Python utils lack support for mount rules

Bug #1294825 reported by Tyler Hicks on 2014-03-19
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Tyler Hicks
apparmor (Ubuntu)

Bug Description

The new module does not handle mount rules and emits a traceback.

$ mkdir /tmp/profs
$ printf "profile romount {\n mount options=ro,\n}" > /tmp/profs/mount
$ sudo aa-enforce -d /tmp/profs /tmp/profs/mount
Traceback (most recent call last):
  File "./aa-enforce", line 30, in <module>
  File "/var/scm/apparmor.git/utils/apparmor/", line 153, in cmd_enforce
  File "/var/scm/apparmor.git/utils/apparmor/", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/var/scm/apparmor.git/utils/apparmor/", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/var/scm/apparmor.git/utils/apparmor/", line 3031, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/mount line: 2'
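
Added example, not part of the original report or of the AppArmor code base: a minimal line-dispatch parser that treats an unmatched line as a hard error, run on the profile from the reproducer first without and then with a mount matcher. The regexes, `ProfileSyntaxError` and the function names are hypothetical and simplified; the matcher only recognises a mount rule and keeps its text, it does not interpret it.

```python
import re

class ProfileSyntaxError(Exception):
    """Hypothetical stand-in for apparmor.common.AppArmorException."""

# Simplified, assumed matchers; the real utilities know many more rule types.
BASE_RULES = [
    ("profile_start", re.compile(r"^\s*profile\s+\S+\s*\{\s*$")),
    ("profile_end", re.compile(r"^\s*\}\s*$")),
    ("capability", re.compile(r"^\s*capability\s+\w+\s*,\s*$")),
]

# Recognise mount/remount/umount rules and keep the text verbatim. Options,
# fstype, device and mount point are not interpreted (an assumption about what
# "limited" support could mean, not the content of the actual patch).
MOUNT_RULE = ("mount", re.compile(
    r"^\s*(?:audit\s+)?(?:allow\s+|deny\s+)?(?:mount|remount|umount)"
    r"(?:\s+[^#]*?)?\s*,\s*(?:#.*)?$"))

# Profile text from the reproducer in the report.
SAMPLE = "profile romount {\n mount options=ro,\n}"

def parse_profile(text, filename, rules):
    """Classify each line; an unmatched line is a hard error, as in the report."""
    parsed = []
    for lineno, line in enumerate(text.splitlines()):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for kind, regex in rules:
            if regex.match(line):
                parsed.append((kind, lineno + 1, line.strip()))
                break
        else:
            raise ProfileSyntaxError(
                "Syntax Error: Unknown line found in file: %s line: %s"
                % (filename, lineno + 1))
    return parsed

def without_mount_support():
    """Return the error message produced when no mount matcher is registered."""
    try:
        parse_profile(SAMPLE, "/tmp/profs/mount", BASE_RULES)
    except ProfileSyntaxError as exc:
        return str(exc)
    return None

def with_mount_support():
    return parse_profile(SAMPLE, "/tmp/profs/mount", BASE_RULES + [MOUNT_RULE])
```
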

Tyler Hicks (tyhicks) on 2014-03-19
Changed in apparmor:
status: Triaged → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2014-03-20
Changed in apparmor:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu3

apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium

  [ Jamie Strandboge ]
  * debian/lib/apparmor/functions: properly calculate number of profiles in
    /var/lib/apparmor/profiles (LP: #1295816)
  * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d
    (LP: #1288241)
    - remove debian/notify/90apparmor-notify
    - add debian/notify/apparmor-notify.desktop
    - debian/apparmor-notify.install: adjust for the above
    - add debian/apparmor-notify.maintscript to remove 90apparmor-notify
  * debian/notify/notify.conf: use_group should be set to "sudo" instead of
    "admin" (LP: #1009666)

  [ Tyler Hicks ]
  * debian/patches/initialize-mount-flags.patch: Initialize the variables
    containing mount rule flags to zero. Otherwise, the parser may set
    unexpected bits in the mount flags field for rules that do not specify
    mount flags. The uninitialized mount flag variables may have caused
    unexpected AppArmor denials during mount mediation. (LP: #1296459)
  * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the
    apparmor/ module that caused the utilities in the apparmor-utils
    package to write out network rules instead of dbus rules
  * debian/patches/limited-mount-rule-support.patch: Fix a bug in the
    apparmor/ module that caused the utilities in the apparmor-utils
    package to traceback when encountering a mount rule (LP: #1294825)
  * debian/patches/bare-capability-rule-support.patch: Fix a bug in the
    apparmor/ module that caused the utilities in the apparmor-utils
    package to traceback when encountering a bare capability rule
    (LP: #1294819)
  * debian/patches/check-config-for-sysctl.patch,
    debian/patches/increase-swap-size.patch: Fix bugs in the regression test
    suite that caused errors when running on ppc64el
  * debian/patches/test-v6-policy.patch,
    debian/patches/test-mount-mediation.patch: Improve the regression tests
    by increasing the mount rule test coverage
 -- Tyler Hicks <email address hidden> Thu, 27 Mar 2014 14:12:29 -0500

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released