On Sat, Jul 18, 2015 at 06:15:51PM +0200, Walter Hop wrote:
> > Hi Walter,
> > 
> > Anything new with this? I have a similar hat mismatch, but I've never been
> > able to reproduce it. Did you manage to get strace output?
> 
> Hi Kees,
> 
> I did manage to minimize my case (e.g. use a simple ‘hello world’ instead of 
> Wordpress) and still reproduce. I have strace output for a successful run 
> versus a failing run, with the same sequence and timing of client requests.

Thanks for doing this! I haven't been able to do any more testing on my end
because I've hit a kernel bug with AppArmor under mod_apparmor. I hope to
get back to looking at your straces once I have something to test with
again. :)

> The traces are huge and I didn’t find a good tool to present them (like a 
> sideways diff HTML generator), so I forgot about them. But they are here (I 
> replaced some variables like the pid to lower the number of uninteresting 
> diffs):
> http://lf.ms/apparmor/strace-ok.txt
> http://lf.ms/apparmor/strace-fail.txt

On a quick look, it just seems like the failed strace simply doesn't do the
changehat it needs to. :(

> The Apache install is not completely minimal; there is still some unnecessary 
> ‘noise’ in the traces from ModSecurity. Its delays however make reproduction 
> much easier for me. When I disabled ModSec rules, I could reproduce much less 
> reliably, like 1 in 100 tries, so I never got a good trace in that state.

Interesting!

> PS: I also talked to a developer of an (unrelated) Apache module. He was 
> quite skeptical about using the log_transaction hook in the way that we rely 
> on for changing hats back. I didn’t find more appropriate hooks from a quick 
> look in Apache source, but if this hook turns out to be unreliable, maybe we 
> could try going on the Apache modules dev list and see if a more reliable 
> hook can be added which is guaranteed to fire at a useful time. Since the 
> request lifecycle is also undergoing architectural changes with mod_h2 
> coming, maybe the module will require a bit of work anyway to be future 
> proof… But as I understood it, this shouldn’t be a whole lot.

Yeah, I haven't looked at the source myself yet. It seems adding a hook
would be a good way forward, though.

> I’ll be happy to invest more time if I can be useful.

Thanks and sorry for the giant delay in my reply! :)

-Kees

-- 
Kees Cook

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
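The thread above lacks a tool for comparing the two straces and pinpointing the missing hat change. The script below is an added example written for this page; it is not code from the AppArmor project, libapparmor or mod_apparmor, and the trace excerpts in it are constructed, not the traces linked above. It assumes that aa_change_hat() is visible in strace as a write of the form "changehat <token>^<hat>" to /proc/<pid>/attr/current, and that an empty hat name is the return to the parent profile, which is what the post_read_request / log_transaction pairing discussed in the thread would produce. Only writes to a descriptor opened on attr/current are counted, so unrelated write() calls are ignored.

```python
"""Extract AppArmor changehat transitions from strace output and check
that every hat entered is left again before the trace ends.

Added example for the mailing-list thread; not AppArmor project code.
Assumption: libapparmor writes "changehat <token>^<hat>" to
/proc/<pid>/attr/current, empty hat name = return to parent profile.
"""
import re
from typing import Dict, List, Optional, Tuple

# Optional "[pid N]" / "N" / "HH:MM:SS.uuuuuu" prefixes from strace -f / -tt.
_PREFIX = re.compile(r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?')
_OPEN = re.compile(
    r'^(?:open|openat)\((?:AT_FDCWD,\s*)?'
    r'"(/proc/(?:self|\d+)/attr/(?:apparmor/)?current)".*=\s*(\d+)\s*$')
_WRITE = re.compile(r'^write\((\d+),\s*"changehat\s+[0-9a-fA-F]+\^([^"\\]*)"')
_CLOSE = re.compile(r'^close\((\d+)\)')


def parse_changehats(trace: str) -> List[Tuple[int, str]]:
    """Return (line number, hat name) for each changehat write; '' = parent."""
    attr_fds: Dict[str, str] = {}          # fd -> /proc/.../attr/current path
    events: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(trace.splitlines(), start=1):
        line = _PREFIX.sub('', raw, count=1)
        m = _OPEN.match(line)
        if m:
            attr_fds[m.group(2)] = m.group(1)
            continue
        m = _CLOSE.match(line)
        if m:
            attr_fds.pop(m.group(1), None)
            continue
        m = _WRITE.match(line)
        if m and m.group(1) in attr_fds:   # ignore writes to other fds
            events.append((lineno, m.group(2)))
    return events


def check_hat_balance(events: List[Tuple[int, str]]) -> List[str]:
    """Report hat changes that are not paired as enter-then-return."""
    problems: List[str] = []
    current: Optional[str] = None          # active hat, None = parent profile
    for lineno, hat in events:
        if hat == '':
            if current is None:
                problems.append(f'line {lineno}: return to parent while not in a hat')
            current = None
        else:
            if current is not None:
                problems.append(f'line {lineno}: entered hat {hat!r} while still in {current!r}')
            current = hat
    if current is not None:
        problems.append(f'end of trace: still in hat {current!r}')
    return problems


def first_divergence(ok_events: List[Tuple[int, str]],
                     fail_events: List[Tuple[int, str]]) -> Optional[int]:
    """Index of the first changehat where the two runs differ, or None."""
    ok_hats = [hat for _, hat in ok_events]
    fail_hats = [hat for _, hat in fail_events]
    for i, (a, b) in enumerate(zip(ok_hats, fail_hats)):
        if a != b:
            return i
    if len(ok_hats) == len(fail_hats):
        return None
    return min(len(ok_hats), len(fail_hats))


# Constructed excerpts (pid and token are made up). The "ok" run enters the
# hat for the request and returns afterwards; the "fail" run never returns.
TRACE_OK = """\
open("/proc/1234/attr/current", O_WRONLY) = 12
write(12, "changehat 00000000deadbeef^hello-world", 38) = 38
close(12) = 0
read(9, "GET /index.html HTTP/1.1\\r\\n", 8000) = 26
write(9, "HTTP/1.1 200 OK\\r\\n", 17) = 17
open("/proc/1234/attr/current", O_WRONLY) = 12
write(12, "changehat 00000000deadbeef^", 27) = 27
close(12) = 0
"""

TRACE_FAIL = """\
open("/proc/1234/attr/current", O_WRONLY) = 12
write(12, "changehat 00000000deadbeef^hello-world", 38) = 38
close(12) = 0
read(9, "GET /index.html HTTP/1.1\\r\\n", 8000) = 26
write(9, "HTTP/1.1 200 OK\\r\\n", 17) = 17
read(9, "GET /index.html HTTP/1.1\\r\\n", 8000) = 26
"""

if __name__ == '__main__':
    ok, fail = parse_changehats(TRACE_OK), parse_changehats(TRACE_FAIL)
    print('ok  :', check_hat_balance(ok) or 'balanced')
    print('fail:', check_hat_balance(fail))
    print('first divergence at changehat #', first_divergence(ok, fail))
```

Run it against the real traces by reading each file into `parse_changehats()`; the index from `first_divergence()` and the line numbers in `check_hat_balance()` point at the request whose log_transaction changehat never happened.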
