[apparmor] Apparmor crash that takes out the system

Mark Wadham ubuntu at rkw.io
Thu Jul 28 10:38:04 UTC 2016


Hi,

I started with a very basic openvpn profile, intending to tweak it in 
complain mode:

----
#include <tunables/global>

/usr/sbin/openvpn flags=(complain, attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/nameservice>

   capability net_bind_service,

   /run/openvpn/ipredator.status rw,
   /etc/openvpn/ r,
   /etc/openvpn/** r,
   /run/openvpn/* rw,
}
----

But as soon as it's enabled in complain mode and I restart openvpn, this 
happens:

[ 2577.495476] ------------[ cut here ]------------
[ 2577.495514] WARNING: CPU: 0 PID: 17217 at 
/build/linux-dcxD3m/linux-4.4.0/security/apparmor/label.c:142 
profile_cmp+0xed/0x180()
[ 2577.495517] AppArmor WARN profile_cmp: ((!b)):
[ 2577.495521] Modules linked in:
[ 2577.495530]  xfrm_user ah6 ah4 esp6 esp4 xfrm4_mode_beet xfrm4_tunnel 
xfrm4_mode_tunnel xfrm4_mode_transport xfrm6_mode_transport 
xfrm6_mode_ro xfrm6_mode_beet xfrm6_mode_tunnel ipcomp ipcomp6 
xfrm6_tunnel tunnel6 xfrm_ipcomp af_key cast6_avx_x86_64 cast6_generic 
cts gcm ccm sha256_ssse3 sha512_ssse3 tunnel4 ppdev ipt_REJECT 
nf_reject_ipv4 xt_conntrack iptable_filter xt_tcpudp iptable_mangle 
xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
ip_tables crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 
input_leds joydev serio_raw virtio_rng deflate ctr parport_pc 
8250_fintek twofish_generic mac_hid twofish_avx_x86_64 i2c_piix4 
twofish_x86_64_3way twofish_x86_64 twofish_common camellia_generic 
camellia_aesni_avx2 camellia_aesni_avx_x86_64
[ 2577.495753]  camellia_x86_64 serpent_avx2 serpent_avx_x86_64 
serpent_sse2_x86_64 xts serpent_generic lrw gf128mul glue_helper 
blowfish_generic blowfish_x86_64 blowfish_common cast5_avx_x86_64 
cast5_generic cast_common ablk_helper cryptd des_generic cmac xcbc 
rmd160 xfrm_algo xt_TARPIT(OE) x_tables lp parport autofs4 hid_generic 
usbhid hid psmouse cirrus ttm drm_kms_helper syscopyarea sysfillrect 
sysimgblt fb_sys_fops floppy drm pata_acpi [last unloaded: tunnel6]
[ 2577.495903] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G        
    OE   4.4.0-31-generic #50-Ubuntu
[ 2577.495906] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 2577.495911]  0000000000000086 000000002a3aab03 ffff88007963fc00 
ffffffff813f1143
[ 2577.495914]  ffff88007963fc48 ffffffff81cf0788 ffff88007963fc38 
ffffffff81081102
[ 2577.495917]  ffff880034d83800 0000000000000000 000000000000000e 
0000000000000000
[ 2577.495919] Call Trace:
[ 2577.495952]  [<ffffffff813f1143>] dump_stack+0x63/0x90
[ 2577.495971]  [<ffffffff81081102>] warn_slowpath_common+0x82/0xc0
[ 2577.495993]  [<ffffffff8108119c>] warn_slowpath_fmt+0x5c/0x80
[ 2577.495998]  [<ffffffff813ffbd0>] ? u32_swap+0x10/0x10
[ 2577.496001]  [<ffffffff813906bd>] profile_cmp+0xed/0x180
[ 2577.496006]  [<ffffffff813917d3>] aa_vec_unique+0x163/0x240
[ 2577.496010]  [<ffffffff81395a47>] 
__aa_labelset_update_subtree+0x687/0x820
[ 2577.496016]  [<ffffffff8138890b>] aa_replace_profiles+0x59b/0xb70
[ 2577.496029]  [<ffffffff811ecf1e>] ? __kmalloc+0x22e/0x250
[ 2577.496033]  [<ffffffff8137d62f>] policy_update+0x9f/0x1f0
[ 2577.496035]  [<ffffffff8137d793>] profile_replace+0x13/0x20
[ 2577.496044]  [<ffffffff8120c9a8>] __vfs_write+0x18/0x40
[ 2577.496047]  [<ffffffff8120d339>] vfs_write+0xa9/0x1a0
[ 2577.496050]  [<ffffffff8120c2cf>] ? do_sys_open+0x1bf/0x2a0
[ 2577.496053]  [<ffffffff8120dff5>] SyS_write+0x55/0xc0
[ 2577.496070]  [<ffffffff8182db32>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 2577.496073] ---[ end trace 2dab4af1b3dc6ff8 ]---
[ 2577.496122] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000038
[ 2577.496328] IP: [<ffffffff813905ff>] profile_cmp+0x2f/0x180
[ 2577.496490] PGD 78962067 PUD 30a36067 PMD 0
[ 2577.496639] Oops: 0000 [#1] SMP
[ 2577.496785] Modules linked in: xfrm_user ah6 ah4 esp6 esp4 
xfrm4_mode_beet xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport 
xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet xfrm6_mode_tunnel 
ipcomp ipcomp6 xfrm6_tunnel tunnel6 xfrm_ipcomp af_key cast6_avx_x86_64 
cast6_generic cts gcm ccm sha256_ssse3 sha512_ssse3 tunnel4 ppdev 
ipt_REJECT nf_reject_ipv4 xt_conntrack iptable_filter xt_tcpudp 
iptable_mangle xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
ip_tables crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 
input_leds joydev serio_raw virtio_rng deflate ctr parport_pc 
8250_fintek twofish_generic mac_hid twofish_avx_x86_64 i2c_piix4 
twofish_x86_64_3way twofish_x86_64 twofish_common camellia_generic 
camellia_aesni_avx2
[ 2577.498244]  camellia_aesni_avx_x86_64 camellia_x86_64 serpent_avx2 
serpent_avx_x86_64 serpent_sse2_x86_64 xts serpent_generic lrw gf128mul 
glue_helper blowfish_generic blowfish_x86_64 blowfish_common 
cast5_avx_x86_64 cast5_generic cast_common ablk_helper cryptd 
des_generic cmac xcbc rmd160 xfrm_algo xt_TARPIT(OE) x_tables lp parport 
autofs4 hid_generic usbhid hid psmouse cirrus ttm drm_kms_helper 
syscopyarea sysfillrect sysimgblt fb_sys_fops floppy drm pata_acpi [last 
unloaded: tunnel6]
[ 2577.499327] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G        
W  OE   4.4.0-31-generic #50-Ubuntu
[ 2577.499530] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 2577.499746] task: ffff880038ecd280 ti: ffff88007963c000 task.ti: 
ffff88007963c000
[ 2577.499927] RIP: 0010:[<ffffffff813905ff>]  [<ffffffff813905ff>] 
profile_cmp+0x2f/0x180
[ 2577.500139] RSP: 0000:ffff88007963fcb0  EFLAGS: 00010086
[ 2577.500299] RAX: 0000000000000000 RBX: ffff880034d83800 RCX: 
0000000000000006
[ 2577.500473] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 
0000000000000009
[ 2577.500641] RBP: ffff88007963fcc0 R08: 000000000000000a R09: 
00000000000002b9
[ 2577.500821] R10: ffff8800351cc250 R11: 00000000000002b9 R12: 
0000000000000000
[ 2577.501009] R13: 000000000000000e R14: 0000000000000000 R15: 
ffff880019bbb250
[ 2577.501188] FS:  00007f27f36a2740(0000) GS:ffff88007fc00000(0000) 
knlGS:0000000000000000
[ 2577.501380] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2577.501545] CR2: 0000000000000038 CR3: 0000000035bb8000 CR4: 
00000000001406f0
[ 2577.501719] Stack:
[ 2577.501836]  000000000000000f ffff880019bbb2c8 ffff88007963fd08 
ffffffff813917d3
[ 2577.502019]  0000000119a0fce0 ffff88000000000f ffff880019bbb250 
ffff880034d83b60
[ 2577.502212]  ffff8800351cc208 ffff880019bbb200 ffff8800351cc200 
ffff88007963fd98
[ 2577.502381] Call Trace:
[ 2577.502584]  [<ffffffff813917d3>] aa_vec_unique+0x163/0x240
[ 2577.502732]  [<ffffffff81395a47>] 
__aa_labelset_update_subtree+0x687/0x820
[ 2577.502902]  [<ffffffff8138890b>] aa_replace_profiles+0x59b/0xb70
[ 2577.503079]  [<ffffffff811ecf1e>] ? __kmalloc+0x22e/0x250
[ 2577.503236]  [<ffffffff8137d62f>] policy_update+0x9f/0x1f0
[ 2577.503385]  [<ffffffff8137d793>] profile_replace+0x13/0x20
[ 2577.503540]  [<ffffffff8120c9a8>] __vfs_write+0x18/0x40
[ 2577.503695]  [<ffffffff8120d339>] vfs_write+0xa9/0x1a0
[ 2577.503841]  [<ffffffff8120c2cf>] ? do_sys_open+0x1bf/0x2a0
[ 2577.503995]  [<ffffffff8120dff5>] SyS_write+0x55/0xc0
[ 2577.504147]  [<ffffffff8182db32>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 2577.504313] Code: 00 55 48 85 ff 48 89 e5 41 54 53 49 89 f4 48 89 fb 
0f 84 8b 00 00 00 4d 85 e4 0f 84 aa 00 00 00 48 83 7b 38 00 0f 84 c9 00 
00 00 <49> 83 7c 24 38 00 0f 84 e8 00 00 00 48 83 7b 08 00 0f 84 07 01
[ 2577.507520] RIP  [<ffffffff813905ff>] profile_cmp+0x2f/0x180
[ 2577.509896]  RSP <ffff88007963fcb0>
[ 2577.512239] CR2: 0000000000000038
[ 2577.514565] ---[ end trace 2dab4af1b3dc6ff9 ]---



Similar behaviour was experienced when trying to lock down the pluto 
binary for ipsec.

Mark
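The trace quoted in the report is the only record a responder gets to work from, so the first job is to pull the facts out of it mechanically: which process and syscall reached the faulting function, whether the kernel was already tainted by out-of-tree modules, which address faulted and which registers were zero at that moment. The following Python script is an added example and is not code from the post or from the AppArmor project. SAMPLE_OOPS is a constructed, trimmed copy of the oops above with the mail-wrapped lines re-joined; the report field names are the script's own.

```python
"""Structured triage of an x86-64 kernel oops such as the one quoted above.

Added example, not code from the original post or from the AppArmor project.
"""
import re

# Constructed sample: trimmed copy of the trace in the post, wrapped lines re-joined.
SAMPLE_OOPS = """\
[ 2577.495517] AppArmor WARN profile_cmp: ((!b)):
[ 2577.495903] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G            OE   4.4.0-31-generic #50-Ubuntu
[ 2577.496122] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[ 2577.496328] IP: [<ffffffff813905ff>] profile_cmp+0x2f/0x180
[ 2577.496785] Modules linked in: xfrm_user esp4 ip_tables xt_TARPIT(OE) x_tables autofs4 [last unloaded: tunnel6]
[ 2577.499327] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G        W  OE   4.4.0-31-generic #50-Ubuntu
[ 2577.500299] RAX: 0000000000000000 RBX: ffff880034d83800 RCX: 0000000000000006
[ 2577.500821] R10: ffff8800351cc250 R11: 00000000000002b9 R12: 0000000000000000
[ 2577.501545] CR2: 0000000000000038 CR3: 0000000035bb8000 CR4: 00000000001406f0
[ 2577.502381] Call Trace:
[ 2577.502584]  [<ffffffff813917d3>] aa_vec_unique+0x163/0x240
[ 2577.502902]  [<ffffffff8138890b>] aa_replace_profiles+0x59b/0xb70
[ 2577.503079]  [<ffffffff811ecf1e>] ? __kmalloc+0x22e/0x250
[ 2577.503236]  [<ffffffff8137d62f>] policy_update+0x9f/0x1f0
[ 2577.503385]  [<ffffffff8137d793>] profile_replace+0x13/0x20
[ 2577.503995]  [<ffffffff8120dff5>] SyS_write+0x55/0xc0
[ 2577.504147]  [<ffffffff8182db32>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 2577.514565] ---[ end trace 2dab4af1b3dc6ff9 ]---
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                  # dmesg timestamp prefix
COMM_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+) Tainted: (.*?)\s+(\S+) #")
BUG_RE = re.compile(r"^BUG: unable to handle kernel .+ at ([0-9a-f]+)")
IP_RE = re.compile(r"^IP: \[<[0-9a-f]+>\] ([^+\s]+)")        # symbol holding the faulting RIP
WARN_RE = re.compile(r"^AppArmor WARN (\S+): \(\((.+?)\)\)")  # WARN_ON condition text
FRAME_RE = re.compile(r"^\[<[0-9a-f]+>\] (\? )?([^+\s]+)")   # '? ' marks an unreliable frame
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-4]): ([0-9a-f]{16})\b")
MOD_RE = re.compile(r"(\S+)\(([A-Z]+)\)")                     # module(taint letters)
SYSCALL_RE = re.compile(r"^(SyS_|sys_|__x64_sys_|entry_SYSCALL)")


def triage_oops(text):
    """Parse dmesg-style oops text into the facts a responder asks for first."""
    report = {"pid": None, "comm": None, "kernel": None, "taint_flags": set(),
              "tainting_modules": {}, "fault_addr": None, "null_deref": False,
              "faulting_symbol": None, "warn": None, "regs": {}}
    frames, in_trace = [], False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("Call Trace:"):
            frames, in_trace = [], True         # a later trace replaces an earlier one
            continue
        if line.startswith(("---[ end trace", "Code:")):
            in_trace = False
        if in_trace:
            if m := FRAME_RE.match(line):
                frames.append((m.group(2), m.group(1) is None))   # (symbol, reliable?)
        elif m := COMM_RE.match(line):
            report["pid"], report["comm"] = int(m.group(1)), m.group(2)
            report["kernel"] = m.group(4)
            # 'G' only says the modules were GPL; the taint letters are W, O, E, P, ...
            report["taint_flags"] |= set(m.group(3).replace(" ", "")) - {"G"}
        elif m := BUG_RE.match(line):
            report["fault_addr"] = int(m.group(1), 16)
            report["null_deref"] = report["fault_addr"] < 0x1000   # NULL base + field offset
        elif m := IP_RE.match(line):
            report["faulting_symbol"] = m.group(1)
        elif m := WARN_RE.match(line):
            report["warn"] = (m.group(1), m.group(2))
        elif line.startswith("Modules linked in:"):
            report["tainting_modules"].update(MOD_RE.findall(line))
        else:
            for reg, val in REG_RE.findall(line):
                report["regs"][reg] = int(val, 16)
    report["zero_regs"] = sorted(r for r, v in report["regs"].items()
                                 if v == 0 and not r.startswith("CR"))
    report["trace"] = [s for s, _ in frames]
    report["reliable_trace"] = [s for s, ok in frames if ok]
    report["syscall"] = next((s for s in report["trace"] if SYSCALL_RE.match(s)), None)
    return report


def summarize(report):
    """One-line verdict assembled only from parsed fields."""
    parts = [f"{report['comm']} (PID {report['pid']}) on {report['kernel']}"]
    if report["syscall"]:
        parts.append(f"reached from userspace via {report['syscall']}")
    if report["null_deref"]:
        parts.append(f"NULL deref at offset {report['fault_addr']:#x} in "
                     f"{report['faulting_symbol']}, zero registers: {' '.join(report['zero_regs'])}")
    if report["warn"]:
        parts.append(f"preceded by WARN in {report['warn'][0]} on ({report['warn'][1]})")
    if report["tainting_modules"]:
        parts.append("tainting modules: " + " ".join(
            f"{m}({f})" for m, f in sorted(report["tainting_modules"].items())))
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(triage_oops(SAMPLE_OOPS)))
```

Run against the trace above, the script reports that apparmor_parser reached profile_cmp through SyS_write, i.e. the write of the compiled policy into apparmorfs, and that the fault is a NULL dereference at offset 0x38 with R12 among the zero registers. That agrees with the WARN_ON that fired a moment earlier, "profile_cmp: ((!b))": the second profile pointer is NULL, and the bytes at the fault site, `<49> 83 7c 24 38 00`, decode to `cmpq $0x0,0x38(%r12)`, so the oops is the same NULL `b` being dereferenced after the warning. Two caveats for anyone filing this upstream: the `W` taint only appears in the second dump because the WARN preceded it, whereas `O` and `E` come from xt_TARPIT(OE), an out-of-tree unsigned module, and maintainers will usually ask for a reproduction without it; and because loading policy into apparmorfs requires privilege, this is a denial of service reachable from the policy loader, not from the confined program.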


