[Apparmor-general] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Seth Arnold
seth.arnold at suse.de
Mon Jan 29 12:39:25 MST 2007
On Sun, Jan 28, 2007 at 04:14:40PM +0100, Christian Boltz wrote:
> But this doesn't mean that much - the last "Failed to change_hat to
> 'HANDLING_UNTRUSTED_INPUT'" is some hours old. It seems it isn't really
> reproducible. OTOH, I have seen the same error message on another 10.2
> server also.
>
> I'm also wondering if this could be caused by too large or complex
> profiles (like lots of hats for apache, each of them in an abstractions/*
> file) because some allowed things were logged by auditd.
> However, I'm not sure about this yet and will continue to watch the
> logfile.
There is another possibility; it would be very low probability, but it
could happen: the mod_apparmor shipped in 10.2 had a mistake in the
immunix_init() function. We forgot to screen for a magic cookie of
all-zeros:
https://forgesvn1.novell.com/viewsvn/apparmor/tags/OS_10.2/changehat/mod_apparmor/mod_apparmor.c?view=markup
On the first change_hat() call, we would place the process into a
subprofile that it could never return from.
However, this magic cookie is seeded once-per-server, so the chances of
hitting it would be quite low. (And I don't know what the error messages
would look like.)
Someday we hope to provide a library routine to retrieve a non-zero random
cookie for the caller ;) to make this bug less likely to reproduce. (As
we did in our first implementation of pam_apparmor, hehe.)
> Which of the apache processes do you recommend to strace? The process
> running as root or the wwwrun processes?
> And: Is there a way to trigger the error? I don't want to strace Apache
> for hours ;-)
Drat. I hoped you had one stuck in this point right now. Hehe. :)
Thanks Christian
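The non-zero random cookie routine Seth mentions is not on this page; the following is an added example (not mod_apparmor's or libapparmor's code) of the screen immunix_init() lacked: draw the magic cookie from /dev/urandom and reject an all-zero draw before it can reach change_hat(). The entropy source is a callback, the two scripted sources are constructed so the rejection path can be seen, and the cookie width is assumed to be unsigned int.

```c
#include <stdio.h>
#include <string.h>

/* Entropy source: fill buf with len bytes, return 0 on success, -1 on failure.
 * Injected as a callback so the all-zero rejection path can be exercised. */
typedef int (*cookie_source_fn)(void *buf, size_t len);

/* Real source: the kernel RNG via /dev/urandom (assumes a Linux-like host). */
static int urandom_source(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f)
        fclose(f);
    return got == len ? 0 : -1;
}

/* Constructed sources for demonstration: one that only ever yields zeros, and
 * one that yields all-zeros on the first draw and 0x2a2a2a2a on the second. */
static int all_zero_source(void *buf, size_t len)
{
    memset(buf, 0, len);
    return 0;
}

static int scripted_source(void *buf, size_t len)
{
    static int calls = 0;
    memset(buf, calls++ == 0 ? 0x00 : 0x2a, len);
    return 0;
}

/* The screen the 10.2 immunix_init() lacked: never hand an all-zero magic
 * cookie to change_hat(). Draw up to max_tries values and return the first
 * non-zero one; 0 means "no usable cookie", so the caller refuses to enter
 * a hat instead of entering one it can never leave. */
unsigned int pick_nonzero_cookie(cookie_source_fn src, int max_tries)
{
    unsigned int cookie;
    for (int i = 0; i < max_tries; i++) {
        if (src(&cookie, sizeof cookie) != 0)
            return 0;              /* source failure: no cookie */
        if (cookie != 0)
            return cookie;         /* the missing check: reject zero */
    }
    return 0;                      /* every draw was zero: refuse */
}

/* Once-per-server cookie from the real RNG, the way mod_apparmor seeds it. */
unsigned int nonzero_cookie(void)
{
    return pick_nonzero_cookie(urandom_source, 8);
}
```

A caller that gets 0 back should log and skip change_hat() entirely rather than enter a subprofile with a zero token.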