Mailinglist Archive: opensuse-bugs (5243 mails)

< Previous Next >
[Bug 807104] 12.3 RC2: apparmor nscd bad profile

https://bugzilla.novell.com/show_bug.cgi?id=807104

https://bugzilla.novell.com/show_bug.cgi?id=807104#c5


--- Comment #5 from Christian Boltz <suse-beta@xxxxxxxxx> 2013-03-05 01:56:25
CET ---
Created an attachment (id=528074)
--> (http://bugzilla.novell.com/attachment.cgi?id=528074)
IRC log from #apparmor

This bug is very interesting[tm] and I was able to keep up to 3 AppArmor
developers busy for some hours to debug this ;-)

I found out that nscd requests block_suspend _on exit_. I was able to trigger a
DENIED message with "rcnscd stop" - but it doesn't happen every time, you might
need to try 5 or 10 times. (Of course, you always have to start nscd before
stopping it ;-)

When block_suspend was DENIED, I also got this log line:
type=SYSCALL msg=audit(1362440326.547:629): arch=c000003e syscall=233
success=yes exit=0 a0=10 a1=2 a2=11 a3=0 items=0 ppid=1 pid=15656
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
ses=4294967295 tty=(none) comm="nscd" exe="/usr/sbin/nscd" key=(null)

<jjohansen> this is definitely happening in epoll_ctl syscall so it is cap
BLOCK_SUSPEND, we just haven't established why EPOLLWAKEUP is set, whether its
intentional or not properly cleared mem

AJ, I'm attaching the IRC log - if you want to dig into this, you'll find some
technical details in it. (Probably the last ~50 lines are the most interesting
part for you.)


That said, I'll add
+ deny capability block_suspend,
to the profile to _deny_ the capability (since not only you were surprised it's
needed) to silence the log. Any objections?

I also noticed that some read permissions were missing:
- /{,var/}run/nscd/db* wl,
+ /{,var/}run/nscd/db* rwl,

and will of course add access to /var/run/nscd/netgroup:
- /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
+ /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,

I'll also add
+ /proc/sys/vm/overcommit_memory r,
even if I couldn't trigger a DENIED for it while restarting and using (with
various name lookups) nscd, but I've seen it in my logs from january.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >
References