[apparmor] apparmor="KILLED" messages
John Johansen
john.johansen at canonical.com
Sat Jan 3 05:35:20 UTC 2015
On 01/02/2015 02:26 PM, Walter Hop wrote:
> Hi all,
>
> I'm new to AppArmor. So far I'm loving it, and one of my new year’s resolutions is to confine all the things!
>
> I am needing some reassurance on one weird log entry I’m seeing with Apache. AppArmor and mod_apparmor work great with it, but I noticed that sometimes I get an apparmor="KILLED" log entry such as the following:
>
> Jan 2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 audit(1420227930.887:5141): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" pid=32342 comm="apache2" target="/usr/sbin/apache2"
>
> It looks sorta scary, but from my tests, AppArmor is functioning normally. I reproduced the message by overloading Apache with a stress test, and then afterwards I see it happening at regular intervals as Apache throttles down and kills the worker processes that it no longer needs. (There are no DENIED messages.)
>
Interesting, I would guess that apache is handing work over to other processes.
How changehat works is that the process/thread enters an alternate confinement profile (hat); part of this process is specifying a random token in addition to the profile to transition to. When the process is ready to exit the confinement it needs to provide the same token that was used to enter the confinement. If the token is not matched the process/thread is killed by the kernel with an apparmor="KILLED" message being sent to auditd.
The reason this is done is that the process change is under the control of the process/thread, and if an attack manages to penetrate the web app then it might be possible for it to try breaking out of confinement. So the requirement is that one attempt is allowed; otherwise the process will be treated as subverted and killed (there is no chance for a brute force or even guessing a small subset of the space; the random token must be known).
> So, it seems the apparmor="KILLED" message might be benign in this case, but before proceeding with putting AppArmor into production, I’d like to know: Can I safely ignore these messages, or do they warrant debugging?
>
They warrant debugging. That said, I expect it's a corner case, and as long as the load on the server isn't such that you will hit this situation, it would be okay to move into production. The worst case I see with this is an attacker being able to DoS your machine (more severely than was already needed to get apache to start killing processes).
> Configuration: Apache 2.4.10 in chroot, mod_apparmor compiled from 2.9.0 source, Ubuntu 12.04 LTS.
>
Do you know the apache configuration, i.e. prefork, mpm, or even just which ubuntu apache packages are installed?
> Thanks for any input!
>
> WH
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
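As an added example (not code from this thread or from the AppArmor project), a small Python triage helper that parses type=1400 kernel lines like the one quoted above and counts change_hat KILLED events per profile next to ordinary denials, so a burst of token-mismatch kills stands out in the log. The sample input is constructed, apart from the line quoted in the mail.

```python
import re
from collections import Counter

# Matches key="quoted value" or key=bare_value pairs in an AppArmor audit line.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}

def classify(event):
    """Map one parsed event to a triage label.
    A KILLED with operation change_hat means a process presented a hat token
    that did not match, so the kernel killed it rather than allow a second guess."""
    status = event.get("apparmor")
    if status == "KILLED" and event.get("operation") == "change_hat":
        return "hat-token-mismatch"
    if status == "KILLED":
        return "killed-other"
    if status == "DENIED":
        return "denied"
    return "other"

def triage(lines):
    """Count events per (profile, label); unrelated syslog lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev:
            counts[(ev.get("profile", "?"), classify(ev))] += 1
    return counts

# Constructed sample input: the line from the mail plus two made-up lines in the same format.
SAMPLE_LINES = [
    'Jan 2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 audit(1420227930.887:5141): '
    'apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" '
    'pid=32342 comm="apache2" target="/usr/sbin/apache2"',
    'Jan 2 20:45:31 ubuntutest kernel: [60169.100000] type=1400 audit(1420227931.100:5142): '
    'apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" '
    'pid=32343 comm="apache2" target="/usr/sbin/apache2"',
    'Jan 2 20:45:32 ubuntutest kernel: [60170.200000] type=1400 audit(1420227932.200:5143): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" '
    'name="/srv/data/private.txt" pid=32344 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
]

if __name__ == "__main__":
    for (profile, label), n in sorted(triage(SAMPLE_LINES).items()):
        print(f"{n:4d}  {label:20s} {profile}")
```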