Ubuntu
apparmor package

aa-genprof traceback with apparmor 2.8.95

Bug #1294797 reported by Jamie Strandboge
44
This bug affects 10 people
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Unassigned
AppArmor 2.9.0
apparmor (Ubuntu)
Fix Released
Medium
Unassigned
Trusty
Fix Released
Medium
Marc Deslauriers

Bug Description

[impact]

This bug makes it difficult for trusty users to use the apparmor policy utilities.

[steps to reproduce]

See below

[regression potential]

This issue is being addressed by updating the python utilities to the version in apparmor 2.9.2 as tracked in bug 1449769. This represents are large change which would normally be risky; however, these changes are isolated to the python utils (so no changes to the policy parser/loader or enforcement), there are a large number of bugs that exist in the trusty version that make using the tools difficult, so it would be difficult to regress further, and the updated version includes many new unit tests to try to prevent from regressions from occurring.

[additional info]

The python utils testsuite is run as part of the test-apparmor.py test
script in lp:qa-regression-testing. The test-apparmor.py also has
additional basic usage tests to ensure that basic functionality is
maintained. These tests are run as part of the process fro each kernel
update.

[original description]

In a terminal, I run:

$ sudo aa-genprof /usr/bin/empathy
...
[(S)can system log for AppArmor events] / (F)inish

At this point, I start empathy, then stop it.

Now I go back to the terminal:
<press S>
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 150, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2240, in do_logprof_pass
    read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2689, in parse_profile_data
    filelist[file]['profiles'][profile][hat] = True
TypeError: 'bool' object does not support item assignment

If I run it again, I get a different traceback:
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 150, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2240, in do_logprof_pass
    read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3031, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /etc/apparmor.d/zz-unconfined line: 3'

/etc/apparmor.d/zz-unconfined contains:
# v2 compatible wildly permissive profile
profile "zz_unconfined" {
  capability,
  network,
  /** rwlkm,
  /** pix,

  # TODO: when dbus hits:
  dbus,
}

See original description
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is /etc/apparmor and /etc/apparmor.d

Revision history for this message
Tyler Hicks (tyhicks) wrote :

The bug that tracks the second traceback is bug #1294819

Revision history for this message
Christian Boltz (cboltz) wrote :

Workaround: aa-autodep $program ; aa-genprof $program
(or just start aa-genprof $program a second time, this time it will work because it has done the aa-autodep stuff before crashing)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
Christian Boltz (cboltz) wrote :

The first backtrace is tracked in bug 1319829 (fix commited to bzr r2516), and bug #1294819 (for the second backtrace) was also fixed.

This means this bug is fixed :-)

Changed in apparmor:
status: New → Fix Committed
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Jamie Strandboge (jdstrand)
Changed in apparmor:
milestone: none → 2.9.0
Revision history for this message
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Revision history for this message
Mathew Hodson (mhodson) wrote :

The fix has not been released for trusty, so that task should be changed back to Triaged.

apparmor is still 2.8.95~2430-0ubuntu5 in trusty

Seth Arnold (seth-arnold)
Changed in apparmor (Ubuntu Trusty):
status: Fix Released → Confirmed
Mathew Hodson (mhodson)
tags: added: trusty
Steve Beattie (sbeattie)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

I have reproduced the traceback when profiling empathy with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates, and can confirm that apparmor 2.8.95~2430-0ubuntu5.2 from trusty-proposed fixes the problem. Marking verification-done.

tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathew Hodson (mhodson)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.