[apparmor] apparmor="KILLED" messages
Walter Hop
security at spam.lifeforms.nl
Sat Jan 3 15:45:44 UTC 2015
Hi John,
Thanks for looking into it!
>> Jan 2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 audit(1420227930.887:5141): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" pid=32342 comm="apache2" target="/usr/sbin/apache2"
>>
> interesting, I would guess that apache is handing work over to other processes.
>
> How changehat works is the process/thread enters an alternate confinement profile (hat); part of this process is specifying a random token in addition to the profile to transition to. When the process is ready to exit the confinement it needs to provide the same token that was used to enter the confinement.
This is nice to know! I always wondered how AppArmor would guard against arbitrary code calling change_hat.
> If the token is not matched the process/thread is killed by the kernel with an apparmor="KILLED" message being sent to auditd.
>
> The reason this is done is that the process change is under the control of the process/thread and if an attack manages to penetrate the web app then it might be possible for it to try breaking out of confinement. So the requirement is that one attempt is allowed, otherwise the process will be treated as subverted and killed (there is no chance for a brute force or even guessing a small subset of the space, the random token must be known).
Okay, that does sound like an interesting case then. So it might be a mod_apparmor race condition/memory corruption manifesting as a corrupt token?
>> Configuration: Apache 2.4.10 in chroot, mod_apparmor compiled from 2.9.0 source, Ubuntu 12.04 LTS.
>>
> do you know the apache configuration, ie prefork, mpm, or even just which ubuntu apache packages are installed
Yes, sure! I run Apache in prefork mode using the ondrej (dotdeb) Apache/PHP PPA.
To rule out any problems with my existing box (which is quite complex with lots of custom config, a chroot, various hats for virtualhosts…) I created a minimal example on a clean install for debugging this issue. I also tried mod_apparmor 2.9.1. I still get a reliable reproduce on the clean install.
Here are the instructions to get the KILLED messages from a clean install: https://gist.github.com/lifeforms/dc4d16cb5c564f166daa
(Note they also appear rarely when the machine is not under heavy load, but this generates them every time.)
I’d be glad to do some debugging; hopefully it’s a mod_apparmor rather than kernel issue. Is there a way to have mod_apparmor log the tokens for instance?
Thanks!
WH
--
Walter Hop | PGP key: https://lifeforms.nl/pgp
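The thread above explains that a change_hat exit with a mismatched token gets the process killed and an apparmor="KILLED" operation="change_hat" audit line emitted. When triaging such reports (a mod_apparmor bug versus a genuinely subverted worker), the first step is usually to pull those lines out of the kernel/audit log and see which hats and pids they concern. The following is an added example, not code from the thread or from the AppArmor project: two POSIX shell helpers that summarise KILLED change_hat events from audit text. The sample lines are constructed for illustration; the first is modelled on the line quoted above, the others (a second hat, a DENIED open) are invented so that grouping and filtering are visible.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample audit lines; the
# first is modelled on the one quoted in the thread, the rest are made up.
AUDIT_SAMPLE='Jan  2 20:45:30 ubuntutest kernel: [60168.840422] type=1400 audit(1420227930.887:5141): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" pid=32342 comm="apache2" target="/usr/sbin/apache2"
Jan  2 20:45:31 ubuntutest kernel: [60169.100001] type=1400 audit(1420227931.101:5142): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" name="/etc/shadow" pid=32343 comm="apache2"
Jan  2 20:45:32 ubuntutest kernel: [60170.200002] type=1400 audit(1420227932.201:5143): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" pid=32344 comm="apache2" target="/usr/sbin/apache2"
Jan  2 20:45:33 ubuntutest kernel: [60171.300003] type=1400 audit(1420227933.301:5144): apparmor="KILLED" operation="change_hat" profile="/usr/sbin/apache2//EXAMPLE_OTHER_HAT" pid=32346 comm="apache2" target="/usr/sbin/apache2"'

# Keep only lines where the kernel killed a task because its change_hat
# token did not match (the KILLED + change_hat combination from the thread).
killed_change_hat_lines() {
    printf '%s\n' "$1" |
    grep 'apparmor="KILLED"' |
    grep 'operation="change_hat"'
}

# Print "<count> <profile>" per hat, most frequent first. A hat that keeps
# showing up points at the request path (or vhost) to investigate.
killed_change_hat_summary() {
    killed_change_hat_lines "$1" |
    sed -n 's/.*profile="\([^"]*\)".*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Print the killed pids, space separated, to correlate with the web server's
# own error log (e.g. a worker that vanished mid-request).
killed_change_hat_pids() {
    killed_change_hat_lines "$1" |
    sed -n 's/.* pid=\([0-9]*\) .*/\1/p' |
    tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run over the constructed sample.
killed_change_hat_summary "$AUDIT_SAMPLE"
killed_change_hat_pids "$AUDIT_SAMPLE"; echo
```

On a live host, replace the sample string with the real log text, e.g. `killed_change_hat_summary "$(cat /var/log/kern.log)"` or the auditd log when auditd is running. Note that a DENIED line, such as the constructed open in the sample, is a normal confinement decision and is deliberately excluded: only the KILLED change_hat events indicate a failed token check.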