[Apparmor-general] character limits in subprofiles
Ben Beuchler
insyte at gmail.com
Wed Mar 4 08:46:20 MST 2009
Hallelujah! Thank you.
-Ben
On Wed, Mar 4, 2009 at 9:12 AM, John Johansen <jrjohansen at verizon.net> wrote:
> Ben Beuchler wrote:
>> I've encountered what appears to be a known issue, as it's already
>> fixed in newer releases of Apparmor (either the tools or the kernel...
>> I'm not sure which). I'm running Ubuntu 8.0.4 with a 2.6.24 x86_64
>> kernel and apparmor/apparmor-utils 2.1.
>>
>> The issue concerns an Apache profile with a large number of hats.
>> Currently the profile has 216. After loading the profile and its 216
>> hats, "apparmor_status --profiled" says only 63 of them are active.
>> After a bunch of testing, I finally tracked the problem down to the
>> length of the hat names. The shorter I made the hat names, the more
>> profiles would load. On a lark, I built a test box out with Ubuntu
>> 8.10 (kernel 2.6.27, apparmor 2.3) and the problem went away.
>>
>> Is this, in fact, a known bug in 2.1? If so, can you point me to the
>> documentation of the bug? I'm hoping to talk the Ubuntu team into
>> backporting the fix into the 8.0.4 LTS release.
>>
> Yes it is a known bug (sorry I don't have time to look up the bug number
> right now) in the kernel module's handling of AppArmorFS. Basically it
> will only list as many names as can fit on a VM page, so the shorter the
> names the more it will list.
>
> I will dig up the fix and post the patch this afternoon when I have more
> time.
>
> john
>
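The page-limit behaviour described in the reply above, as an added example that is not part of the thread and is not AppArmor code: it models a listing that stops once one page is full and audits a listing against the names a profile is expected to load. The 4096-byte page size, the `name (mode)` line format, the `//` hat separator and all hat names are assumptions or constructed sample data.

```python
import re

PAGE_SIZE = 4096  # assumption: 4 KiB VM page, as on x86_64
# Assumed listing format: one "name (enforce)" or "name (complain)" per line.
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

def parse_listing(text):
    """Return {profile_name: mode} from a profiles listing."""
    loaded = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loaded[m.group("name")] = m.group("mode")
    return loaded

def audit(listing, expected, mode="enforce", page_size=PAGE_SIZE):
    """Compare expected names with the listing; flag page-limit truncation."""
    loaded = parse_listing(listing)
    missing = [n for n in expected if n not in loaded]
    size = len(listing.encode())
    # If even the shortest omitted line cannot fit in what is left of the
    # page, the listing stopped because the page was full.
    shortest = min((len(f"{n} ({mode})\n".encode()) for n in missing), default=0)
    truncated = bool(missing) and size <= page_size < size + shortest
    return {"listed": len(loaded), "missing": missing,
            "bytes": size, "page_truncated": truncated}

def simulate_page_limited_listing(names, mode="enforce", page_size=PAGE_SIZE):
    """Constructed model of the bug: emit whole lines until the page is full."""
    out = ""
    for n in names:
        line = f"{n} ({mode})\n"
        if len((out + line).encode()) > page_size:
            break
        out += line
    return out

# Constructed sample: one Apache profile with 216 hats, long vs. short names.
LONG = [f"/usr/sbin/apache2//customer-site-{i:03d}.example.com" for i in range(216)]
SHORT = [f"/usr/sbin/apache2//s{i:03d}" for i in range(216)]

if __name__ == "__main__":
    for label, names in (("long", LONG), ("short", SHORT)):
        r = audit(simulate_page_limited_listing(names), names)
        print(label, r["listed"], "listed,", r["bytes"], "bytes,", r["page_truncated"])
```

A listing that is short for some other reason (a hat that failed to load, for instance) is reported as missing but not as page-truncated, which separates a reporting limit from a real enforcement gap.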