> Hi Walter,
> 
> Anything new with this? I have a similar hat mismatch, but I've never been
> able to reproduce it. Did you manage to get strace output?

Hi Kees,

I did manage to minimize my case (e.g. use a simple ‘hello world’ instead of 
Wordpress) and still reproduce. I have strace output for a successful run 
versus a failing run, with the same sequence and timing of client requests.

The traces are huge and I didn’t find a good tool to present them (like a 
sideways diff HTML generator), so I forgot about them. But they are here (I 
replaced some variables like the pid to lower the number of uninteresting 
diffs):
http://lf.ms/apparmor/strace-ok.txt
http://lf.ms/apparmor/strace-fail.txt

The Apache install is not completely minimal; there is still some unnecessary 
‘noise’ in the traces from ModSecurity. Its delays however make reproduction 
much easier for me. When I disabled ModSec rules, I could reproduce much less 
reliably, like 1 in 100 tries, so I never got a good trace in that state.

PS: I also talked to a developer of an (unrelated) Apache module. He was quite 
skeptical about using the log_transaction hook in the way that we rely on for 
changing hats back. I didn’t find more appropriate hooks from a quick look in 
Apache source, but if this hook turns out to be unreliable, maybe we could try 
going on the Apache modules dev list and see if a more reliable hook can be 
added which is guaranteed to fire at a useful time. Since the request lifecycle 
is also undergoing architectural changes with mod_h2 coming, maybe the module 
will require a bit of work anyway to be future proof… But as I understood it, 
this shouldn’t be a whole lot.

I’ll be happy to invest more time if I can be useful.

Cheers!
WH

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com