[Bug 1000287] New: [patch] AppArmor change_hat failures
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287

Bug ID: 1000287
Summary: [patch] AppArmor change_hat failures
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
Found By: Beta-Customer
Blocker: ---

Some AppArmor-related changes in kernel 3.12 introduced a regression that causes change_hat failures after reloading the profiles. This is especially problematic when confining Apache with mod_apparmor (it's nearly a showstopper for this - luckily, restarting Apache after reloading the profiles helps).

You can read the full story at
http://lists.rosenauer.org/pipermail/evergreen/2016-August/001937.html and
http://lists.rosenauer.org/pipermail/evergreen/2016-September/001939.html

The reproducer is:
- set up apache to use mod_apparmor with some hats
- create an AppArmor profile for apache with the needed hats
- reboot (just to ensure a defined state)
- rcapache restart
- apparmor_parser -r /etc/apparmor.d
- open your browser, access one or two pages hosted on that webserver

You'll find several

  $TIMESTAMP [apparmor:error] [pid 2767] (2) No such file or directory: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

messages in /var/log/apache2/error_log.

On the positive side, there's already a patch from John Johansen to fix this:
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:open...
https://build.opensuse.org/package/show/home:jrjohansen:branches:Kernel:stab...

The added patch is patches.apparmor.tar.bz2/0001-apparmor-fix-change_hat-not-finding-hat-after-policy.patch (same patch for both, see "link diff").

I already tested the patched kernel for 42.2 on multiple servers and can confirm that it works and fixes the issue.

Please add this patch to the openSUSE kernels. You'll probably need it for all kernels >= 3.12, including the 13.1 Evergreen kernel (which is based on SLE AFAIK).

-- You are receiving this mail because: You are on the CC list for the bug.
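A small log check, added here as an example and not part of the bug report or of the kernel patch: it counts the mod_apparmor change_hat failures in an Apache error_log and lists which hats failed, so an administrator can confirm the regression after a profile reload and verify that restarting Apache (the workaround) or running the patched kernel cleared it. The sample log lines below are constructed; the only assumption is the message format quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): scan an Apache error_log for
# mod_apparmor change_hat failures of the kind described above.
# Usage on a real system: count_change_hat_failures /var/log/apache2/error_log

count_change_hat_failures() {
    # Prints the number of "Failed to change_hat" lines in the given log.
    # grep -c exits 1 when the count is 0, so "|| true" keeps "set -e" quiet.
    grep -c 'Failed to change_hat to' "$1" || true
}

list_failed_hats() {
    # Prints the distinct hat names that failed, one per line, so the admin
    # can compare them against the hats defined in the apache profile.
    sed -n "s/.*Failed to change_hat to '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Constructed sample log (not real data) so the functions run offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Sep 15 10:00:01 2016] [mpm_prefork:notice] [pid 2700] AH00163: resuming normal operations
[Thu Sep 15 10:00:05 2016] [apparmor:error] [pid 2767] (2) No such file or directory: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu Sep 15 10:00:05 2016] [apparmor:error] [pid 2767] (2) No such file or directory: Failed to change_hat to 'example.com'
[Thu Sep 15 10:00:06 2016] [apparmor:error] [pid 2768] (2) No such file or directory: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
EOF

echo "change_hat failures: $(count_change_hat_failures "$SAMPLE_LOG")"
echo "hats that failed:"
list_failed_hats "$SAMPLE_LOG"
```

Run the check once right after `apparmor_parser -r /etc/apparmor.d` and some requests to the server, and again after `rcapache restart`: on an affected kernel the count grows only in the first run.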
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c1
--- Comment #1 from Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c2
--- Comment #2 from Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c5
--- Comment #5 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c6
--- Comment #6 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c8
--- Comment #8 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c9
--- Comment #9 from Goldwyn Rodrigues
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c12
--- Comment #12 from Christian Boltz
Fix present in openSUSE-42.2/SLE12-SP2.
Can you please check the 42.2 kernel again? The kernel-default-4.4.24-1.1 changelog does not contain any traces of this patch (I looked for the patch description and the bug number), and the last changelog entry is some days newer than your comment.
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c13
--- Comment #13 from Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c15
--- Comment #15 from Christian Boltz
This is an autogenerated message for OBS integration:
This bug (1000287) was mentioned in
https://build.opensuse.org/request/show/435703 Factory / kernel-source

I just did. The patch series from bug 1000304 is included, but I can't find any reference to this bug, so I'm afraid it's still missing from the 42.2 kernel. (SR 435703 to Factory includes the patch, changelog date Oct 5)
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c16
--- Comment #16 from Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1000287#c17
--- Comment #17 from Goldwyn Rodrigues