[apparmor] Apache mod_apparmor problem

John Johansen john.johansen at canonical.com
Wed Aug 7 18:11:55 UTC 2013


On 08/07/2013 11:01 AM, azurIt wrote:
>> On 08/07/2013 05:29 AM, azurIt wrote:
>>> Hi,
>>>
>>> I'm trying to use mod_apparmor in Apache, but every request is creating a new profile inside the kernel, which looks like this:
>>>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
>>>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
>>>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
>>>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
>>>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
>>>
>>> and so on. There are TONS of such profiles after a few weeks of running:
>>> 42775 profiles are in complain mode.
>>>
>>> Am I doing something wrong?
>>>
>> Your profile is in complain mode, and it is not finding the requested
>> hat on its first attempt.
>>
>> Basically, complain mode in AppArmor is a learning mode: instead of
>> rejecting requests that don't have permission, it logs but allows
>> them (complains). Domain transitions are special in that when the
>> requested domain doesn't exist, it could be because it still needs
>> to be created, or it could be that the request needs to be
>> merged into the current profile. So AppArmor creates a new null-XXX
>> profile that is used to track this request.
>>
>> These request profiles are piling up because there is a bug where
>> null-XXX profiles are not being garbage collected when no longer
>> in use.
>>
>> Change the profile into enforce mode, using the aa-enforce tool
>> on the file your apache profile is in (likely)
>>
>>  aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2
>>
>> or manually, either by deleting the symlink (if it
>> exists) to the profile file in
>>  /etc/apparmor.d/complain
>>
>> or by editing the profile to remove the complain
>> flag, e.g.
>>
>>  /usr/lib/apache2/mpm-itk/apache2 (complain) {...}
>>
>> would become
>> /usr/lib/apache2/mpm-itk/apache2 {...}
> 
> 
> 
> Cool, thank you for info :)
> 

You should be able to manually remove the null- profiles by doing the
following as root:

  echo -n "/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001" > /sys/kernel/security/apparmor/.remove

and repeat for each profile.
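The removal step above is one write per profile; with 42775 of them it is worth scripting. The script below is an added example, not code from the thread or from the AppArmor project. It assumes the apparmorfs layout on the reporter's system: the loaded profiles are listed one per line as "name (mode)" in /sys/kernel/security/apparmor/profiles, and a profile is unloaded by writing its name, with no trailing newline, to /sys/kernel/security/apparmor/.remove, exactly as the echo -n line above does. Only names whose last component starts with null- are touched, so the apache2 profile and its DEFAULT_URI hat stay loaded.

```shell
#!/bin/sh
# Bulk-remove leftover AppArmor null-XXX learning profiles.
# Added example, not part of the original thread. Assumed layout:
#   $APPARMOR_FS/profiles  - one "name (mode)" line per loaded profile
#   $APPARMOR_FS/.remove   - write a profile name (no newline) to unload it
# APPARMOR_FS can be overridden, e.g. to point at a copy for a dry run.
set -u

APPARMOR_FS="${APPARMOR_FS:-/sys/kernel/security/apparmor}"

# Read a profile listing on stdin and print only the null- profile names.
# Example input line:
#   /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 (complain)
# The " (mode)" suffix is stripped; hats such as //DEFAULT_URI and the
# parent profile are not matched because they do not end in //null-N.
list_null_profiles() {
    awk '{ sub(/ \([a-z]+\)$/, ""); if ($0 ~ /\/\/null-[0-9]+$/) print }'
}

# Unload a single profile by name (must run as root on a real system).
# Returns non-zero if the kernel rejects the write.
remove_profile() {
    printf '%s' "$1" > "$APPARMOR_FS/.remove"
}

# Unload every null- profile currently listed. Prints the number removed
# on stdout; returns non-zero if any removal failed.
# The listing is snapshotted to a temp file first, so the loop runs in
# the current shell (a pipe into "while" would lose the counters) and
# does not race with the kernel rewriting the profiles listing.
remove_all_null_profiles() {
    removed=0
    failed=0
    snapshot=$(mktemp)
    list_null_profiles < "$APPARMOR_FS/profiles" > "$snapshot"
    while IFS= read -r name; do
        if remove_profile "$name"; then
            removed=$((removed + 1))
        else
            failed=$((failed + 1))
            echo "failed to remove $name" >&2
        fi
    done < "$snapshot"
    rm -f "$snapshot"
    echo "$removed"
    [ "$failed" -eq 0 ]
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    n=$(remove_all_null_profiles) || echo "some profiles were not removed" >&2
    echo "removed ${n:-0} null- profiles" >&2
fi
```

Run it as root with --run. Do this after switching the apache2 profile to enforce mode as described above; while the profile is still in complain mode, every request keeps creating fresh null- profiles and the cleanup only buys a short reprieve.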
