[Bug 228018] New: Audit backlog can cause kernel lockup
https://bugzilla.novell.com/show_bug.cgi?id=228018

           Summary: Audit backlog can cause kernel lockup
           Product: openSUSE 10.2
           Version: RC 5
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Kernel
        AssignedTo: kernel-maintainers@forge.provo.novell.com
        ReportedBy: jjohansen@novell.com
         QAContact: qa@suse.de

AppArmor, when using the audit subsystem, can overload the system with audit events, causing the kernel to lock up (https://bugzilla.novell.com/show_bug.cgi?id=221567). If AppArmor is patched to not use the audit system, or the audit subsystem is not running (rcaudit stop), the kernel will not lock up.

The system can be overloaded as described in #221567 if the netstat profile is loaded. It can also be overloaded by doing the following: load the following profile into AppArmor (apparmor_parser -r < )

    /bin/foobash {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/nameservice>

      capability dac_override,
      capability sys_ptrace,

      /** ixr,
      /dev/tty rw,
      /proc/** rw,
      /bin/foobash mr,
    }

    ln /bin/bash /bin/foobash
    foobash
    for ((i=1; i<100; i++)); do for f in /proc/[0-9]*/fd/* ; do \
      ls $f 2>/dev/null 1>/dev/null & done ; done

or netstat can be used

    for ((i=1; i<100; i++)); do netstat -tupaen & done

The number of iterations actually needed to overload the system will vary based off of the machine's memory and speed. I have not been able to generate a backtrace as sysrq is unresponsive.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=228018

jjohansen@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|kernel-maintainers@forge.provo.novell.com |tonyj@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=228018

tonyj@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=228018

User tonyj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=228018#c3

Tony Jones <tonyj@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |jjohansen@novell.com

--- Comment #3 from Tony Jones <tonyj@novell.com> 2008-05-23 12:30:01 MDT ---
Sorry, I let this slip.

My recollection is that an audit-specific bug was created out of this which was closed. Work on the backlog handling did occur in mainline; further, I believe how AppArmor does audit logging changed.

I can't reproduce any backlog issues or hangs using either of the testcases in the original comment (foobash or netstat).

John, is my memory flawed here, or is this ok to close?

https://bugzilla.novell.com/show_bug.cgi?id=228018

User jjohansen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=228018#c4

--- Comment #4 from John Johansen <jjohansen@novell.com> 2008-05-23 14:16:56 MDT ---
Mostly this was the result of two bugs, one in AppArmor and one in audit. Both bugs have been fixed in newer versions. I had been meaning to submit a fix for 10.2 so I had left this bug open.

https://bugzilla.novell.com/show_bug.cgi?id=228018

User tonyj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=228018#c5

Tony Jones <tonyj@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|tonyj@novell.com            |jjohansen@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|jjohansen@novell.com        |

--- Comment #5 from Tony Jones <tonyj@novell.com> 2008-05-23 15:58:58 MDT ---
> I had been meaning to submit a fix for 10.2 so I had left this bug open.

Not sure I grok this as the bug was assigned to me, but I defn recall there being an audit-specific bug that got forked from it. Anyways, I'll reassign it to you for your 10.2 reminder tho I doubt you can check in anything for 10.2 at this point, so you may just want to close it.

https://bugzilla.novell.com/show_bug.cgi?id=228018

User jjohansen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=228018#c6

John Johansen <jjohansen@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #6 from John Johansen <jjohansen@novell.com> 2008-05-23 16:32:00 MDT ---
Since this isn't a security related bug, at this point I am just going to close it as WONTFIX for 10.2