[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits
Seyeong Kim
seyeong.kim at canonical.com
Tue Jan 9 01:00:05 UTC 2018
** Description changed:
+ [Impact]
+
+ If PID is larger than 6 digits.
+
+ apparmor denies process.
+
+ this fix is committed, but not released. so all supporting version are
+ affected.
+
+ [Test Case]
+
+ 1. making pid over 6 digits
+ - i used touch command to do it
+ 2. snap install canonical-livepatch ( just picked this pkg )
+
+ you can see denied msg as original description
+
+ [Regression]
+ this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily.
+ denied services need to be restarted after fixing this.
+
+ [Others]
+
+ revision : http://bazaar.launchpad.net/~apparmor-
+ dev/apparmor/master/revision/3722
+
+ [Original Description]
+
If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
- And is showing
+ And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should
work.
** Tags removed: patch
** Tags added: sts-sru-needed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Seyeong Kim (xtrusia)
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1717714
Title:
@{pid} variable broken on systems with pid_max more than 6 digits
Status in AppArmor:
Fix Committed
Status in AppArmor 2.11 series:
Fix Committed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
[Impact]
If PID is larger than 6 digits.
apparmor denies process.
this fix is committed, but not released. so all supporting version are
affected.
[Test Case]
1. making pid over 6 digits
- i used touch command to do it
2. snap install canonical-livepatch ( just picked this pkg )
you can see denied msg as original description
[Regression]
this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily.
denied services need to be restarted after fixing this.
[Others]
revision : http://bazaar.launchpad.net/~apparmor-
dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this
should work.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions
More information about the Ubuntu-sponsors
mailing list