AppArmor breaks seccomp @ Apache mpm-itk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Confirmed | Medium | Unassigned |
mailman (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Tested on Ubuntu 14.04 only; unsure about status on other platforms. MPM-itk features a seccomp filter that tries to see that parameters passed to setuid() are acceptable, in order to hopefully prevent the application getting back root or assuming rights of some system user. This breaks when Apache is mediated by AppArmor: prctl() fails with a 'Permission denied' error. This problem can be replicated /only/ when the code in question lives in a shared library (demo attached), /not/ when built into the app. Irrespective of whether this behaviour is justified or not (I don't know?), it would be nice to have a way to address this.
```
root@bizarro:
root@bizarro:
root@bizarro:
root@bizarro:
-bash: ./derp: No such file or directory
root@bizarro:
root@bizarro:
./derp: error while loading shared libraries: libherp.so: cannot open shared object file: No such file or directory
root@bizarro:
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from os import setuid
>>> setuid(1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted
>>>
root@bizarro:
root@bizarro:
Installing seccomp filter failed (probably due to too old kernel); unable to restrict setuid privileges.
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from os import setuid
>>> setuid(1)
>>>
```
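The report describes the mechanism only in prose: a seccomp filter that vets the uid passed to setuid(), and a prctl() call that fails under AppArmor while the application falls back to running unrestricted. The following is an added example, not mpm-itk's code and not the attached demo (which is not on this page). It builds a classic-BPF seccomp filter that lets setuid() through only for uids at or above a threshold and fails it with EPERM otherwise, and it reports the real errno from prctl() so a confined process logs why the filter was not installed rather than guessing at the kernel version. Assumptions: x86-64 or AArch64 Linux, and a constructed threshold of 1000; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: the host is x86-64 or AArch64 Linux. Other architectures need
 * their own AUDIT_ARCH_* value (and, on i386, the setuid32 variant as well). */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SETUID_FILTER_LEN 9

/* Fill `out` (at least SETUID_FILTER_LEN entries) with a filter that allows
 * setuid() only when the requested uid is >= min_uid and fails it with EPERM
 * otherwise. Every other syscall is allowed. Returns the instruction count. */
size_t build_setuid_filter(uid_t min_uid, struct sock_filter *out)
{
    struct sock_filter prog[SETUID_FILTER_LEN] = {
        /* 0-2: kill the process if the syscall ABI is not the one built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: any syscall other than setuid is allowed (jump to 8). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setuid, 0, 3),
        /* 5-6: load the low 32 bits of arg0 (the uid, little-endian) and compare. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, min_uid, 1, 0),
        /* 7: uid below the threshold: the call returns -1 with errno EPERM. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 8: allow. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return SETUID_FILTER_LEN;
}

/* Install the filter. Returns 0 on success or -errno, so the caller can log
 * the actual reason (the report's "Permission denied" is EACCES) instead of
 * the generic "probably due to too old kernel" message. */
int install_setuid_filter(uid_t min_uid)
{
    struct sock_filter insns[SETUID_FILTER_LEN];
    struct sock_fprog prog;

    prog.len = (unsigned short)build_setuid_filter(min_uid, insns);
    prog.filter = insns;

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
        return 0;
    /* Without CAP_SYS_ADMIN the kernel answers EACCES until no_new_privs is
     * set; setting it also blocks later setuid-bit execs, so do it only then. */
    if (errno != EACCES)
        return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    const uid_t min_uid = 1000; /* constructed threshold: no system accounts below it */
    int rc = install_setuid_filter(min_uid);
    if (rc != 0) {
        fprintf(stderr, "seccomp filter not installed: %s\n", strerror(-rc));
        return 1;
    }
    /* Same check as the report's Python session: as root this now fails with
     * EPERM from the filter; as an unprivileged user it fails with EPERM anyway. */
    if (setuid(1) != 0)
        printf("setuid(1): %s\n", strerror(errno));
    else
        printf("setuid(1) succeeded (filter did not take effect)\n");
    return 0;
}
```

Run as root to reproduce the first Python session above (setuid(1) rejected with EPERM); if prctl() fails, the message names the errno, which is the distinction the report's "too old kernel" guess hides.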
Changed in mailman (Ubuntu):
  status: Confirmed → Invalid

Changed in apparmor:
  importance: Undecided → Medium
  status: New → Confirmed
  tags: added: aa-kernel
I added mailman, as I think this issue affects mailman's Python scripts when running with apache-mpm-itk.
Running any of the Python scripts on a site protected with apache-mpm-itk gives an "Operation not permitted" error.