[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

Seyeong Kim seyeong.kim at canonical.com
Tue Jan 9 09:57:04 UTC 2018


** Patch added: "lp1717714_zesty.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033300/+files/lp1717714_zesty.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.11 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Trusty:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Zesty:
  New
Status in apparmor source package in Artful:
  New
Status in apparmor source package in Bionic:
  Confirmed

Bug description:
  [Impact]

  If PID is larger than 6 digits.

  apparmor denies process.

  this fix is committed, but not released. so all supporting version are
  affected.

  [Test Case]

  1. making pid over 6 digits
  - i used touch command to do it
  2. snap install canonical-livepatch ( just picked this pkg )

  you can see denied msg as original description

  [Regression]
  this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily.
  denied services need to be restarted after fixing this.

  [Others]

  * Upstream commit:
   https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747

  * commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
  Author: Vincas Dargis <vindrg at gmail.com>
  Date:   Sat Sep 30 15:28:15 2017 +0300

      Allow seven digit pid

  * Affecting releases : TXZAB
  --------------------------------------------------------------------------
  $ git describe --contains 630cb2a9
  v2.11.95~5^2

  $ rmadison apparmor
   apparmor | 2.8.95~2430-0ubuntu5       | trusty
   apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
   apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
   apparmor | 2.10.95-0ubuntu2           | xenial
   apparmor | 2.10.95-0ubuntu2.6         | xenial-security
   apparmor | 2.10.95-0ubuntu2.7         | xenial-updates
   apparmor | 2.11.0-2ubuntu4            | zesty
   apparmor | 2.11.0-2ubuntu17           | artful
   apparmor | 2.11.0-2ubuntu18           | bionic

  $ rmadison -u debian apparmor
   apparmor   | 2.11.1-4         | unstable
  --------------------------------------------------------------------------

  * Revision :
  http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

  [Original Description]

  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:
  @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  This Ubuntu 17.04 system has:
  kernel.pid_max = 4194303

  And is showing
  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by
  @{PROC}/sys/vm/overcommit_memory r,
  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
  (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

  I am aware this is a non-default configuration, but I think this
  should work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions



More information about the Ubuntu-sponsors mailing list