aa-complain crashed with apparmor.common.AppArmorException in get_profile_flags(): '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

I suspect that the fact that the profile is named usr.bin.chromium-browser but contains a profile for the /usr/lib/chromium-browser/chromium-browser profile is confusing the tools here.

I'm also experiencing this, but not with the chromium-browser profile. I'm still trying to learn AppArmor, and am trying to create a profile for Spotify. I have attached the profile. I get this output:

$ sudo aa-complain /opt/spotify/spotify-client/spotify
Setting /opt/spotify/spotify-client/spotify to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 178, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 267, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 606, in change_profile_flags
    old_flags = get_profile_flags(filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 603, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/opt.spotify.spotify-client.spotify contains no profile'

As far as I can see the profile's filename and the name of the binary in the profile match.

I wonder if the quotes around the executable name are the cause of this problem?

MattJ, in the meantime, you can replace this line:

"/opt/spotify/spotify-client/spotify" {

with:

"/opt/spotify/spotify-client/spotify" (complain) {

and then re-load the profile with e.g.:

sudo apparmor_parser --replace /etc/apparmor.d/opt.spotify.spotify-client.spotify

Thanks for the report

Aha! I can confirm that removing the quotes indeed did the trick. They were put there by aa-easyprof.

And thanks for the tip about '(complain)' :)

Can you please try with this patch? (Apply it to /usr/lib/python3/dist-packages/apparmor/aa.py)

It should solve the problem, but I gave it only 5 minutes of testing.

Notes and related bugs (with the patch applied):
- aa-complain fails to add the complain flag as long as the quotes exist - while reporting success :-/
- the quotes will be removed when saving the profile (for example with aa-cleanprof)
- we should test the patch with a profile/binary that contains spaces (the quotes must be preserved in that case)
- there are other regexes that handle quotes: RE_PROFILE_ALIAS, RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF - they probably also need to be changed

Here's v2 of the patch that fixes the issue with aa-complain. (It turned out that set_profile_flags() uses its own regex, which needed a similar fix.)

Compared to v1, I also fixed the handling of profile "/foo" - that's the ("??.+?"??) -> "?(.+?)"?? change. Besides the obvious move of the parenthesis, also note the removed questionmark which is an important part of the fix.

The other notes from my previous comment/patch still apply.

The attachment "quick patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Patch commited to brz r2536.

> Notes and related bugs (with the patch applied):
> - aa-complain fails to add the complain flag as long as the quotes exist - while reporting success :-/

Works now.

> - the quotes will be removed when saving the profile (for example with aa-cleanprof)
> - we should test the patch with a profile/binary that contains spaces (the quotes must be preserved in that case)

Tested, works - quotes will be kept (only) if needed.

> - there are other regexes that handle quotes: RE_PROFILE_ALIAS, RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF - they probably also need to be changed

Reported as https://bugs.launchpad.net/apparmor/+bug/1332292 for further handling.

In other words: nothing left for this bugreport, therefore closing as fixed.

Apparmor 2.9.0 has been released; closing.

The fix has not been released for trusty, so that task should be changed back to Triaged.

apparmor is still 2.8.95~2430-0ubuntu5.1 in trusty

This issue still exists on trusty.

$ apt list apparmor
Listing... Done
apparmor/trusty-proposed,now 2.8.95~2430-0ubuntu5.3 amd64 [installed,automatic]

$ sudo aa-autodep /usr/bin/chromium-browser
Profile for /usr/bin/chromium-browser already exists - skipping.
$ sudo aa-genprof /usr/bin/chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 107, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
$ sudo aa-complain /usr/bin/chromium-browser
Setting /usr/bin/chromium-browser to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 164, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 275, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 616, in change_profile_flags
    old_flags = get_profile_flags(filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

The bug has no debdiff to review and isn't SRU compliant (not impact/test case/regression description), doesn't seem it's waiting on sponsoring but needs work first, unsubscribing sponsors, please subscribe them back once there is an update ready for upload

Should be fixed in Trusty now that the new version has been backported.

apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
    - This allows for proper snap confinement on Ubuntu 14.04 when using the
      hardware enablement kernel (LP: #1641243)