Re: [Evergreen] AppArmor change_hat failures with kernel 3.12

2016-09-08 Thread Christian Boltz
Hello,

On Wednesday, 31 August 2016, 08:36:39 CEST, Michal Kubecek wrote:
> On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> > Michal, do you know if there were AppArmor-related patches added
> > between the previous 3.11 Evergreen kernel and the (AFAIK)
> > SLE-based 3.12 kernel that could explain this problem?
> 
> In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1.
> There are some differences but those are mostly fixes needed to build
> of architectures and drivers/features not built in SLE (none of them
> is AppArmor related, IIRC). And, of course, the configs are quite
> different but the AppArmor related options seem to be the same.
> 
> As for the AppArmor related changes, there are 20 mainline commits
> between 3.11 and 3.12:
...
> 01e2b670aa89 apparmor: convert profile lists to RCU based locking

It turned out this commit (and another one) introduced the bug I 
found.

Currently I'm testing a fixed kernel on 42.2 beta, and it seems to fix 
the problem (at least my reproducer [1] no longer triggers the issue).

You can find the fixed kernel package for 42.2 at 
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source

The relevant patch is 

patches.apparmor.tar.bz2/0001-apparmor-fix-change_hat-not-finding-hat-after-policy.patch
 
see the link diff at
https://build.opensuse.org/package/rdiff/home:jrjohansen:branches:Kernel:openSUSE-42.2/kernel-source?opackage=kernel-source=Kernel%3AopenSUSE-42.2=3

John also created a branch for Kernel:stable at
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:stable/kernel-source
with the same patch, but I didn't test it yet.

I wouldn't be too surprised if the patch also works for kernel 3.12 ;-)


BTW: Until fixed kernels are available, the workaround is to restart
Apache after reloading the AppArmor profiles.


Regards,

Christian Boltz

[1] The reproducer I'm using is:
- reboot (to get a clean starting state, probably superfluous)
- rcapache2 restart
- rcapparmor reload
- access a web page with your browser
- find change_hat failures for HANDLING_UNTRUSTED_INPUT in
  /var/log/apache2/error_log

-- 
Anyone who reads news through a web interface also films the daily
newspaper in order to watch it on TV. [Henning Schlottmann]

___
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen


Re: [Evergreen] AppArmor change_hat failures with kernel 3.12

2016-08-31 Thread Michal Kubecek
On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> Michal, do you know if there were AppArmor-related patches added between 
> the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel 
> that could explain this problem?

In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1. There
are some differences but those are mostly fixes needed to build of
architectures and drivers/features not built in SLE (none of them is
AppArmor related, IIRC). And, of course, the configs are quite different
but the AppArmor related options seem to be the same.

As for the AppArmor related changes, there are 20 mainline commits
between 3.11 and 3.12:

ed2c7da3a40c apparmor: fix bad lock balance when introspecting policy
5cb3e91ebd04 apparmor: fix memleak of the profile hash
4cd4fc77032d apparmor: fix suspicious RCU usage warning in policy.c/policy.h
71ac7f6255c5 apparmor: Use shash crypto API interface for profile hashes
5265fc6219dd module/lsm: Have apparmor module parameters work with no args
f8eb8a1324e8 apparmor: add the ability to report a sha1 hash of loaded policy
84f1f787421c apparmor: export set of capabilities supported by the apparmor module
29b3822f1e13 apparmor: add the profile introspection file to interface
556d0be74b19 apparmor: add an optional profile attachment string for profiles
0d259f043f5f apparmor: add interface files for profiles and namespaces
038165070aa5 apparmor: allow setting any profile into the unconfined state
8651e1d6572b apparmor: make free_profile available outside of policy.c
742058b0f3a2 apparmor: rework namespace free path
fa2ac468db51 apparmor: update how unconfined is handled
77b071b34045 apparmor: change how profile replacement update is done
01e2b670aa89 apparmor: convert profile lists to RCU based locking
dd51c8485763 apparmor: provide base for multiple profiles to be replaced at once
9d910a3bc010 apparmor: add a features/policy dir to interface
c611616cd3cb apparmor: enable users to query whether apparmor is enabled
dfe4ac28be73 apparmor: remove minimum size check for vmalloc()

and 3.12.41 backport of mainline commit 39f1f78d53b9 ("nick kvfree()
from apparmor"). Then there are SLE specific patches

  patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task
  patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi
  patches.fixes/apparmor-fix-open-after-profile-replacement.patch
  patches.fixes/apparmor-fix-replacement-not-being-applied.patch
  patches.fixes/skip-proc-ns-files.patch

(also one which has already been in 3.11 based 13.1 kernel and has been
refreshed). Unfortunately none of these has usable mainline reference.

Finally, I found one patch which was in the 3.11 kernel but is missing
in SLE12-SP1 and evergreen-13.1:

  patches.apparmor/apparmor-profiles-seq_file

but this seems to be obsoleted by mainline commit 29b3822f1e13.

You can find SLE12-SP1 sources at

  http://kernel.suse.com/branches/SLE12-SP1

I'm not mirroring evergreen 13.1 kernel sources to a public location at
the moment but if there is interest, I can push them to github.

 Michal Kubecek


[Evergreen] AppArmor change_hat failures with kernel 3.12

2016-08-30 Thread Christian Boltz
Hello,

I see lots of AppArmor change_hat failures (reported by the mod_apparmor 
apache module) which started when Evergreen got the 3.12 kernel. 
I also see this problem on 42.2, so I'd guess it is a problem with the 
SLE-based kernels.

In the apache error_log, I get tons of this message:

[Mon Aug 29 21:35:58.141373 2016] [apparmor:error] [pid 23452] (2)
No such file or directory: Failed to change_hat to 
'HANDLING_UNTRUSTED_INPUT'

audit.log contains

type=AVC msg=audit(1472401978.320:161920): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"

type=SYSCALL msg=audit(1472401978.320:161920): arch=c03e syscall=1 success=no exit=-2 a0=8c a1=7fc9e2997710 a2=33 a3=fff9 items=0 ppid=2206 pid=4364 auid=4294967295 uid=30 gid=8 euid=30 suid=30 fsuid=30 egid=8 sgid=8 fsgid=8 tty=(none) ses=4294967295 comm="httpd2-prefork" exe="/usr/sbin/httpd2-prefork" key=(null)


The HANDLING_UNTRUSTED_INPUT hat is used when an apache process switches 
back from processing a request to idle (waiting for the next request).

I didn't see similar failures for other hats, so it looks like it only 
affects switching from a vhost_whatever hat (which I configured for the 
virtual host) back to HANDLING_UNTRUSTED_INPUT.

Unfortunately, this also means the process switches into the main profile 
(instead of a hat), and later gets switched into a null-* profile which 
floods the audit.log.


Michal, do you know if there were AppArmor-related patches added between 
the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel 
that could explain this problem?

Also note that I already found this error message back in 2008
http://marc.info/?l=apparmor-general=119992778825253=2
and, since then, didn't see it for a long time.

Luckily, this time apache "only" switches to the main profile instead of 
going unconfined - but this is still not nice and probably causes serious 
problems for people who have their apache profile in enforce mode (I have 
it in complain mode to avoid annoying customers, and still have a good 
monitoring and inventory list of what each virtual host does.)


As usual, I can provide more details and/or a bugreport if needed.

I'll also discuss this with the other AppArmor developers, but knowing 
if there are possibly related patches (and ideally their filename) would 
help a lot ;-)


Regards,

Christian Boltz
-- 
Our Kasper in Usenet, hallowed be thy newsgroup, thy posting
come, thy reply be done. As in Usenet, so in RL. Give us this day our
daily newsfeed and forgive us our logic, as we also forgive
the logicians. For thine is the Usenet and the MID, on Deja.com.
Amen [Peter Schlömer dateka 24.7.1999]

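One way to pull these failures out of audit.log, as an added example that is not part of the original messages: it pairs each change_hat AVC record with the SYSCALL record of the same audit event and keeps the events whose syscall failed. The sample records are constructed from the ones quoted in the first message of the thread (trimmed, one record per line); event 161921 and the hat name `vhost_example` are invented.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: event 161920 is modeled on the records quoted in the
# thread (fields trimmed); event 161921 is an invented successful change_hat,
# added so the filter has something to reject.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1472401978.320:161920): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
type=SYSCALL msg=audit(1472401978.320:161920): syscall=1 success=no exit=-2 ppid=2206 pid=4364 comm="httpd2-prefork" exe="/usr/sbin/httpd2-prefork"
type=AVC msg=audit(1472401979.100:161921): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4365 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//vhost_example"
type=SYSCALL msg=audit(1472401979.100:161921): syscall=1 success=yes exit=51 ppid=2206 pid=4365 comm="httpd2-prefork" exe="/usr/sbin/httpd2-prefork"
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key/value fields plus its event serial."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields['event'] = m.group(2)
    return fields

def failed_change_hats(audit_text):
    """Return one dict per audit event where a change_hat AVC record is
    paired with a SYSCALL record that reports success=no."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['event']][rec['type']] = rec
    failures = []
    for event, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL')
        if avc and sc and avc.get('operation') == 'change_hat' and sc.get('success') == 'no':
            # target is "<profile>//<hat>"
            profile, _, hat = avc.get('target', '').partition('//')
            code = -int(sc['exit'])
            failures.append({'event': event, 'pid': avc['pid'], 'profile': profile,
                             'hat': hat, 'errno': errno.errorcode.get(code, str(code))})
    return failures

if __name__ == '__main__':
    for f in failed_change_hats(SAMPLE_AUDIT):
        print(f"event {f['event']} pid {f['pid']}: {f['profile']} -> {f['hat']} failed ({f['errno']})")
```
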