AppArmor

reloading profile not possible due parser being memory hungry

Bug #590015 reported by Arkadiusz Miśkiewicz
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Unassigned

Bug Description

apparmor 2.5, apparmor-parser from bzr; kernel 2.6.33.5 with apparmor 2.5 tarball patch

# service apparmor reload
Przeładowanie usługi apparmor...................................................................................................................[ AKTYWUJĘ ]
/sbin/apparmor_parser: zamiana "HAT_owner_46291" nie powiod?a si?.Brak pami?ci

where in english it means: change "HAT_owner_46291" failed: Out of memory

# free
             total used free shared buffers cached
Mem: 6193244 5314312 878932 0 0 1440604
-/+ buffers/cache: 3873708 2319536

I need to kill main application on this server (very busy apache) and then do reload to get it succeed (or simply strace reload process - then it also succeeds).

Previous version (2.3.1286) had no such problem.

I have only one policy - it applies to httpd daemon. That policy contains over 1300 hats and every hat includes the same common hat abstraction file.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Do any of the hats grant privileges to resources that are specific to that hat?

When I hear of 1300 hats all containing identical information, I think perhaps your Apache mod_apparmor needs to be using AAHatName or AADefaultHatName or both in your Apache configuration file. (mod_apparmor(8) for details.)

The idea being that you could have one application, say phpBB served from /phpBB/ and using the phpBB hat, drupal served from /drupal/ using a drupal hat, and four specific cgi files with the URI-generated hats. It doesn't matter how many URIs phpBB and drupal use internally, they should probably be treated as single applications for the purposes of AppArmor. (Just about anything interesting will be needing access to a database, and once you grant access to the database socket, you've granted access for the entire application. So keeping the applications separated will keep your drupal from infecting your phpBB, or more likely the other way around. But keeping phpBB user pages from messing with phpBB admin data will be pretty hard.)

(Of course, 800 megs really does seem like it should be enough memory to compile just about any reasonable policy, and there's another 1.4 gigs that could have been scavenged if it were necessary.)

Revision history for this message
Arkadiusz Miśkiewicz (arekm) wrote :

The hats aren't identical.

Each virtual host has its own hat with write/read permissions custom for that vhost. The rest of permissions is common (like hat having access to php, write to apache logs, read some configs, access to /bin etc).

Common permissions are in "abstraction" file and each hat includes that common file + specifies few custom permissions.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Okay, then you've already gotten the low hanging fruit. Sorry for the distraction :)

Revision history for this message
Arkadiusz Miśkiewicz (arekm) wrote :

Example policy showing the problem is available in another bug: https://bugs.launchpad.net/apparmor/+bug/590113

Revision history for this message
Arkadiusz Miśkiewicz (arekm) wrote :
Download full text (28.2 KiB)

Sometimes the problem manifests in much worse way:

[293399.078572] Call Trace:
[303111.481464] audit: audit_backlog=70 > audit_backlog_limit=64
[303111.481469] audit: audit_lost=2956 audit_rate_limit=0 audit_backlog_limit=64
[303111.481473] audit: backlog limit exceeded
[303111.481476] AppArmor: (-12) Unable to log event of type (1505)
[313907.562395] audit: audit_backlog=70 > audit_backlog_limit=64
[313907.562400] audit: audit_lost=2957 audit_rate_limit=0 audit_backlog_limit=64
[313907.562403] audit: backlog limit exceeded
[313907.562406] AppArmor: (-12) Unable to log event of type (1505)
[324710.138563] audit: audit_backlog=70 > audit_backlog_limit=64
[324710.138568] audit: audit_lost=2958 audit_rate_limit=0 audit_backlog_limit=64
[324710.138571] audit: backlog limit exceeded
[324710.138574] AppArmor: (-12) Unable to log event of type (1505)
[335502.266552] audit: audit_backlog=70 > audit_backlog_limit=64
[335502.266556] audit: audit_lost=2959 audit_rate_limit=0 audit_backlog_limit=64
[335502.266559] audit: backlog limit exceeded
[335502.266561] AppArmor: (-12) Unable to log event of type (1505)
[341230.383729] possible SYN flooding on port 80. Sending cookies.
[341290.583784] possible SYN flooding on port 80. Sending cookies.
[341350.587621] possible SYN flooding on port 80. Sending cookies. ...

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Is this still a problem with newer AppArmor? (eg, 2.8 or 2.9)

Changed in apparmor:
status: New → Incomplete
Revision history for this message
Arkadiusz Miśkiewicz (arekm) wrote :

I didn't see this problem anymore.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks!

Changed in apparmor:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.