On 08/07/2013 05:29 AM, azurIt wrote:
> Hi,
> 
> i'm trying to use mod_apparmor in Apache but every request is creating a new 
> profile inside the kernel, which looks like this:
>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
>    /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
> 
> and so on. There are TONS of such profiles after a few weeks of running:
> 42775 profiles are in complain mode.
> 
> Am I doing something wrong?
> 
Your profile is in complain mode and it is not finding the requested
hat on its first attempt.

Basically, complain mode in AppArmor is a learning mode: instead of
rejecting requests that don't have permission, it logs but allows
them (complains). Domain transitions are special in that when the
requested domain doesn't exist it could be because it needs to
be created yet, or it could be that the request needs to be
merged into the current profile. So AppArmor creates a new null-XXX
profile that is used to track this request.

These request profiles are piling up because there is a bug where
null-XXX profiles are not being garbage collected when no longer
in use.

Change the profile into enforce mode, using the aa-enforce tool
on the file your apache profile is in (likely)

  aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2

or manually, by either deleting the symlink (if it exists) to the
profile file in
  /etc/apparmor.d/complain

or by editing the profile to remove the complain flag, e.g.

  /usr/lib/apache2/mpm-itk/apache2 (complain) {...}

would become

  /usr/lib/apache2/mpm-itk/apache2 {...}




-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
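The two manual steps described in the reply above, as an added shell example that is not part of the thread: counting how many null-XXX profiles the kernel currently holds, and removing the complain flag from the profile file so that the next reload puts it in enforce mode. It reads a list in the format of /sys/kernel/security/apparmor/profiles and a profile file with the header shown in the reply; the sample contents, the hat name and the apache2 profile path used in the demo are constructed and are assumptions. Reloading the edited profile into the kernel (apparmor_parser -r, or aa-enforce which does the edit and the reload for you) is a real step on a live system and is left as a comment rather than run.

```shell
#!/bin/sh
# Added example, not code from the original thread. Helpers for the advice in
# the reply above. Paths, hat name and sample data below are constructed.

# Where the kernel lists loaded profiles, one "name (mode)" per line
# (assumed path; standard location on Ubuntu with securityfs mounted).
APPARMOR_PROFILES="${APPARMOR_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# count_null_profiles FILE
# Counts leaked entries of the form  <profile>//<hat>//null-NNNN (complain)
# in a file formatted like $APPARMOR_PROFILES. Prints 0 when there are none.
count_null_profiles() {
    grep -c '//null-[0-9][0-9]* (complain)$' "$1" || true
}

# strip_complain_flag FILE
# Rewrites  NAME (complain) {  or  NAME flags=(complain) {  to  NAME {
# in place, for the top-level profile header and any ^hat headers.
# Only a bare complain flag is handled; a flag list such as
# (complain,attach_disconnected) is left untouched for a manual edit.
# The rewrite goes through a temp file and is copied back with cat so the
# original file's owner and mode are preserved.
strip_complain_flag() {
    tmp=$(mktemp) || return 1
    sed 's/[[:space:]]*\(flags=\)\{0,1\}(complain)[[:space:]]*{/ {/' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# --- demo on constructed input: needs no root and no AppArmor tools ---
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/lib/apache2/mpm-itk/apache2 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005 (complain)
EOF

demo_profile=$(mktemp)
cat > "$demo_profile" <<'EOF'
#include <tunables/global>
/usr/lib/apache2/mpm-itk/apache2 (complain) {
  #include <abstractions/base>
  ^DEFAULT_URI flags=(complain) {
    /var/www/** r,
  }
}
EOF

echo "null-XXX profiles in the (sample) kernel list: $(count_null_profiles "$demo_list")"
strip_complain_flag "$demo_profile"
echo "profile headers after removing the complain flag:"
grep -n '{' "$demo_profile"

# On a live system the edit is not picked up until the profile is reloaded:
#   apparmor_parser -r /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2
# and, for the real list, count_null_profiles "$APPARMOR_PROFILES".

rm -f "$demo_list" "$demo_profile"
```

The count helper is useful as a before/after check: once the profile is reloaded in enforce mode, new requests for a missing hat are rejected instead of spawning a null-XXX profile, so the number should stop growing.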