[Apparmor-general] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

Sun Jan 28 08:14:40 MST 2007

Hello,

Am Mittwoch, 24. Januar 2007 02:32 schrieb Seth Arnold:
> On Wed, Jan 24, 2007 at 12:28:16AM +0100, Christian Boltz wrote:
> > my Apache error log is flooded with error messages since I updated
> > my server to openSUSE 10.2 :-(
> >
> > [Tue Jan 23 20:42:41 2007] [error] Failed to change_hat
> > to 'HANDLING_UNTRUSTED_INPUT'
> > [Tue Jan 23 20:45:05 2007] [error] Failed to change_hat
> > to 'HANDLING_UNTRUSTED_INPUT'
> > [Tue Jan 23 20:45:05 2007] [error] Failed to change_hat
> > to 'HANDLING_UNTRUSTED_INPUT'
> > (and many more of them - 14500 lines in 4 days)
>
> Hrm, how surprising. :/
>
> Just to make sure, have you reloaded the policy lately? 

Yes, lots of times.

> Does ps auxZ 
> confirm that httpd2-prefork is running in the profile you think it
> is? 

I just checked this and see all the following:

/usr/sbin/httpd2-prefork        root     31597  0.0  1.4 282320 14680 ?        Ss   Jan27   0:11 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 3663 0.2  2.0 294348 21512 ? S 15:34   0:03 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 3665 0.1  2.2 295584 23128 ? S 15:34   0:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 3834 0.0  1.4 286360 15400 ? S 15:36   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 6178 0.3  3.5 307392 36128 ? S 15:44   0:03 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 6268 0.2  3.5 307360 36188 ? S 15:47   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 7013 0.5  2.9 300820 29932 ? S 15:48   0:03 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 7015 0.3  2.0 291660 20704 ? S 15:48   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 7017 0.2  2.0 291888 20956 ? S 15:48   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 7019 0.3  3.5 307096 35976 ? S 15:48   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT wwwrun 7088 0.0  1.2 283688 13044 ? S 15:51   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL

But this doesn't mean that much - the last "Failed to change_hat to
'HANDLING_UNTRUSTED_INPUT'" is some hours old. It seems it isn't really
reproducable. OTOH, I have seen the same error message on another 10.2
server also.

I'm also wondering if this could be caused by too large or complex
profiles (like lots of hats for apache, each of them in a abstractions/*
file) because some allowed things were logged by auditd.
However, I'm not sure about this yet and will continue to watch the
logfile.

> Maybe strace apache for a little bit and try to find the error code?
> The change_hat is implemented as writing to /proc/*/attr/current.

Which of the apache processes do you recommend to strace? The process
running as root or the wwwrun processes?
And: Is there a way to trigger the error? I don't want to strace Apache
for hours ;-)

> > BTW: is it possible to have some hats in complain and some others
> > in enforce mode?
>
> I do believe that they are independent of each other, and that we
> would probably count as a bug any places where this behaviour wasn't
> respected. (But it still would feel strange to me to rely on this.)

I understand this as "it's safe enough to avoid that customers do bad 
things" - and it's much safer than running without AppArmor ;-)

Regards,

Christian Boltz
-- 
"DOS=HIGH ...I knew it was on something!"
                    (UNIX user, while reading C:\CONFIG.SYS)