[apparmor] Apparmor crash that takes out the system

John Johansen john.johansen at canonical.com
Thu Jul 28 16:31:28 UTC 2016


On 07/28/2016 03:38 AM, Mark Wadham wrote:
> Hi,
> 
> Started with a very basic openvpn profile, was intending to tweak it in complain mode:

Oh that is not nice.

Is there anything special about this system? Any extra info you can add to help me trace this down?

> 
> ----
> #include <tunables/global>
> 
> /usr/sbin/openvpn flags=(complain, attach_disconnected) {
>   #include <abstractions/authentication>
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
> 
>   capability net_bind_service,
> 
>   /run/openvpn/ipredator.status rw,
>   /etc/openvpn/ r,
>   /etc/openvpn/** r,
>   /run/openvpn/* rw,
> }
> ----
> 
> But as soon as it's enabled in complain mode and I restart openvpn, this happens:
> 
> [ 2577.495476] ------------[ cut here ]------------
> [ 2577.495514] WARNING: CPU: 0 PID: 17217 at /build/linux-dcxD3m/linux-4.4.0/security/apparmor/label.c:142 profile_cmp+0xed/0x180()
> [ 2577.495517] AppArmor WARN profile_cmp: ((!b)):
> [ 2577.495521] Modules linked in:
> [ 2577.495530]  xfrm_user ah6 ah4 esp6 esp4 xfrm4_mode_beet xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet xfrm6_mode_tunnel ipcomp ipcomp6 xfrm6_tunnel tunnel6 xfrm_ipcomp af_key cast6_avx_x86_64 cast6_generic cts gcm ccm sha256_ssse3 sha512_ssse3 tunnel4 ppdev ipt_REJECT nf_reject_ipv4 xt_conntrack iptable_filter xt_tcpudp iptable_mangle xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 input_leds joydev serio_raw virtio_rng deflate ctr parport_pc 8250_fintek twofish_generic mac_hid twofish_avx_x86_64 i2c_piix4 twofish_x86_64_3way twofish_x86_64 twofish_common camellia_generic camellia_aesni_avx2 camellia_aesni_avx_x86_64
> [ 2577.495753]  camellia_x86_64 serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 xts serpent_generic lrw gf128mul glue_helper blowfish_generic blowfish_x86_64 blowfish_common cast5_avx_x86_64 cast5_generic cast_common ablk_helper cryptd des_generic cmac xcbc rmd160 xfrm_algo xt_TARPIT(OE) x_tables lp parport autofs4 hid_generic usbhid hid psmouse cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops floppy drm pata_acpi [last unloaded: tunnel6]
> [ 2577.495903] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G           OE   4.4.0-31-generic #50-Ubuntu
> [ 2577.495906] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
> [ 2577.495911]  0000000000000086 000000002a3aab03 ffff88007963fc00 ffffffff813f1143
> [ 2577.495914]  ffff88007963fc48 ffffffff81cf0788 ffff88007963fc38 ffffffff81081102
> [ 2577.495917]  ffff880034d83800 0000000000000000 000000000000000e 0000000000000000
> [ 2577.495919] Call Trace:
> [ 2577.495952]  [<ffffffff813f1143>] dump_stack+0x63/0x90
> [ 2577.495971]  [<ffffffff81081102>] warn_slowpath_common+0x82/0xc0
> [ 2577.495993]  [<ffffffff8108119c>] warn_slowpath_fmt+0x5c/0x80
> [ 2577.495998]  [<ffffffff813ffbd0>] ? u32_swap+0x10/0x10
> [ 2577.496001]  [<ffffffff813906bd>] profile_cmp+0xed/0x180
> [ 2577.496006]  [<ffffffff813917d3>] aa_vec_unique+0x163/0x240
> [ 2577.496010]  [<ffffffff81395a47>] __aa_labelset_update_subtree+0x687/0x820
> [ 2577.496016]  [<ffffffff8138890b>] aa_replace_profiles+0x59b/0xb70
> [ 2577.496029]  [<ffffffff811ecf1e>] ? __kmalloc+0x22e/0x250
> [ 2577.496033]  [<ffffffff8137d62f>] policy_update+0x9f/0x1f0
> [ 2577.496035]  [<ffffffff8137d793>] profile_replace+0x13/0x20
> [ 2577.496044]  [<ffffffff8120c9a8>] __vfs_write+0x18/0x40
> [ 2577.496047]  [<ffffffff8120d339>] vfs_write+0xa9/0x1a0
> [ 2577.496050]  [<ffffffff8120c2cf>] ? do_sys_open+0x1bf/0x2a0
> [ 2577.496053]  [<ffffffff8120dff5>] SyS_write+0x55/0xc0
> [ 2577.496070]  [<ffffffff8182db32>] entry_SYSCALL_64_fastpath+0x16/0x71
> [ 2577.496073] ---[ end trace 2dab4af1b3dc6ff8 ]---
> [ 2577.496122] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
> [ 2577.496328] IP: [<ffffffff813905ff>] profile_cmp+0x2f/0x180
> [ 2577.496490] PGD 78962067 PUD 30a36067 PMD 0
> [ 2577.496639] Oops: 0000 [#1] SMP
> [ 2577.496785] Modules linked in: xfrm_user ah6 ah4 esp6 esp4 xfrm4_mode_beet xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet xfrm6_mode_tunnel ipcomp ipcomp6 xfrm6_tunnel tunnel6 xfrm_ipcomp af_key cast6_avx_x86_64 cast6_generic cts gcm ccm sha256_ssse3 sha512_ssse3 tunnel4 ppdev ipt_REJECT nf_reject_ipv4 xt_conntrack iptable_filter xt_tcpudp iptable_mangle xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 input_leds joydev serio_raw virtio_rng deflate ctr parport_pc 8250_fintek twofish_generic mac_hid twofish_avx_x86_64 i2c_piix4 twofish_x86_64_3way twofish_x86_64 twofish_common camellia_generic camellia_aesni_avx2
> [ 2577.498244]  camellia_aesni_avx_x86_64 camellia_x86_64 serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 xts serpent_generic lrw gf128mul glue_helper blowfish_generic blowfish_x86_64 blowfish_common cast5_avx_x86_64 cast5_generic cast_common ablk_helper cryptd des_generic cmac xcbc rmd160 xfrm_algo xt_TARPIT(OE) x_tables lp parport autofs4 hid_generic usbhid hid psmouse cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops floppy drm pata_acpi [last unloaded: tunnel6]
> [ 2577.499327] CPU: 0 PID: 17217 Comm: apparmor_parser Tainted: G        W  OE   4.4.0-31-generic #50-Ubuntu
> [ 2577.499530] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
> [ 2577.499746] task: ffff880038ecd280 ti: ffff88007963c000 task.ti: ffff88007963c000
> [ 2577.499927] RIP: 0010:[<ffffffff813905ff>]  [<ffffffff813905ff>] profile_cmp+0x2f/0x180
> [ 2577.500139] RSP: 0000:ffff88007963fcb0  EFLAGS: 00010086
> [ 2577.500299] RAX: 0000000000000000 RBX: ffff880034d83800 RCX: 0000000000000006
> [ 2577.500473] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
> [ 2577.500641] RBP: ffff88007963fcc0 R08: 000000000000000a R09: 00000000000002b9
> [ 2577.500821] R10: ffff8800351cc250 R11: 00000000000002b9 R12: 0000000000000000
> [ 2577.501009] R13: 000000000000000e R14: 0000000000000000 R15: ffff880019bbb250
> [ 2577.501188] FS:  00007f27f36a2740(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
> [ 2577.501380] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2577.501545] CR2: 0000000000000038 CR3: 0000000035bb8000 CR4: 00000000001406f0
> [ 2577.501719] Stack:
> [ 2577.501836]  000000000000000f ffff880019bbb2c8 ffff88007963fd08 ffffffff813917d3
> [ 2577.502019]  0000000119a0fce0 ffff88000000000f ffff880019bbb250 ffff880034d83b60
> [ 2577.502212]  ffff8800351cc208 ffff880019bbb200 ffff8800351cc200 ffff88007963fd98
> [ 2577.502381] Call Trace:
> [ 2577.502584]  [<ffffffff813917d3>] aa_vec_unique+0x163/0x240
> [ 2577.502732]  [<ffffffff81395a47>] __aa_labelset_update_subtree+0x687/0x820
> [ 2577.502902]  [<ffffffff8138890b>] aa_replace_profiles+0x59b/0xb70
> [ 2577.503079]  [<ffffffff811ecf1e>] ? __kmalloc+0x22e/0x250
> [ 2577.503236]  [<ffffffff8137d62f>] policy_update+0x9f/0x1f0
> [ 2577.503385]  [<ffffffff8137d793>] profile_replace+0x13/0x20
> [ 2577.503540]  [<ffffffff8120c9a8>] __vfs_write+0x18/0x40
> [ 2577.503695]  [<ffffffff8120d339>] vfs_write+0xa9/0x1a0
> [ 2577.503841]  [<ffffffff8120c2cf>] ? do_sys_open+0x1bf/0x2a0
> [ 2577.503995]  [<ffffffff8120dff5>] SyS_write+0x55/0xc0
> [ 2577.504147]  [<ffffffff8182db32>] entry_SYSCALL_64_fastpath+0x16/0x71
> [ 2577.504313] Code: 00 55 48 85 ff 48 89 e5 41 54 53 49 89 f4 48 89 fb 0f 84 8b 00 00 00 4d 85 e4 0f 84 aa 00 00 00 48 83 7b 38 00 0f 84 c9 00 00 00 <49> 83 7c 24 38 00 0f 84 e8 00 00 00 48 83 7b 08 00 0f 84 07 01
> [ 2577.507520] RIP  [<ffffffff813905ff>] profile_cmp+0x2f/0x180
> [ 2577.509896]  RSP <ffff88007963fcb0>
> [ 2577.512239] CR2: 0000000000000038
> [ 2577.514565] ---[ end trace 2dab4af1b3dc6ff9 ]---
> 
> 
> 
> Similar behaviour was experienced with trying to lock down the pluto binary for ipsec.
> 
> Mark
> 



