AppArmor

aa-easyprof shouldn't verify existence of abstraction files during profile generation

Bug #1521031 reported by Tyler Hicks on 2015-11-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Fix Released	Medium	Tyler Hicks

Bug Description

I don't feel like aa-easyprof should be verifying that an abstraction file exists at profile generation time. The reason is that aa-easyprof could be run as part of the package build stage, prior to the package install stage, but the abstractions specified with the --abstractions=ABSTRACTIONS option (or in the manifest JSON) will not be installed until the package install stage.

In other words, the existence of a system-wide abstraction doesn't need to be verified as part of the profile generation. It only needs to exist when the profile is compiled.

Current output:

$ aa-easyprof --no-verify --profile-name=foo --abstractions=DNE
ERROR: '/etc/apparmor.d/abstractions/DNE does not exist'

Desired output:

$ aa-easyprof --no-verify --profile-name=foo --abstractions=DNE
# vim:syntax=apparmor
# AppArmor policy for foo
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###

#include <tunables/global>

# No template variables specified

profile "foo" {
#include <abstractions/base>

# Specified abstractions
#include <abstractions/DNE>

# No policy groups specified

# No read paths specified

# No write paths specified
}

See original description

Related branches

lp:apparmor/2.12

Tyler Hicks (tyhicks) on 2015-11-30

description:

updated

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-03-17:

This also breaks make check if the abstractions are not in /etc/apparmor.d/

Example output sniplet from make check:

ERROR: test_output_directory_multiple (__main__.T)
Test output_directory (multiple)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test-aa-easyprof.py", line 2277, in test_output_directory_multiple
   easyp.output_policy(params, dir=out_dir)
File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 672, in output_policy
   policy = self.gen_policy(**params)
File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 613, in gen_policy
   s += "\n%s%s" % (prefix, self.gen_abstraction_rule(i))
File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 511, in gen_abstraction_rule
   raise AppArmorException("%s does not exist" % p)
AppArmorException: u'/etc/apparmor.d/abstractions/gnome does not exist'

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-02-09:

A new fix for this bug, which is quite a bit different than what I originally envisioned, has been sent to the list: https://lists.ubuntu.com/archives/apparmor/2017-February/010531.html

I think the newly proposed fix is the proper solution.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-02:

Committed as r3638

Changed in apparmor:
status:	In Progress → Fix Committed

Revision history for this message

Christian Boltz (cboltz) wrote on 2018-04-22:

The fix is included in the 2.13 release.

Changed in apparmor:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.