[apparmor] apparmor="KILLED" messages

Walter Hop security at spam.lifeforms.nl
Fri Jan 2 22:26:16 UTC 2015


Hi all,

I'm new to AppArmor. So far I'm loving it, and one of my new year’s resolutions is to confine all the things!

I am needing some reassurance on one weird log entry I’m seeing with Apache. AppArmor and mod_apparmor work great with it, but I noticed that sometimes I get an apparmor="KILLED" log entry such as the following:

Jan  2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 audit(1420227930.887:5141): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" pid=32342 comm="apache2" target="/usr/sbin/apache2"

It looks sorta scary, but from my tests, AppArmor is functioning normally. I reproduced the message by overloading Apache with a stress test, and then afterwards I see it happening at regular intervals as Apache throttles down and kills the worker processes that it no longer needs. (There are no DENIED messages.)

So, it seems the apparmor="KILLED" message might be benign in this case, but before proceeding with putting AppArmor into production, I’d like to know:  Can I safely ignore these messages, or do they warrant debugging?

Configuration: Apache 2.4.10 in chroot, mod_apparmor compiled from 2.9.0 source, Ubuntu 12.04 LTS. 

Thanks for any input!

WH

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
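
Added example, not part of the original post: a small triage script that parses AppArmor audit lines like the one quoted above and lists the PIDs that logged KILLED without any DENIED entry, which is the check the post describes doing by eye. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# SAMPLE[0] is the entry quoted in the post; every other line is constructed.
HAT = 'profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT"'
SAMPLE = [
    'Jan  2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 '
    'audit(1420227930.887:5141): apparmor="KILLED" operation="change_hat" '
    + HAT + ' pid=32342 comm="apache2" target="/usr/sbin/apache2"',
    'type=1400 audit(1420227990.100:5150): apparmor="DENIED" operation="open" '
    + HAT + ' name="/constructed/example.txt" pid=32350 comm="apache2" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    'type=1400 audit(1420227991.200:5151): apparmor="KILLED" operation="change_hat" '
    + HAT + ' pid=32350 comm="apache2" target="/usr/sbin/apache2"',
    'Jan  2 20:47:00 ubuntutest kernel: [60258.000000] constructed non-audit line',
]

AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the AppArmor audit fields of one log line as a dict, or None."""
    m = AUDIT_RE.search(line)
    if not m or 'apparmor=' not in m.group(3):
        return None
    event = {'epoch': float(m.group(1)), 'serial': int(m.group(2))}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        event[key] = bare or quoted  # exactly one of the two groups is non-empty
    return event

def summarize(lines):
    """Parse all lines; count events by (verdict, operation, profile)."""
    events = [e for e in map(parse_event, lines) if e]
    key = lambda e: (e.get('apparmor'), e.get('operation'), e.get('profile'))
    return events, Counter(map(key, events))

def killed_without_denial(events):
    """PIDs with a KILLED entry and no DENIED entry in the same log."""
    by_verdict = lambda v: {e.get('pid') for e in events if e.get('apparmor') == v}
    return sorted(by_verdict('KILLED') - by_verdict('DENIED'))

if __name__ == '__main__':
    events, counts = summarize(SAMPLE)
    for (verdict, op, profile), n in counts.most_common():
        print(n, verdict, op, profile)
    print('KILLED with no DENIED, pids:', killed_without_denial(events))
```

The script only sorts log entries; it does not decide whether a KILLED entry is benign.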
