[apparmor] Fun with mod_apparmor + keepalive + iOS

Walter Hop security at spam.lifeforms.nl
Tue Mar 24 22:17:22 UTC 2015


Hi Christian, thanks for replying :)

> On 23 Mar 2015, at 00:23, Christian Boltz <apparmor at cboltz.de> wrote:
> 
> No, this was not solved yet - and it seems to happen for various types 
> of _static_ files (css, js, pictures). 
> OTOH, I never had a log entry for *.php files.

I tried getting an audit for a .php file and I did get an entry today on another server for /tmp/.ZendSem.xxxxxx when I quickly refreshed a PHP page a few times from an iPhone:

  apparmor="DENIED" operation="file_lock"
  profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" name="/tmp/.ZendSem.NyRiVT"
  pid=1944 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0

This is an artifact of the PHP opcache extension, so this suggests to me that also some part of mod_php5 in a vhost does some work from HANDLING_UNTRUSTED_INPUT. Probably, the file type is not pertinent but the request must be made in a certain time window while the client still has an earlier HTTP keepalive connection open.

> Maybe you can sniff the HTTP traffic (using tcpdump or wireshark) to 
> find the exact sequence you have to "say" when talking to port 80?

I saved a packet trace but I haven’t had time to look at it yet. For now I’ve disabled keepalive on all mod_apparmor machines. It could be some days before I have time to look at it more closely, but if it’s helpful to have a script that reproduces it programmatically, I’ll try to make one.

However, refreshing pages on an iPhone for a few seconds gives an easy reproduction on 2 servers for me. (Another server interestingly seems unaffected. The unaffected server is a VM on a slower SAN, so maybe its timings are different?)

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
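Added example (editor's note, not a script from the poster or from the AppArmor project): the message above describes a reproduction by hand (rapid refreshes of a PHP page from one iPhone over a still-open keepalive connection) and a single audit record showing a denial from the HANDLING_UNTRUSTED_INPUT hat. The script below does the two halves programmatically. `hammer_keepalive` sends many GET requests down one persistent HTTP/1.1 connection, so every request after the first arrives while the earlier keepalive connection is still open, which is the timing the message suspects. `find_hat_denials` then parses AppArmor audit lines and keeps only DENIED records whose profile ends in `//HANDLING_UNTRUSTED_INPUT`. The host, port, path and audit-log location are hypothetical command-line arguments; the sample log list is the record from the message, re-joined onto one line, plus one constructed non-matching record.

```python
"""Reproduce the keepalive-window request pattern and pick out audit denials
that come from the mod_apparmor HANDLING_UNTRUSTED_INPUT hat.

Added example; HOST/PORT/PATH and the audit-log path are assumptions supplied
on the command line, not values from the list message.
"""
import http.client
import re
import sys
import time

# One audit record is a sequence of key="value" or key=value fields.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        key = m.group(1)
        # group 3 is the quoted value, group 4 the bare one (pid=1944, fsuid=33).
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def find_hat_denials(lines, hat="HANDLING_UNTRUSTED_INPUT"):
    """Return the DENIED records whose profile is the given mod_apparmor hat."""
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        if f.get("profile", "").endswith("//" + hat):
            hits.append(f)
    return hits


def hammer_keepalive(host, port, path, count=50, delay=0.02):
    """Send `count` GETs for `path` down ONE persistent (keepalive) connection.

    http.client keeps the HTTP/1.1 connection open as long as the server does;
    each request after the first therefore lands while the connection from the
    previous request is still alive. Returns the list of status codes seen.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    statuses = []
    for _ in range(count):
        conn.request("GET", path, headers={"Connection": "keep-alive"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be reused
        statuses.append(resp.status)
        time.sleep(delay)
    conn.close()
    return statuses


# Constructed sample input: the record quoted in the message above (re-joined
# onto one line) and one made-up ALLOWED record from the parent profile that
# must not be reported.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="file_lock" '
    'profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" '
    'name="/tmp/.ZendSem.NyRiVT" pid=1944 comm="apache2" '
    'requested_mask="k" denied_mask="k" fsuid=33 ouid=0',
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" '
    'name="/var/www/index.php" pid=1944 comm="apache2" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
]


if __name__ == "__main__":
    # Usage: python3 repro.py HOST PORT /page.php [audit-log-file]
    # (all four arguments are assumptions; the log file is e.g. the kernel
    # or audit log on the web server, read after the requests were sent)
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    statuses = hammer_keepalive(host, port, path)
    print("sent %d requests, status codes: %s"
          % (len(statuses), sorted(set(statuses))))
    if len(sys.argv) > 4:
        with open(sys.argv[4]) as fh:
            hits = find_hat_denials(fh)
        for h in hits:
            print("denied in hat: op=%s name=%s mask=%s pid=%s"
                  % (h.get("operation"), h.get("name"),
                     h.get("denied_mask"), h.get("pid")))
```

Run the request half against a vhost with keepalive enabled, then feed the log to the second half; with keepalive disabled (as the poster did as a workaround) the same run should produce no hat denials, which makes the script a usable before/after check rather than only a reproducer.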
