[Apparmor-general] character limits in subprofiles

John Johansen jrjohansen at verizon.net
Wed Mar 4 08:12:58 MST 2009


Ben Beuchler wrote:
> I've encountered what appears to be a known issue, as it's already
> fixed in newer releases of Apparmor (either the tools or the kernel...
> I'm not sure which).  I'm running Ubuntu 8.0.4 with a 2.6.24 x86_64
> kernel and apparmor/apparmor-utils 2.1.
> 
> The issue concerns an Apache profile with a large number of hats.
> Currently the profile has 216.  After loading the profile and its 216
> hats, "apparmor_status --profiled" says only 63 of them are active.
> After a bunch of testing, I finally tracked the problem down to the
> length of the hat names.  The shorter I made the hat names, the more
> profiles would load.  On a lark, I built a test box out with Ubuntu
> 8.10 (kernel 2.6.27, apparmor 2.3) and the problem went away.
> 
> Is this, in fact, a known bug in 2.1?  If so, can you point me to the
> documentation of the bug?  I'm hoping to talk the Ubuntu team into
> backporting the fix into the 8.0.4 LTS release.
> 
Yes, it is a known bug (sorry, I don't have time to look up the bug number
right now) in the kernel module's handling of AppArmorFS.  Basically it
will only list as many names as can fit on a VM page, so the shorter the
names the more it will list.

I will dig up the fix and post the patch this afternoon when I have more
time.

john

