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source?opackage=kernel-source&oproject=Kernel%3AopenSUSE-42.2&rev=3

John also created a branch for Kernel:stable at
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:stable/kernel-source
with the same patch, but I didn't test it yet.

I wouldn't be too surprised if the patch also works for kernel 3.12 ;-)

BTW: Until fixed kernels are available, the workaround is to restart Apache after reloading the AppArmor profiles.

Regards,

Christian Boltz

[1] The reproducer I'm using is:
- reboot (to get a clean starting state, probably superfluous)
- rcapache2 restart
- rcapparmor reload
- access a web page with your browser
- find change_hat failures for HANDLING_UNTRUSTED_INPUT in /var/log/apache2/error_log

-- 
Anyone who reads news via a web interface also films the daily newspaper in order to watch it on the TV. [Henning Schlottmann]

_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen