** Description changed:
- after switching locking in apache/PHP/APC from shared-memory based to
- fcntl() we observed that apparmor (running in audit mode) leaks memory
- inside kernel like crazy:
+ Apparmor is leaks memory when unlinked files are locked by confined
+ processes.
- MemTotal: 2062736 kB
- MemFree: 16160 kB
- Buffers: 496 kB
- Cached: 7120 kB
- SwapCached: 3256 kB
- Active: 6064 kB
- Inactive: 4824 kB
- SwapTotal: 979924 kB
- SwapFree: 967772 kB
- Dirty: 104 kB
- Writeback: 0 kB
- AnonPages: 2592 kB
- Mapped: 2036 kB
- Slab: 2011664 kB
- SReclaimable: 2092 kB
- SUnreclaim: 2009572 kB
- PageTables: 1228 kB
- NFS_Unstable: 0 kB
- Bounce: 0 kB
- CommitLimit: 2011292 kB
- Committed_AS: 62204 kB
- VmallocTotal: 34359738367 kB
- VmallocUsed: 16440 kB
- VmallocChunk: 34359721743 kB
- HugePages_Total: 0
- HugePages_Free: 0
- HugePages_Rsvd: 0
- HugePages_Surp: 0
- Hugepagesize: 2048 kB
+ TEST CASE
+
+ Confining the following program:
+
+ #include <stdio.h>
+ #include <unistd.h>
+
+ int main(void)
+ {
+ int i;
+ int fd = open("/tmp/.lockfile", O_RDWR|O_CREAT);
+ unlink("/tmp/.lockfile");
+
+ fork();
+ fork();
+ fork();
+ fork();
+
+ for (i = 0; i < 5000; i++) {
+ struct flock lock;
+ lock.l_type = F_WRLCK;
+ lock.l_start = 0;
+ lock.l_whence = SEEK_END;
+ lock.l_len = 0;
+ fcntl(fd,F_SETLKW, &lock);
+ lock.l_type = F_UNLCK;
+ fcntl(fd, F_SETLKW, &lock);
+ }
+
+ return 0;
+ }
+
+ with an apparmor policy similar to the following (place the policy in
+ /etc/apparmor.d and then do 'sudo /etc/init.d/apparmor restart' to
+ reload policy):
+
+ #include <tunables/global>
+ /PATH/TO/YOUR/COMPILED/BINARY flags=(audit) {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ # Major libs
+ /lib/ld-*.so mr,
+ /lib/libc-*.so mr,
+ /lib/libpthread-*.so mr,
+ /lib/librt-*.so mr,
+
+ /tmp/* rwk,
+
+ }
+
+ (You'll need to change /PATH/TO/YOUR/COMPILED/BINARY in the above
+ profile to point the location of the compiled program.)
+
+ While running slabtop in another terminal, run the program.
+ Without the fix, slabtop should see an increase use of kernel memory,
typically the kamlloc-256 slab.
+ With the fix in place, there shouldn't be much change in slabtop's reported
output.
+
+ /var/log/messages should get a number of audit events (this confirms
+ that confinement is applied to the binary in question).
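Review bot: the test program in the new description does not compile as written: `open()`, `fcntl()`, `O_RDWR`, `O_CREAT` and `F_WRLCK` all require `#include <fcntl.h>`, and `open()` with `O_CREAT` needs a third mode argument, e.g. `int fd = open("/tmp/.lockfile", O_RDWR|O_CREAT, 0600);`, otherwise the created file gets whatever happens to be on the stack as its mode. The four `fork()` calls give 16 processes contending for the same write lock on the unlinked file, which is what drives the slab growth; stating that in the description would make the expected scale of the leak clearer. Wording nits: "Apparmor is leaks memory" should read "AppArmor leaks memory", "increase use" should be "increased use", and the slab is `kmalloc-256`, not `kamlloc-256`.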
--
locks on unlinked files leak memory in apparmor
https://bugs.launchpad.net/bugs/329489
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs