[apparmor] Fun with mod_apparmor + keepalive + iOS

Kees Cook kees at ubuntu.com
Sun Oct 11 03:30:49 UTC 2015


On Sat, Jul 18, 2015 at 06:15:51PM +0200, Walter Hop wrote:
> > Hi Walter,
> > 
> > Anything new with this? I have a similar hat mismatch, but I've never been
> > able to reproduce it. Did you manage to get strace output?
> 
> Hi Kees,
> 
> I did manage to minimize my case (e.g. use a simple ‘hello world' instead of Wordpress) and still reproduce. I have strace output for a successful run versus a failing run, with the same sequence and timing of of client requests.

Thanks for doing this! I haven't been able to do any more testing on my end
because I've hit a kernel bug with AppArmor under mod_apparmor. I hope to
get back to looking at your straces once I have something to test with
again. :)

> The traces are huge and I didn’t find a good tool to present them (like a sideways diff HTML generator), so I forgot about them. But they are here (I replaced some variables like the pid to lower the number of uninteresting diffs):
> http://lf.ms/apparmor/strace-ok.txt <http://lf.ms/apparmor/strace-ok.txt>
> http://lf.ms/apparmor/strace-fail.txt <http://lf.ms/apparmor/strace-fail.txt>

On a quick look, it just seems like the failed strace simply doesn't do the
changehat it needs to. :(

> The Apache install is not completely minimal; there is still some unnecessary ‘noise’ in the traces from ModSecurity. Its delays however make reproduction much easier for me. When I disabled ModSec rules, I could reproduce much less reliably, like 1 in 100 tries, so I never got a good trace in that state.

Interesting!

> PS: I also talked to a developer of an (unrelated) Apache module. He was quite skeptical about using the log_transaction hook in the way that we rely on for changing hats back. I didn’t find more appropriate hooks from a quick look in Apache source, but if this hook turns out to be unreliable, maybe we could try going on the Apache modules dev list and see if a more reliable hook can be added which is guaranteed to fire at a useful time. Since the request lifecycle is also undergoing architectural changes with mod_h2 coming, maybe the module will require a bit of work anyway to be future proof… But as I understood it, this shouldn’t be a whole lot.

Yeah, I haven't looked at the source myself yet. It seems adding a hook
would be a good way forward, though.

> I’ll be happy to invest more time if I can be useful.

Thanks and sorry for the giant delay in my reply! :)

-Kees

-- 
Kees Cook



More information about the AppArmor mailing list