Python utils lack support for pivot_root rules

Bug #1298678 reported by Tyler Hicks on 2014-03-27
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Medium
Tyler Hicks
apparmor (Ubuntu)
Medium
Tyler Hicks

Bug Description

aa.py doesn't support pivot_root rules and emits a traceback when encountering them:

$ mkdir /tmp/profs
$ printf "profile pr {\n pivot_root /other,\n }" > /tmp/profs/pr
$ sudo aa-enforce -d /tmp/profs /tmp/profs/pr
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3063, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/pr line: 2'
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 103, in apport_excepthook
    pr.add_proc_info(extraenv=['PYTHONPATH', 'PYTHONHOME'])
  File "/usr/lib/python3/dist-packages/apport/report.py", line 546, in add_proc_info
    ret = self.get_logind_session(pid)
  File "/usr/lib/python3/dist-packages/apport/report.py", line 1593, in get_logind_session
    if len(my_cgroup) < 2:
UnboundLocalError: local variable 'my_cgroup' referenced before assignment

Original exception was:
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3063, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/pr line: 2'

Related branches

Tyler Hicks (tyhicks) on 2014-03-27
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :
Download full text (3.3 KiB)

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5

---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium

  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...

Read more...

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Tyler Hicks (tyhicks) on 2014-04-04
Changed in apparmor:
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor:
status: Triaged → In Progress
Changed in apparmor:
milestone: none → 2.9.0
Christian Boltz (cboltz) wrote :

This bug is fixed (just tested with current bzr) - looks like nobody closed it ;-)

Changed in apparmor:
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers