reloading profiles doesn't load all hats

Bug #1551950 reported by Christian Boltz
Affects    Status         Importance   Assigned to   Milestone
AppArmor   Fix Released   Undecided    Unassigned
2.10       Fix Released   Undecided    Unassigned

Bug Description

Reloading the profiles with "rcapparmor reload" on openSUSE doesn't reload the hats of my apache profile - afterwards, only the main profile is loaded.

I've seen similar behaviour with apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd2-prefork - but can't reproduce that at the moment. However, once rcapparmor reload broke it (only main profile loaded), apparmor_parser -r does _not_ load the hats in my profile.

Workaround: use apparmor_parser -r --skip-cache /etc/apparmor.d/usr.sbin.httpd2-prefork - not using the cache seems to ensure that all hats get loaded.

Reproducer for those who can't or don't want to use openSUSE's initscript:

# make sure the full profile is loaded (original profile from 2.10 tarball)
# also make sure the cache is up to date
apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
apparmor_parser -r --skip-cache /etc/apparmor.d/usr.sbin.apache2

# make sure everything is loaded
grep apache /sys/kernel/security/apparmor/profiles
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//phpsysinfo (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/sbin/apache2//DEFAULT_URI (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)

# unload the DEFAULT_URI and phpsysinfo hats (but keep HANDLING_UNTRUSTED_INPUT loaded)
echo '/usr/sbin/apache2//DEFAULT_URI {}' | apparmor_parser -R
echo '/usr/sbin/apache2//phpsysinfo {}' | apparmor_parser -R

# check the status (with two hats removed)
grep apache /sys/kernel/security/apparmor/profiles
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)

# (attempt to) reload the profile...
apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

# ... and check for the loaded hats
grep apache /sys/kernel/security/apparmor/profiles
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)

# reload with --skip-cache...
apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2 --skip-cache

# ... and welcome back all hats ;-)
grep apache /sys/kernel/security/apparmor/profiles
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//phpsysinfo (enforce)
/usr/sbin/apache2//DEFAULT_URI (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)

This is a regression in 2.10 - the 2.9.2 parser doesn't show this behaviour.

Christian Boltz (cboltz) wrote:

Simplified testcase:

/etc/apparmor.d/a

profile a {
    ^b {}
    ^c {}
}

apparmor_parser -r /etc/apparmor.d/a # load the profile
grep ^a /sys/kernel/security/apparmor/profiles # lists profile and both hats
echo 'profile a//b {}' | apparmor_parser -R # unload a//b (aka ^b)
apparmor_parser -r /etc/apparmor.d/a # reload from cache
grep ^a /sys/kernel/security/apparmor/profiles # will _not_ list a//b

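A post-reload check for exactly this failure mode, added here as an example (it is not part of the bug report or of AppArmor's own tooling): it parses a profile file for the names the kernel should list, the profile plus one "profile//hat" entry per hat, and reports any that are absent from the kernel listing. The two inputs are constructed to match the simplified testcase above; on a real host you would read the profile file and /sys/kernel/security/apparmor/profiles into those strings.

```python
import re

# Constructed inputs mirroring the simplified testcase: the profile file
# and a kernel listing in which the a//b hat has gone missing after reload.
PROFILE_TEXT = """profile a {
    ^b {}
    ^c {}
}
"""
KERNEL_LISTING = """a (enforce)
a//c (enforce)
"""

# Top-level header: "profile NAME {" or "/path/to/bin {" with optional flags.
HEADER_RE = re.compile(r'^\s*(?:profile\s+)?(\S+)\s*(?:flags=\([^)]*\))?\s*\{')
# Hat header inside a profile: "^NAME {" or "hat NAME {" with optional flags.
HAT_RE = re.compile(r'^\s*(?:\^|hat\s+)(\S+)\s*(?:flags=\([^)]*\))?\s*\{')


def expected_names(profile_text):
    """Names the kernel should list once profile_text is loaded: the
    profile itself plus one 'profile//hat' entry per hat. Assumes one
    header per line and counts braces per line to track nesting."""
    names, profile, depth = set(), None, 0
    for line in profile_text.splitlines():
        code = line.split('#', 1)[0]          # drop comments and #include lines
        if depth == 0 and (m := HEADER_RE.match(code)):
            profile = m.group(1)
            names.add(profile)
        elif depth == 1 and profile and (m := HAT_RE.match(code)):
            names.add(f"{profile}//{m.group(1)}")
        depth += code.count('{') - code.count('}')
    return names


def loaded_names(listing):
    """Parse /sys/kernel/security/apparmor/profiles ('name (mode)' per line)."""
    return {line.rsplit(' (', 1)[0] for line in listing.splitlines() if line.strip()}


def missing_after_reload(profile_text, listing):
    """Declared profiles/hats that the kernel does not report as loaded."""
    return sorted(expected_names(profile_text) - loaded_names(listing))


if __name__ == "__main__":
    for name in missing_after_reload(PROFILE_TEXT, KERNEL_LISTING):
        print(f"not loaded: {name}")      # prints "not loaded: a//b"
```
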
Seth Arnold (seth-arnold) wrote:

The simplified reproducer fails on Ubuntu 14.04 LTS with apparmor package 2.8.95~2430-0ubuntu5.3

Christian Boltz (cboltz) wrote:

Some more testing shows this isn't really a regression - I can reproduce it with older parser versions (including latest 2.8.x from bzr), always using the "profile a" from the previous comment.

However, with 2.10 I first noticed this bug in the "real world", so maybe something made it more likely to happen.
I have several servers that still have apparmor_parser 2.8.4, and they never showed this bug (they all have an apache profile with quite some hats, and get the profiles updated/reloaded quite often).

Christian Boltz (cboltz) wrote:

This turned out to be two bugs in one:
a) a bug in the parser - -N printed child profiles as "a://b" instead of "a//b" - fixed in trunk r3440 (for 2.11) and 2.10 branch r3325 (for 2.10.1)
b) a kernel bug (test patches are available)

Changed in apparmor:
milestone: none → 2.11
Changed in apparmor:
status: New → Fix Released