[Apparmor-general] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

Seth Arnold seth.arnold at suse.de
Tue Jan 23 18:32:54 MST 2007


On Wed, Jan 24, 2007 at 12:28:16AM +0100, Christian Boltz wrote:
> Hello,
> 
> my Apache error log is flooded with error messages since I updated my 
> server to openSUSE 10.2 :-(
> 
> [Tue Jan 23 20:42:41 2007] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
> [Tue Jan 23 20:45:05 2007] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
> [Tue Jan 23 20:45:05 2007] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
> (and many more of them - 14500 lines in 4 days)

Hrm, how surprising. :/

Just to make sure, have you reloaded the policy lately? Does ps auxZ
confirm that httpd2-prefork is running in the profile you think it is?
Sadly, there's no way for us to find out from the kernel what profile is
actually being used.

Maybe strace apache for a little bit and try to find the error code? The
change_hat is implemented as writing to /proc/*/attr/current.

> Yes, the profile contains this hat, it is even in complain mode:
> 
> /usr/sbin/httpd2-prefork flags=(complain) {
>   # [...]
>   ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
>     #include <abstractions/nameservice>
> 
>     /**.htaccess r,
>     /home/httpd/vhosts/*/statistics/logs/access_log w,
>     /home/httpd/vhosts/*/statistics/logs/error_log w,
>     /var/log/apache2/* w,
>   }
>   # [... several other hats, all in complain mode ...]
> }
> 
> Any idea what could be wrong?
> 
> BTW: is it possible to have some hats in complain and some others in 
> enforce mode?

I do believe that they are independent of each other, and that we
would probably count as a bug any places where this behaviour wasn't
respected. (But it still would feel strange to me to rely on this.)
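
Added example, not part of the original message and not AppArmor project code: a shell/awk filter that picks the writes to /proc/*/attr/current out of strace output and tallies them by result, which is the error code the reply suggests looking for. The sample trace (PIDs, descriptors, write payload, errno values) is constructed for illustration, and `sample_trace` and `hat_write_summary` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed strace -f output: PIDs, fds, payload and errno values are made up.
sample_trace() {
cat <<'EOF'
[pid  4242] open("/proc/4242/attr/current", O_WRONLY) = 9
[pid  4242] write(9, "changehat <token>^HANDLING_UNTRUSTED_INPUT", 42) = -1 EACCES (Permission denied)
[pid  4242] close(9) = 0
[pid  4242] open("/var/log/apache2/error_log", O_WRONLY|O_APPEND) = 9
[pid  4242] write(9, "[error] Failed to change_hat", 28) = 28
[pid  4243] open("/proc/4243/attr/current", O_WRONLY) = 11
[pid  4243] write(11, "changehat <token>^HANDLING_UNTRUSTED_INPUT", 42) = 42
[pid  4243] close(11) = 0
[pid  4244] open("/proc/4244/attr/current", O_WRONLY) = 9
[pid  4244] write(9, "changehat <token>^HANDLING_UNTRUSTED_INPUT", 42) = -1 EINVAL (Invalid argument)
EOF
}

# Tally writes to /proc/<pid>/attr/current by result (errno name or OK).
# Descriptors are tracked per PID so a reused fd number is not miscounted.
hat_write_summary() {
  awk '
  {
    pid = "-"                          # no [pid N] prefix: single traced process
    if (match($0, /^\[pid +[0-9]+\] /)) {
      pid = substr($0, 1, RLENGTH); gsub(/[^0-9]/, "", pid)
      $0 = substr($0, RLENGTH + 1)     # strip the prefix, keep the syscall
    }
  }
  # Successful open of attr/current: remember the returned descriptor.
  /^open(at)?\(.*"\/proc\/[^"]*\/attr\/current"/ && / = [0-9]+$/ {
    hatfd[pid, $NF] = 1; next
  }
  /^close\(/ {
    fd = $0; sub(/^close\(/, "", fd); sub(/\).*/, "", fd)
    delete hatfd[pid, fd]; next
  }
  /^write\(/ {
    fd = $0; sub(/^write\(/, "", fd); sub(/,.*/, "", fd)
    if (!((pid, fd) in hatfd)) next    # write to some other file
    if (match($0, / = -1 [A-Z]+/)) fail[substr($0, RSTART + 6, RLENGTH - 6)]++
    else ok++
  }
  END { for (e in fail) print fail[e], e; print ok + 0, "OK" }
  ' | sort -k2
}

sample_trace | hat_write_summary
```

Feed it real output with something like `strace -f -p <pid> 2>&1 | hat_write_summary`; each output line is a count followed by the errno name, with successful writes counted as `OK`.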