[apparmor] Fun with mod_apparmor + keepalive + iOS
security at spam.lifeforms.nl
Sat Jul 18 16:15:51 UTC 2015
> Hi Walter,
> Anything new with this? I have a similar hat mismatch, but I've never been
> able to reproduce it. Did you manage to get strace output?
I did manage to minimize my case (e.g. use a simple ‘hello world' instead of Wordpress) and still reproduce. I have strace output for a successful run versus a failing run, with the same sequence and timing of of client requests.
The traces are huge and I didn’t find a good tool to present them (like a sideways diff HTML generator), so I forgot about them. But they are here (I replaced some variables like the pid to lower the number of uninteresting diffs):
The Apache install is not completely minimal; there is still some unnecessary ‘noise’ in the traces from ModSecurity. Its delays however make reproduction much easier for me. When I disabled ModSec rules, I could reproduce much less reliably, like 1 in 100 tries, so I never got a good trace in that state.
PS: I also talked to a developer of an (unrelated) Apache module. He was quite skeptical about using the log_transaction hook in the way that we rely on for changing hats back. I didn’t find more appropriate hooks from a quick look in Apache source, but if this hook turns out to be unreliable, maybe we could try going on the Apache modules dev list and see if a more reliable hook can be added which is guaranteed to fire at a useful time. Since the request lifecycle is also undergoing architectural changes with mod_h2 coming, maybe the module will require a bit of work anyway to be future proof… But as I understood it, this shouldn’t be a whole lot.
I’ll be happy to invest more time if I can be useful.
Walter Hop | PGP key: https://lifeforms.nl/pgp
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the AppArmor