[apparmor] Fun with mod_apparmor + keepalive + iOS

Christian Boltz apparmor at cboltz.de
Sun Mar 22 23:23:31 UTC 2015


Hello,

Am Samstag, 21. März 2015 schrieb Walter Hop:
> 1. The Apache 2.4 server must have HTTP keep-alive enabled
> 2. The client user-agent is Safari on iOS (seen 8_1_2, 8_1_3 and 8_2,
>    either iPad or iPhone)
> 3. The client visits a HTML web page with some sub resources
> 4. Some requests to sub resources are now liable to cause a file
>    access attempt from HANDLING_UNTRUSTED_INPUT, e.g. one or more
>    gif/jpg/png images.

That sounds like the reproducer I never found :-)

> Setting "KeepAlive Off" on the server stops the audit entries
> completely for many hours, so this seems a workaround.
> 
> The symptoms seem to be very similar to a thread by Christian Boltz in
> 2012:
> https://lists.ubuntu.com/archives/apparmor/2012-March/002414.html (in
> that case it's .css files, I wonder if it was ever solved?)

No, this was not solved yet - and it seems to happen for various types 
of _static_ files (css, js, pictures). 
OTOH, I never had a log entry for *.php files.

Another part of the puzzle: Setting "EnableSendfile off" (which I 
currently use) reduces the amount of strange HANDLING_UNTRUSTED_INPUT 
events a lot, but doesn't solve it completely.

> I'd be happy to experiment a bit. I couldn't yet reproduce by talking
> to port 80, however I can now get a reasonably consistent reproduce

Maybe you can sniff the HTTP traffic (using tcpdump or wireshark) to 
find the exact sequence you have to "say" when talking to port 80?

> by reloading a webpage from my iPhone in a private browsing tab.

@Steve: Now that Walter has a reliable way to reproduce this bug, can 
you please help him with debugging?

I'm on vacation next week, and would be happy to see the problem located
(or even fixed) when I come back on Saturday evening. Oh, and I'd be
even more happy if you review my pending patches! ;-)


Regards,

Christian Boltz
-- 
>Firefox 5 was pushed to 11.4 updates yesterday... Did anyone notice? :)
I saw and installed it, but sadly everything just kept working.
This is really unfair! It denies me my constitutional rights on having a
good rant! :-P [> Marcus Meissner & Stefan Seyfried in opensuse-factory]
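As an added illustration (not part of this thread or of mod_apparmor itself), the following script sorts AppArmor audit denials for an Apache profile into the class discussed above (file accesses from the HANDLING_UNTRUSTED_INPUT hat, counted by file extension) and all other denials, which deserve separate attention. The log lines are constructed samples in AppArmor's usual key="value" syslog format; the profile name /usr/sbin/httpd2-prefork and the paths are assumed.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the thread); profile and paths are assumed.
SAMPLE_LOG = """\
type=AVC msg=audit(1427066611.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/srv/www/htdocs/style.css" pid=2231 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1427066611.002:102): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" name="/srv/www/htdocs/img/logo.png" pid=2231 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1427066611.003:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork//example.org" name="/srv/www/htdocs/index.php" pid=2232 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1427066611.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//example.org" name="/srv/www/private/data.db" pid=2232 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
UNTRUSTED_HAT = "HANDLING_UNTRUSTED_INPUT"


def parse_line(line):
    """Return the key="value" fields of one audit line as a dict, or None if it is not an AppArmor event."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "apparmor" in fields and "profile" in fields else None


def hat_of(profile):
    """'/usr/sbin/httpd2-prefork//foo' -> 'foo'; a profile without a hat maps to ''."""
    return profile.split("//", 1)[1] if "//" in profile else ""


def classify(log_text):
    """Split DENIED events into those raised by the HANDLING_UNTRUSTED_INPUT hat
    (the keep-alive oddity from the thread, counted by file extension) and all others."""
    untrusted, other, ext_counts = [], [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["apparmor"] != "DENIED":
            continue
        if hat_of(ev["profile"]) == UNTRUSTED_HAT:
            untrusted.append(ev)
            base = ev.get("name", "").rsplit("/", 1)[-1]
            ext_counts[base.rsplit(".", 1)[-1].lower() if "." in base else "(none)"] += 1
        else:
            other.append(ev)
    return {"untrusted": untrusted, "other": other, "extensions": ext_counts}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print(f"{len(result['untrusted'])} denial(s) from the {UNTRUSTED_HAT} hat, by extension:")
    for ext, n in result["extensions"].most_common():
        print(f"  .{ext}: {n}")
    print(f"{len(result['other'])} other denial(s) that need a real look:")
    for ev in result["other"]:
        print(f"  {ev['profile']} -> {ev['name']}")
```

Feed it real lines with `classify(open("/var/log/audit/audit.log").read())` to see whether the denials on a host are only static files under the untrusted-input hat, as the thread describes, or something else.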
