[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

Seyeong Kim seyeong.kim at canonical.com
Tue Jan 9 01:00:05 UTC 2018


** Description changed:

+ [Impact]
+ 
+ If PID is larger than 6 digits.
+ 
+ apparmor denies process.
+ 
+ this fix is committed, but not released. so all supporting version are
+ affected.
+ 
+ [Test Case]
+ 
+ 1. making pid over 6 digits
+ - i used touch command to do it
+ 2. snap install canonical-livepatch ( just picked this pkg )
+ 
+ you can see denied msg as original description
+ 
+ [Regression]
+ this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily. 
+ denied services need to be restarted after fixing this.
+ 
+ [Others]
+ 
+ revision : http://bazaar.launchpad.net/~apparmor-
+ dev/apparmor/master/revision/3722
+ 
+ [Original Description]
+ 
  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.
  
  @{pid} is defined in /etc/apparmor.d/tunables:
  @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
  
  It only covers up to 6 digits.
  
  This Ubuntu 17.04 system has:
  kernel.pid_max = 4194303
  
- And is showing 
+ And is showing
  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
  
  Which should be matched by
  @{PROC}/sys/vm/overcommit_memory r,
  in /etc/apparmor.d/abstractions/libvirt-qemu
  
  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
  (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
  
  I am aware this is a non-default configuration, but I think this should
  work.

** Tags removed: patch
** Tags added: sts-sru-needed

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Seyeong Kim (xtrusia)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.11 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  [Impact]

  If the PID is larger than 6 digits, apparmor denies the process.

  This fix is committed but not released, so all supported versions are
  affected.

  [Test Case]

  1. Make the PID go over 6 digits
  - I used the touch command to do it
  2. snap install canonical-livepatch (just picked this pkg)

  You can see the denied msg as in the original description.

  [Regression]
  This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert it manually temporarily.
  Denied services need to be restarted after fixing this.

  [Others]

  revision : http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

  [Original Description]

  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:
  @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  This Ubuntu 17.04 system has:
  kernel.pid_max = 4194303

  And is showing
  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by
  @{PROC}/sys/vm/overcommit_memory r,
  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
  (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17).

  I am aware this is a non-default configuration, but I think this
  should work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions
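The following script is an added example written for this page; it is not code from the bug report, from AppArmor, or from the upstream revision linked above. It parses the @{pid} tunable exactly as quoted in the description, turns its alternation into an anchored regex, and checks the PIDs in the quoted DENIED audit line against it, so an operator can confirm on their own host that a denial is explained by the 6-digit limit rather than by a missing profile rule. The 7-digit definition `PID_TUNABLE_7` is constructed here to cover the report's `kernel.pid_max = 4194303` (the 64-bit kernel ceiling for pid_max is 4194304, 2^22); it is an assumption about the shape of the fix, not the text of revision 3722. The audit line is the one quoted in the report.

```python
import re

# The @{pid} definition quoted in the bug report, covering only 1- to 6-digit PIDs.
PID_TUNABLE_6 = (
    "@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}"
)

# Constructed extension (an assumption, not the upstream patch text): one more
# alternative for 7-digit PIDs, enough for pid_max = 4194303 from the report.
PID_TUNABLE_7 = PID_TUNABLE_6[:-1] + ",[1-9][0-9][0-9][0-9][0-9][0-9][0-9]}"

# The DENIED audit line quoted in the bug report.
AUDIT_LINE = (
    'type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
    'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
    'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
    'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111'
)


def parse_tunable(line):
    """Split '@{name}={alt1,alt2,...}' into (name, [alt1, alt2, ...]).

    Only the flat alternation form used for @{pid} is handled; nested
    braces inside an alternative are rejected rather than misparsed.
    """
    m = re.fullmatch(r"@\{(\w+)\}=\{([^{}]*)\}", line.strip())
    if m is None:
        raise ValueError("not a flat AppArmor tunable: %r" % line)
    alternatives = [alt for alt in m.group(2).split(",") if alt]
    return m.group(1), alternatives


def tunable_regex(alternatives):
    """Build an anchored regex from the alternatives.

    Each @{pid} alternative consists solely of bracket character classes
    such as [1-9] and [0-9], which mean the same thing in AppArmor globs
    and in Python's re module, so they can be joined directly. Anything
    else (e.g. '*' or '**') is refused so the check cannot silently drift.
    """
    for alt in alternatives:
        if not re.fullmatch(r"(\[[0-9\-]+\])+", alt):
            raise ValueError("alternative uses syntax beyond character classes: %r" % alt)
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


def max_pid_digits(tunable_line):
    """Largest number of digits any alternative of the tunable can match."""
    _, alternatives = parse_tunable(tunable_line)
    return max(alt.count("[") for alt in alternatives)


def pid_matches(tunable_line, pid):
    """True if the PID, as it appears in a /proc path, is matched by @{pid}."""
    _, alternatives = parse_tunable(tunable_line)
    return tunable_regex(alternatives).match(str(pid)) is not None


def uncovered_pids_in_audit(audit_line, tunable_line):
    """Return the /proc/<pid> and /task/<tid> components of the denied path
    that the given @{pid} definition fails to match (empty list = covered)."""
    m = re.search(r'name="([^"]*)"', audit_line)
    if m is None:
        return []
    ids = re.findall(r"(?:^/proc|/task)/(\d+)", m.group(1))
    return [i for i in ids if not pid_matches(tunable_line, i)]


if __name__ == "__main__":
    print("max digits, 6-digit tunable:", max_pid_digits(PID_TUNABLE_6))
    print("2168180 matched by 6-digit tunable:", pid_matches(PID_TUNABLE_6, 2168180))
    print("uncovered with 6-digit tunable:", uncovered_pids_in_audit(AUDIT_LINE, PID_TUNABLE_6))
    print("uncovered with 7-digit tunable:", uncovered_pids_in_audit(AUDIT_LINE, PID_TUNABLE_7))
```

Run as-is, the script reports both `2168180` and `2769256` as uncovered under the quoted definition and nothing uncovered under the 7-digit one, which is the whole bug in two lines of output. To triage a live host, paste the `@{pid}=...` line from `/etc/apparmor.d/tunables/global` into `PID_TUNABLE_6` and feed it the `apparmor="DENIED"` lines from the audit log; a denial whose only uncovered component is a long PID is the tunable, not the profile, and the affected service still needs a restart once the tunable is widened, as the [Regression] section notes.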



More information about the Ubuntu-sponsors mailing list