Hi Christian, thanks for replying :)

> On 23 Mar 2015, at 00:23, Christian Boltz <appar...@cboltz.de> wrote:
>
> No, this was not solved yet - and it seems to happen for various types
> of _static_ files (css, js, pictures).
> OTOH, I never had a log entry for *.php files.

I tried getting an audit for a .php file and I did get an entry today on another server for /tmp/.ZendSem.xxxxxx when I quickly refreshed a PHP page a few times from an iPhone:

apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" name="/tmp/.ZendSem.NyRiVT" pid=1944 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0

This is an artifact of the PHP opcache extension, so this suggests to me that also some part of mod_php5 in a vhost does some work from HANDLING_UNTRUSTED_INPUT. Probably, the file type is not pertinent but the request must be made in a certain time window while the client still has an earlier HTTP keepalive connection open.

> Maybe you can sniff the HTTP traffic (using tcpdump or wireshark) to
> find the exact sequence you have to "say" when talking to port 80?

I saved a packet trace but I haven’t had time to look at it yet. For now I’ve disabled keepalive on all mod_apparmor machines.

It could be some days before I have time to look at it more closely, but if it’s helpful to have a script that reproduces it programmatically, I’ll try to make one. However, refreshing pages on an iPhone for a few seconds gives an easy reproduction on 2 servers for me. (Another server interestingly seems unaffected. The unaffected server is a VM on a slower SAN, so maybe its timings are different?)

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
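
Added example, not part of the original message or of AppArmor's own tooling: a Python triage script that parses audit records like the one quoted above and collects the denials attributed to the HANDLING_UNTRUSTED_INPUT hat, so requests that were still confined by that hat can be counted by operation and mask. The sample records are constructed (the first mirrors the quoted denial), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records. The first mirrors the denial quoted in the
# message above; the other two are invented for illustration.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" name="/tmp/.ZendSem.NyRiVT" pid=1944 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" name=2F746D702F6120622E637373 pid=1950 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2//example.org" name="/var/www/index.php" pid=1951 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        # The audit subsystem hex-encodes strings it cannot quote safely
        # (e.g. paths containing spaces); decode those for name fields.
        if key == "name" and bare and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = value
    return rec

def hat_denials(log_text, hat="HANDLING_UNTRUSTED_INPUT"):
    """Return DENIED records whose profile ends in the given mod_apparmor hat."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # "parent//hat" is how a hat is named in the profile field.
        parent, sep, child = rec.get("profile", "").partition("//")
        if rec.get("apparmor") == "DENIED" and sep and child == hat:
            rec["parent_profile"] = parent
            hits.append(rec)
    return hits

def summarize(hits):
    """Count denials per (operation, denied_mask) to show what the hat lacks."""
    return Counter((r["operation"], r["denied_mask"]) for r in hits)

if __name__ == "__main__":
    hits = hat_denials(SAMPLE_LOG)
    for r in hits:
        print(r["pid"], r["operation"], r["denied_mask"], r["name"])
    print(dict(summarize(hits)))
```

Matching the pid values it reports against the web server's access log timestamps shows which requests were served while the worker was still in the hat.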