[apparmor] Apparmor crash that takes out the system
Mark Wadham
ubuntu at rkw.io
Thu Jul 28 19:31:48 UTC 2016
On 28 Jul 2016, at 17:32, Mark Wadham wrote:
> If the profile doesn't cause a crash immediately for you let me know
> and I'll play around with a fresh vm and see if I can reproduce it
> there.
Ok it's reproducible on a vm with an almost fresh installation of
16.04.1.
Steps:
1. Configure a vpn (sorry, doesn't seem to trigger if there's no vpn
configured). I'm using a public vpn service but I'd assume anything
would do. Make sure the vpn comes up.
2. Set this profile for usr.sbin.openvpn:
----
#include <tunables/global>

/usr/sbin/openvpn flags=(complain, attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,

  /run/openvpn/ipredator.status rw,
  /etc/openvpn/ r,
  /etc/openvpn/** r,
  /run/openvpn/* rw,
}
----
3. Set the profile to complain mode, restart openvpn.
4. Wait till the vpn comes up, then:
# apparmor_parser -r /etc/apparmor.d/usr.sbin.openvpn ; service openvpn restart
then really quickly type:
# dmesg
and you should see the panic just before the box becomes unreachable.
Not sure if all these steps are necessary but this is triggering it for
me.
Mark