** Description changed:
[Impact]
If PID is larger than 6 digits.
apparmor denies process.
this fix is committed, but not released. so all supporting version are
affected.
[Test Case]
1. making pid over 6 digits
- - i used touch command to do it
- 2. snap install canonical-livepatch ( just picked this pkg )
+ #!/bin/bash
- you can see denied msg as original description
+ for i in {1..1000000}
+ do
+ touch t
+ done
+
+ 2. snap install --dangerous core_16-2.29.4.2_amd64.snap ( snap core
+ 16-2.30 avoids using /proc/PID/cmdline, so need to use older version
+
+ 3. you can see DENIED msgs in syslog
+
+ 4. change /etc/apparmor.d/tunables/kernelvars
+ 5. service apparmor restart
+ 6. service snapd restart
+ 7. DENIED is gone
+
+ This is one way, can't reproduce this issue again even if you change
+ back to original kernelvars, and restart snapd
[Regression]
this fix changes regex only, i don't think there is severe regression. also
if there is regression, we can revert manually temporarily.
denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <[email protected]>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open"
profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3"
name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should
work.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1717714
Title:
@{pid} variable broken on systems with pid_max more than 6 digits
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
