sts-sponsors team mailing list archive
Message #00217
[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits
Hi Seyeong,
Here are some sponsoring notes that will require minor changes. While
waiting for the build farm ...
#1 - Can you make sure (if not already) to forward/submit the patch to
Debian upstream against apparmor? This is a requirement for the patch
to land in Ubuntu.
Then we can request a coredev to sponsor the devel release (bionic), and
then start the SRU.
#2 - Seems like the good upstream commit number for the change is "ad94da321ba51e247b2df82a96cb9d83d47b887e"? Can you double-check?
If you confirm, please change the commit number where it applies.
#3 - Change "Origin:" in the DEP3 header
Origin: upstream, https://gitlab.com/apparmor/apparmor/commit/ad94da321ba51e247b2df82a96cb9d83d47b887e
(or use the proper commit; see #2)
#4 - Change "Bug-Ubuntu:" in DEP3 header using the short LP bug url
From
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714
To
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1717714
#5 - Review the package versions. Worst case I'll do it myself later
when I'm ready to upload.
Example taken from trusty debdiff:
Going from "2.10.95-0ubuntu2.6~14.04.1" to "2.10.95-0ubuntu2.7~14.04.1" is wrong. It's preferable to use "2.10.95-0ubuntu2.6~14.04.2"
Thanks & let me know if you have any questions.
- Eric
** Tags added: sts-sponsor-slashd
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1717714
Title:
@{pid} variable broken on systems with pid_max more than 6 digits
Status in AppArmor:
Fix Committed
Status in AppArmor 2.11 series:
Fix Committed
Status in apparmor package in Ubuntu:
Confirmed
Status in apparmor source package in Trusty:
New
Status in apparmor source package in Xenial:
New
Status in apparmor source package in Zesty:
New
Status in apparmor source package in Artful:
New
Status in apparmor source package in Bionic:
Confirmed
Bug description:
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are
affected.
[Test Case]
1. Make the PID go over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)
You can see the denied msg as in the original description
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert it manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@xxxxxxxxx>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affected releases: TXZA
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
--------------------------------------------------------------------------
* Revision:
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7
digits, the @{pid} variable no longer matches all pids, causing some
breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
(2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17).
I am aware this is a non-default configuration, but I think this
should work.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions
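As an added illustration (not code from the bug report or from the AppArmor project), the Python below turns the @{pid} definition quoted above into a regex, shows that the PIDs in the quoted DENIED line fall outside it, and works out how many digits a given kernel.pid_max requires. The extended definition it builds is constructed here in the same shape as the tunable, one alternative per digit count; it is not the text of the upstream "Allow seven digit pid" commit.

```python
import re

# @{pid} definition quoted in the bug report (from /etc/apparmor.d/tunables).
PID_TUNABLE_6 = ("@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
                 "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}")

# Constructed copy of the DENIED audit line quoted in the report (same values).
AUDIT_LINE = ('type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
              'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
              'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
              'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111')

def parse_alternatives(definition):
    """Split '@{name}={a,b,...}' into (name, [a, b, ...])."""
    m = re.fullmatch(r"@\{(\w+)\}=\{(.*)\}", definition.strip())
    if not m:
        raise ValueError("not a brace-alternation variable definition")
    return m.group(1), m.group(2).split(",")

def compile_variable(definition):
    """Anchored regex for the variable. Assumption: the alternatives only use
    [x-y] character classes, which mean the same thing in AppArmor and Python."""
    _, alts = parse_alternatives(definition)
    return re.compile("^(?:" + "|".join(alts) + ")$")

def covered_digits(definition, limit=12):
    """Longest PID, in digits, that the definition matches (0 if none)."""
    rx = compile_variable(definition)
    return max((n for n in range(1, limit + 1) if rx.match("1" + "0" * (n - 1))), default=0)

def pid_digits_needed(pid_max):
    """Digits of the largest PID the kernel can allocate (pid_max is exclusive)."""
    return len(str(pid_max - 1))

def build_pid_tunable(max_digits):
    """Constructed @{pid} definition covering 1..max_digits digits; not the text of
    the upstream fix, just the tunable's shape extended one alternative per digit."""
    alts = ["[1-9]" + "[0-9]" * (n - 1) for n in range(1, max_digits + 1)]
    return "@{pid}={" + ",".join(alts) + "}"

def uncovered_pids(audit_line, definition):
    """PIDs in a DENIED line's name= path and pid= field that the definition misses."""
    rx = compile_variable(definition)
    path = re.search(r'name="([^"]*)"', audit_line).group(1)
    pids = set(re.findall(r"(?<=/)\d+(?=/)", path))
    pids.add(re.search(r"\bpid=(\d+)", audit_line).group(1))
    return sorted(p for p in pids if not rx.match(p))

if __name__ == "__main__":
    print(covered_digits(PID_TUNABLE_6), pid_digits_needed(4194303),
          uncovered_pids(AUDIT_LINE, PID_TUNABLE_6), uncovered_pids(AUDIT_LINE, build_pid_tunable(7)))
```

Comparing covered_digits() of the installed tunables file against pid_digits_needed() of the running kernel's pid_max is a quick check for whether a host is exposed to this class of denial.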