[apparmor] Fun with mod_apparmor / HANDLING_UNTRUSTED_INPUT
Christian Boltz
apparmor at cboltz.de
Sun Mar 18 14:52:02 UTC 2012
Hello,
On Sunday, 18 March 2012, John Johansen wrote:
> On 03/17/2012 01:36 PM, Christian Boltz wrote:
> > I reported this some time ago with old versions, but now I've seen
> > it on a server with openSUSE 12.1 and AppArmor 2.7.2 again:
> >
> > The HANDLING_UNTRUSTED_INPUT hat randomly accesses files which
> > should only be accessed using the vhost's hat (vhost_something).
> > This happens rarely, IIRC it's the first time on this server (I
> > installed the server only some weeks ago, which means it is still
> > quite bored and doesn't have many vhosts).
> Well I don't know what is going on but I can come up with a few
> different scenarios and we can start hunting this problem down.
>
> Scenario 1:
> For some reason change_hat is failing and we aren't getting any
> logging out. There are two places it could fail, within the kernel or
> in the user space.
> Scenario 2:
> Something is broken in the kernel's logging and it's reporting the
> wrong profile. Maybe due to cache files. I find this unlikely as
> this behavior was seen before cache files existed but it is worth
> investigating more.
There's another detail that makes this unlikely: If apache used the
correct hat, there wouldn't be a need to log something because access to
those files would simply be allowed.
But as usual, never exclude a potential issue because it looks unlikely.
> Scenario 3:
> Apache isn't calling mod_apparmor for some reason. To track this
> down we will need some debugging in mod apparmor.
>
> Scenario 4:
> For some reason apache is trying to reuse a file that was opened in
> a vhost but wasn't closed.
I have no overlap between vhosts and the HANDLING_UNTRUSTED_INPUT hat,
so if apache is really reusing the file outside of the vhost, then we
have more than a bug in apparmor... I *hope* this option is unlikely.
> Christian, are you willing to run some libraries, modules, kernel with
> additional logging so that we can track this down?
This bug has annoyed me for years, so why do you think you need to ask? The
answer should be crystal-clear ;-)
If you have a patch for 2.7.2 that adds more logging etc., I'll happily
test it.
The only restriction is: This is a productive server, so the debugging
must not break anything. Having a little delay when the bug appears
isn't a problem, but killing apache isn't a good idea ;-)
I'd say the theory that apache leaves the vhost_something hat too early
sounds most interesting for now - on other servers (with older openSUSE
versions) I have seen write access to vhost's access_log and error_log
more than once. At least for access_log I'm sure the log is written
after the page/file has been served completely (the log includes the
number of bytes sent, so it has to be written afterwards).
In the meantime, I have

  ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
    #include <abstractions/nameservice>
    /**.htaccess r, # well, I should update this line...
    audit /home/www/*/statistics/logs/access_log w, # <---------
    audit /home/www/*/statistics/logs/error_log w, # <---------
    /proc/*/attr/current w,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,
    /var/log/apache2/error_log-20[01][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/ssl_request_log w,
  }

to allow write access to all access and error logs, but to still get a
log entry if this happens.
Sidenote:

    /var/log/apache2/error_log-20[01][0-9][01][0-9][0-3][0-9] w,

is there because I've seen a race between logrotate and reloading apache
more than once...
BTW: If you are interested in the full audit.log and apache profile, I
can send it off-list (it includes customer domains etc.)
Regards,
Christian Boltz
--
[scrolling with synaptics touchpad] I'm sorry, I couldn't realise
this feature automatically because of my sausage fingers :-D
[Tob Sch on https://bugzilla.novell.com/show_bug.cgi?id=168295]
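
Added example, not part of the original message or of AppArmor itself: a small Python filter that picks out audit.log records where the HANDLING_UNTRUSTED_INPUT hat touched a file under a vhost root, which is the symptom the audit rules above are meant to surface. The sample records are constructed, and the parent profile name /usr/sbin/httpd2-prefork, the "parent//hat" profile naming and the key="value" record layout are assumptions about the local setup.

```python
import re
from collections import Counter

HAT = "HANDLING_UNTRUSTED_INPUT"
VHOST_ROOT = re.compile(r"^/home/www/([^/]+)/")   # vhost layout as in the profile above
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare

# Constructed sample records (assumed layout; profile names, pids and paths are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1332082322.101:811): apparmor="AUDIT" operation="open" parent=2101 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.org/statistics/logs/access_log" pid=2140 comm="httpd2-prefork" requested_mask="w" fsuid=30 ouid=0
type=AVC msg=audit(1332082322.300:812): apparmor="ALLOWED" operation="open" parent=2101 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/home/www/example.org/httpdocs/index.php" pid=2140 comm="httpd2-prefork" requested_mask="r" fsuid=30 ouid=1001
type=AVC msg=audit(1332082401.555:814): apparmor="DENIED" operation="open" parent=2101 profile="/usr/sbin/httpd2-prefork//vhost_example" name="/home/www/example.org/tmp/upload" pid=2142 comm="httpd2-prefork" requested_mask="w" fsuid=30 ouid=1001
type=SYSCALL msg=audit(1332082401.555:814): arch=c000003e syscall=2 success=no pid=2142
"""

def parse(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None                     # not an AppArmor record
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def misattributed(lines, hat=HAT):
    """Yield records where the default hat accessed a file under a vhost root."""
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # Profile is "parent//hat"; without "//" the task ran in the parent profile.
        _, _, current_hat = rec.get("profile", "").partition("//")
        m = VHOST_ROOT.match(rec.get("name", ""))
        if current_hat == hat and m:
            yield {"vhost": m.group(1), "pid": rec.get("pid"),
                   "mask": rec.get("requested_mask"), "path": rec["name"],
                   "stamp": rec.get("msg", "").strip(":")}

def summarize(lines):
    """Count suspicious accesses per (vhost, requested_mask)."""
    return Counter((r["vhost"], r["mask"]) for r in misattributed(lines))

if __name__ == "__main__":
    for r in misattributed(SAMPLE_LOG.splitlines()):
        print(r["stamp"], "pid", r["pid"], r["mask"], r["path"])
    print(dict(summarize(SAMPLE_LOG.splitlines())))
```

Grouping the hits by pid and timestamp makes it easier to line them up with the vhost's own access_log entry for the same request.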