[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits
Eric Desrochers
eric.desrochers at canonical.com
Tue Jan 9 05:29:23 UTC 2018
Not quite sure now if apparmor upstream is found in launchpad[1] or
gitlab[2].
[1] https://launchpad.net/apparmor
[2] https://gitlab.com/apparmor
If it's launchpad then the URL is good.
If #2 & #3 are good (After your confirmation), then only #1, #4 and #5
are missing.
Im simply trying to anticipate & eliminate confusion before the final
upload.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1717714
Title:
@{pid} variable broken on systems with pid_max more than 6 digits
Status in AppArmor:
Fix Committed
Status in AppArmor 2.11 series:
Fix Committed
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Trusty:
New
Status in apparmor source package in Xenial:
New
Status in apparmor source package in Zesty:
New
Status in apparmor source package in Artful:
New
Status in apparmor source package in Bionic:
Confirmed
Bug description:
[Impact]
If PID is larger than 6 digits.
apparmor denies process.
this fix is committed, but not released. so all supporting version are
affected.
[Test Case]
1. making pid over 6 digits
- i used touch command to do it
2. snap install canonical-livepatch ( just picked this pkg )
you can see denied msg as original description
[Regression]
this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily.
denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg at gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this
should work.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions
More information about the Ubuntu-sponsors
mailing list