[Apparmor-general] character limits in subprofiles
John Johansen
jrjohansen at verizon.net
Fri Mar 6 02:44:30 MST 2009
Ben Beuchler wrote:
>>> Is this, in fact, a known bug in 2.1? If so, can you point me to the
>>> documentation of the bug? I'm hoping to talk the Ubuntu team into
>>> backporting the fix into the 8.0.4 LTS release.
>>>
>> Yes it is a known bug (sorry I don't have time to look up the bug number
>> right now) in the kernel module's handling of AppArmorFS. Basically it
>> will only list as many names as can fit on a VM page, so the shorter the
>> names the more it will list.
>>
>> I will dig up the fix and post the patch this afternoon when I have more
>> time.
>
> The reason I started down the path that led to (re)discovering this
> bug was seeing apparmor_parser -[rR] lock up and start consuming 100%
> of the CPU in an uninterruptible fashion. In my testing it appeared
> that this no longer happened as long as I had fewer profiles than the
> limit described above.
>
> Is that consistent with the bug you mentioned? Or is that an additional issue?
>
Sorry this ended up taking me so long to get back to.

Yes, this is consistent. The problem is that when it has more entries
than a page, it also messes up the locking so that profile
replacement/removal will fail, spinning on the lock that will never get
released, consuming 100% CPU. :(

The patch is attached, and I have forwarded it to Ubuntu.

john
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-apparmorfs.diff
Type: text/x-patch
Size: 3200 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-general/attachments/20090306/7cb8181e/fix-apparmorfs.bin