[Apparmor-general] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Christian Boltz
apparmor at cboltz.de
Wed Jan 31 11:16:59 MST 2007
Hello,
On Monday, 29 January 2007 20:39, Seth Arnold wrote:
> On Sun, Jan 28, 2007 at 04:14:40PM +0100, Christian Boltz wrote:
> > But this doesn't mean that much - the last "Failed to change_hat to
> > 'HANDLING_UNTRUSTED_INPUT'" is some hours old. It seems it isn't
> > really reproducible. OTOH, I have seen the same error message on
> > another 10.2 server also.
[...]
> There is another possibility; it would be very low probability, but
> it could happen: the mod_apparmor shipped in 10.2 had a mistake in
> the immunix_init() function. We forgot to screen for a magic cookie
> of all-zeros:
>
> https://forgesvn1.novell.com/viewsvn/apparmor/tags/OS_10.2/changehat/mod_apparmor/mod_apparmor.c?view=markup
>
> On the first change_hat() call, we would place the process into a
> subprofile that it could never return from.
I'm not really familiar with C, so I will just believe you ;-)
> However, this magic cookie is seeded once-per-server,
Does once-per-server mean "per Apache server process" or "per machine"?
> so the chances of hitting it would be quite low.
The fact that I have seen the error message on two (of two tested)
machines suggests that there must be another problem.
But there's still Murphy ;-)
> > Which of the apache processes do you recommend to strace? [...]
>
> Drat. I hoped you had one stuck in this point right now. Hehe. :)
No, (un?)fortunately I don't have a process in this state right now.
Regards,
Christian Boltz
--
We break the translation consistently (wow, consistent break, I like
that wording) [from https://bugzilla.novell.com/show_bug.cgi?id=165509]
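
The all-zeros screening that Seth describes as missing from immunix_init(), as an added example that is not part of the original message and is not mod_apparmor's code: a cookie generator that rejects zero and fails closed instead of handing a zero cookie to change_hat(). The names `make_magic_cookie` and `entropy_fn` and the two constructed entropy sources are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entropy callback (hypothetical interface): fill buf with n bytes, 0 on success. */
typedef int (*entropy_fn)(void *buf, size_t n);

/* Real source: /dev/urandom; a short read counts as failure. */
int urandom_fill(void *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Constructed sources for demonstration: zeros on the first call only, and always. */
int zero_then_value(void *buf, size_t n)
{
    static int calls;
    memset(buf, calls++ == 0 ? 0x00 : 0x5a, n);
    return 0;
}
int always_zero(void *buf, size_t n) { memset(buf, 0, n); return 0; }

/*
 * Draw a change_hat magic cookie. Zero is rejected because, per the thread,
 * entering a hat with an all-zeros cookie leaves the process unable to return.
 * Returns 0 and stores a non-zero cookie, or -1 so the caller can fail closed.
 */
int make_magic_cookie(entropy_fn fill, unsigned int *cookie)
{
    for (int attempt = 0; attempt < 8; attempt++) {
        unsigned int candidate = 0;
        if (fill(&candidate, sizeof candidate) != 0)
            return -1;              /* no entropy: never fall back to 0 */
        if (candidate != 0) {
            *cookie = candidate;
            return 0;
        }
    }
    return -1;                      /* source keeps returning zeros */
}

int main(void)
{
    unsigned int cookie;
    if (make_magic_cookie(urandom_fill, &cookie) != 0)
        return 1;                   /* refuse to change hats */
    return 0;
}
```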