Default apache prefork profile doesn't allow chown

Bug #1210514 reported by Nick Moffitt
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Triaged
Low
Tyler Hicks
apparmor (Ubuntu)
Fix Released
Low
Unassigned

Bug Description

About every other day, I would see this in my kern.log:

    kernel: [11118879.416945] type=1502 audit(1375943374.913:25651799): operation="capable" pid=20505 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"

It would seem that the master process is trying to chown something for the benefit of one of the worker processes (who have dropped privilege), and this is part of the ordinary function of Apache.

When I spoke to jdstrand, he seemed to agree with my workaround of dropping a "capability chown," into a file in /etc/apparmor.d/apache2.d/ on all my systems.

Still, it seems like a useful thing to have in the default as shipped.

Tags: aa-policy

Related branches

Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Low
tags: added: policy
tags: added: aa-policy
removed: policy
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Tyler Hicks (tyhicks)
Changed in apparmor:
assignee: nobody → Tyler Hicks (tyhicks)
Steve Beattie (sbeattie)
Changed in apparmor:
milestone: none → 2.11
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - pa...

Read more...

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.