** Description changed:

  [Impact]
  If PID is larger than 6 digits, apparmor denies the process.
  This fix is committed, but not released, so all supported versions are affected.

  [Test Case]
  1. Make the pid go over 6 digits - I used the touch command to do it.
  2. snap install canonical-livepatch ( just picked this pkg )
  You can see the denied msg as in the original description.

  [Regression]
- this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily.
+ this fix changes regex only, i don't think there is severe regression. also if there is regression, we can revert manually temporarily. denied services need to be restarted after fixing this.

  [Others]
- revision : http://bazaar.launchpad.net/~apparmor-
- dev/apparmor/master/revision/3722
+ * Upstream commit:
+ https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
+
+ * commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
+ Author: Vincas Dargis <vin...@gmail.com>
+ Date:   Sat Sep 30 15:28:15 2017 +0300
+
+     Allow seven digit pid
+
+
+ * Affecting releases : TXZA
+ --------------------------------------------------------------------------
+ $ git describe --contains 630cb2a9
+ v2.11.95~5^2
+
+ $ rmadison apparmor
+  apparmor | 2.8.95~2430-0ubuntu5       | trusty
+  apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
+  apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
+  apparmor | 2.10.95-0ubuntu2            | xenial
+  apparmor | 2.10.95-0ubuntu2.6          | xenial-security
+  apparmor | 2.10.95-0ubuntu2.7          | xenial-updates
+  apparmor | 2.11.0-2ubuntu4             | zesty
+  apparmor | 2.11.0-2ubuntu17            | artful
+  apparmor | 2.11.0-2ubuntu18            | bionic
+ --------------------------------------------------------------------------
+
+ * Revision :
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

  [Original Description]
  If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:

  @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  This Ubuntu 17.04 system has:

  kernel.pid_max = 4194303

  And is showing

  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by

  @{PROC}/sys/vm/overcommit_memory r,

  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

  I am aware this is a non-default configuration, but I think this should work.
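The following script is an added example and is not part of the bug report or of the AppArmor project. It takes the @{pid} tunable quoted above, translates the small subset of AppArmor glob syntax it uses (a `{a,b,c}` alternation of `[0-9]`-style character classes) into an anchored regular expression, and checks which pids the tunable can match, including the pid from the DENIED audit line in the description. `PID_7_DIGITS` is an assumption about the shape of the "Allow seven digit pid" fix (one more seven-digit alternative appended); the exact upstream text is not on this page. `tunable_to_regex`, `pid_matches`, `max_pid_digits` and `audit_pid` are names chosen here, not AppArmor APIs.

```python
"""Check which process ids an AppArmor @{pid} tunable can match.

Added example, not AppArmor project code.  Only the subset of AppArmor
glob syntax used by @{pid} is handled: a {a,b,c} alternation whose
members are sequences of bracket classes such as [1-9] or [0-9].
Other glob features (*, **, ?) are rejected rather than mis-translated.
"""
import re

# @{pid} as quoted in the bug report: one to six digits, no leading zero.
PID_6_DIGITS = (
    "{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}"
)

# Assumed shape of the fix ("Allow seven digit pid"): the same tunable with
# a seven-digit alternative appended.  Not copied from the upstream commit.
PID_7_DIGITS = PID_6_DIGITS[:-1] + ",[1-9][0-9][0-9][0-9][0-9][0-9][0-9]}"

# The DENIED line from the bug description, used here as sample input.
AUDIT_LINE = (
    'type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
    'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
    'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
    'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111'
)

_BRACKET_SEQUENCE = re.compile(r"(\[[0-9]-[0-9]\])+")


def tunable_to_regex(tunable: str) -> "re.Pattern[str]":
    """Translate a {a,b,c} alternation of bracket classes into an anchored regex."""
    if not (tunable.startswith("{") and tunable.endswith("}")):
        raise ValueError("expected a {...} alternation")
    alternatives = tunable[1:-1].split(",")
    for alt in alternatives:
        # Refuse anything outside the supported subset instead of guessing.
        if not _BRACKET_SEQUENCE.fullmatch(alt):
            raise ValueError(f"unsupported glob element: {alt!r}")
    # Bracket classes are valid as-is in Python regex syntax.
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


def pid_matches(tunable: str, pid: int) -> bool:
    """True if the tunable would match this pid as a path component."""
    return tunable_to_regex(tunable).fullmatch(str(pid)) is not None


def max_pid_digits(tunable: str) -> int:
    """Longest pid, in decimal digits, that the tunable can ever match."""
    return max(alt.count("[") for alt in tunable[1:-1].split(","))


def audit_pid(line: str) -> int:
    """Extract the pid= field from an AppArmor audit line."""
    match = re.search(r"\bpid=(\d+)", line)
    if match is None:
        raise ValueError("no pid= field in audit line")
    return int(match.group(1))


def pid_max_is_covered(tunable: str, pid_max: int) -> bool:
    """True if every pid the kernel can hand out (1 .. pid_max-1) fits the tunable."""
    return len(str(pid_max - 1)) <= max_pid_digits(tunable)


if __name__ == "__main__":
    denied_pid = audit_pid(AUDIT_LINE)
    for label, tunable in (("6-digit @{pid}", PID_6_DIGITS), ("7-digit @{pid}", PID_7_DIGITS)):
        print(f"{label}: max digits={max_pid_digits(tunable)}, "
              f"matches pid {denied_pid}: {pid_matches(tunable, denied_pid)}, "
              f"covers pid_max=4194303: {pid_max_is_covered(tunable, 4194303)}")
```

Running the script shows the six-digit tunable rejecting pid 2168180 while the seven-digit one accepts it, and that kernel.pid_max = 4194303 needs seven digits. The kernel's `pid_max` is an exclusive upper bound, so the largest pid it hands out is `pid_max - 1`, which is why `pid_max_is_covered` measures that value.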
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs