You have been subscribed to a public bug by Seyeong Kim (xtrusia):

[Impact]

If a PID is larger than 6 digits, AppArmor denies the process.

This fix is committed but not released, so all supported versions are
affected.

[Test Case]

1. Make a PID over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)

You can see the denied message as in the original description.

[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if
there is a regression, we can revert it manually temporarily.
Denied services need to be restarted after fixing this.

[Others]

revision : http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

[Original Description]

If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.

@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

It only covers up to 6 digits.

This Ubuntu 17.04 system has:
kernel.pid_max = 4194303

And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" 
profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" 
name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" 
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu

I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

I am aware this is a non-default configuration, but I think this should
work.

** Affects: apparmor
     Importance: Undecided
         Status: Fix Committed

** Affects: apparmor/2.11
     Importance: Undecided
         Status: Fix Committed

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: aa-policy sts-sru-needed
-- 
@{pid} variable broken on systems with pid_max more than 6 digits
https://bugs.launchpad.net/bugs/1717714
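As an added illustration (not part of the bug report and not code from the AppArmor project): a small Python check that compiles the @{pid} tunable quoted above into a regex, tests it against PIDs of different lengths, including the 7-digit pid and tid from the DENIED audit record in the report, and compares the number of digits the tunable covers with what kernel.pid_max requires (PIDs run from 1 to pid_max-1). The 7-digit definition produced by build_pid_tunable(7) is my assumption of the shape the fix takes (pid_max on 64-bit kernels is capped at 4194304, which needs 7 digits); it is not text copied from revision 3722.

```python
import re

# The @{pid} definition quoted in the bug report (from /etc/apparmor.d/tunables).
PID_TUNABLE_6_DIGITS = (
    "@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}"
)

# Audit record copied from the report (wrapped onto one line).
AUDIT_LINE = (
    'type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
    'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
    'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
    'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111'
)

_TUNABLE_RE = re.compile(r"@\{\w+\}=\{([^}]*)\}")


def build_pid_tunable(max_digits):
    """Generate an @{pid} definition matching 1..max_digits digits with no leading zero.
    build_pid_tunable(6) reproduces the buggy definition; 7 is the assumed shape of the fix."""
    alts = ["[1-9]" + "[0-9]" * n for n in range(max_digits)]
    return "@{pid}={" + ",".join(alts) + "}"


def tunable_to_regex(definition):
    """Compile the subset of AppArmor variable syntax used by @{pid} into a Python regex:
    `@{name}={alt,alt,...}` where every alternative is a run of single-digit bracket classes."""
    m = _TUNABLE_RE.fullmatch(definition.strip())
    if m is None:
        raise ValueError("unsupported tunable syntax: " + definition)
    alts = m.group(1).split(",")
    for alt in alts:
        if not re.fullmatch(r"(\[[0-9]-[0-9]\])+", alt):
            raise ValueError("unsupported alternative: " + alt)
    # Bracket classes mean the same thing in AppArmor globs and in Python re.
    return re.compile("(?:" + "|".join(alts) + ")")


def matches_pid(definition, pid):
    """True if this @{pid} definition would match the pid component of a /proc/<pid>/... path."""
    return tunable_to_regex(definition).fullmatch(str(pid)) is not None


def max_digits_covered(definition):
    """Longest PID (in digits) the definition can match: bracket classes in the longest alternative."""
    m = _TUNABLE_RE.fullmatch(definition.strip())
    if m is None:
        raise ValueError("unsupported tunable syntax: " + definition)
    return max(alt.count("[") for alt in m.group(1).split(","))


def digits_needed(pid_max):
    """Digits required for the largest PID the kernel can allocate; pid_max itself is exclusive."""
    return len(str(pid_max - 1))


def uncovered_pid_lengths(definition, pid_max):
    """PID lengths (in digits) that kernel.pid_max allows but the definition does not match."""
    return list(range(max_digits_covered(definition) + 1, digits_needed(pid_max) + 1))


def proc_ids_in_denied_path(audit_line):
    """Pull the numeric path components (pid, tid) out of the name= field of a DENIED record."""
    name = re.search(r'name="([^"]*)"', audit_line).group(1)
    return [int(x) for x in re.findall(r"/(\d+)(?=/|$)", name)]


if __name__ == "__main__":
    ids = proc_ids_in_denied_path(AUDIT_LINE)
    print("ids in denied path:", ids)
    print("6-digit tunable matches them:", [matches_pid(PID_TUNABLE_6_DIGITS, i) for i in ids])
    print("lengths not covered at pid_max=4194303:",
          uncovered_pid_lengths(PID_TUNABLE_6_DIGITS, 4194303))
    fixed = build_pid_tunable(7)
    print("7-digit tunable matches them:", [matches_pid(fixed, i) for i in ids])
    print("lengths not covered after fix:", uncovered_pid_lengths(fixed, 4194303))
```

Run against the default pid_max of 32768 the 6-digit tunable reports nothing uncovered, which is why the problem only shows up once kernel.pid_max is raised; uncovered_pid_lengths() is the check to add to a policy review whenever that sysctl is tuned.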