AppArmor

aa-autodep crashes with KeyError: 'abstractions/bash'

Bug #1781660 reported by Yves Trudeau on 2018-07-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

Looks like any bash scripts cause an error like this one:

root@BlogApparmor1:~# aa-autodep /usr/bin/mysqld_safe
Traceback (most recent call last):
  File "/usr/sbin/aa-autodep", line 36, in <module>
    tool.cmd_autodep()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 196, in cmd_autodep
    apparmor.autodep(program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 593, in autodep
    profile_data = create_new_profile(pname)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 444, in create_new_profile
    handle_binfmt(local_profile[localfile], interpreter_path)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 377, in handle_binfmt
    if not is_known_rule(profile, 'file', library_rule):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3384, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'abstractions/bash'

An unexpected error occoured!

Revision history for this message

Yves Trudeau (y-trudeau) wrote on 2018-07-13:

apparmor-bugreport-6a0z5vpw.txt Edit (8.9 KiB, text/plain)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-07-13:

Hello Yves, does the bash abstraction exist on your system?

ls -l /etc/apparmor.d/abstractions/bash

Thanks

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-07-17:

Download full text (10.4 KiB)

I think I've recreated this bug locally:

sarnold@hunt:~/bin$ vim dnsbl
sarnold@hunt:~/bin$ chmod 755
chmod: missing operand after ‘755’
Try 'chmod --help' for more information.
sarnold@hunt:~/bin$ chmod 755 dnsbl
sarnold@hunt:~/bin$ sudo aa-autodep dnsbl
[sudo] password for sarnold:
Traceback (most recent call last):
  File "/usr/sbin/aa-autodep", line 36, in <module>
    tool.cmd_autodep()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 196, in cmd_autodep
    apparmor.autodep(program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 593, in autodep
    profile_data = create_new_profile(pname)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 444, in create_new_profile
    handle_binfmt(local_profile[localfile], interpreter_path)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 377, in handle_binfmt
    if not is_known_rule(profile, 'file', library_rule):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3384, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'abstractions/ruby'

An unexpected error occoured!

For details, see /tmp/apparmor-bugreport-x28ydvz6.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
sarnold@hunt:~/bin$ ls -l /etc/apparmor.d/abstractions/ruby
-rw-r--r-- 1 root root 906 Apr 12 2016 /etc/apparmor.d/abstractions/ruby

sarnold@hunt:~/bin$ sudo cat !$
sudo cat /tmp/apparmor-bugreport-x28ydvz6.txt
KeyError
Python 3.6.5: /usr/bin/python3
Mon Jul 16 17:45:13 2018

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/sbin/aa-autodep in <module>()
   27 parser = argparse.ArgumentParser(description=_('Generate a basic AppArmor profile by guessing requirements'))
   28 parser.add_argument('--force', action='store_true', default=False, help=_('overwrite existing profile'))
   29 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
   30 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
   31 parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
   32 args = parser.parse_args()
   33
   34 tool = apparmor.tools.aa_tools('autodep', args)
   35
   36 tool.cmd_autodep()
tool = <apparmor.tools.aa_tools object>
tool.cmd_autodep = <bound method aa_tools.cmd_autodep of <apparmor.tools.aa_tools object>>

/usr/lib/python3/dist-packages/apparmor/tools.py in cmd_autodep(self=<apparmor.tools.aa_tools object>)
  191 apparmor.check_qualifiers(program)
  192
  193 if os.path.exists(apparmor.get_profile_filename(program)) and not self.force:
  194 aaui.UI_Info(_('Profile for %s already exists - skipping.') % program)
  195 else:
  196 apparmor.autodep(program)
  197 if self.aa_mountpoint:
  198 apparmor.reload(program)
  199
  200 def clean_profile(self, program):
global apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.au...

I think I've recreated this bug locally:

sarnold@hunt:~/bin$ vim dnsbl
sarnold@hunt:~/bin$ chmod 755
chmod: missing operand after ‘755’
Try 'chmod --help' for more information.
sarnold@hunt:~/bin$ chmod 755 dnsbl 
sarnold@hunt:~/bin$ sudo aa-autodep dnsbl
[sudo] password for sarnold: 
Traceback (most recent call last):
  File "/usr/sbin/aa-autodep", line 36, in <module>
    tool.cmd_autodep()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 196, in cmd_autodep
    apparmor.autodep(program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 593, in autodep
    profile_data = create_new_profile(pname)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 444, in create_new_profile
    handle_binfmt(local_profile[localfile], interpreter_path)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 377, in handle_binfmt
    if not is_known_rule(profile, 'file', library_rule):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3384, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'abstractions/ruby'

An unexpected error occoured!

sarnold@hunt:~/bin$ sudo cat !$
sudo cat /tmp/apparmor-bugreport-x28ydvz6.txt
KeyError
Python 3.6.5: /usr/bin/python3
Mon Jul 16 17:45:13 2018

A problem occurred in a Python script.  Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/sbin/aa-autodep in <module>()
   27 parser = argparse.ArgumentParser(description=_('Generate a basic AppArmor profile by guessing requirements'))
   28 parser.add_argument('--force', action='store_true', default=False, help=_('overwrite existing profile'))
   29 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
   30 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
   31 parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
   32 args = parser.parse_args()
   33 
   34 tool = apparmor.tools.aa_tools('autodep', args)
   35 
   36 tool.cmd_autodep()
tool = <apparmor.tools.aa_tools object>
tool.cmd_autodep = <bound method aa_tools.cmd_autodep of <apparmor.tools.aa_tools object>>

/usr/lib/python3/dist-packages/apparmor/tools.py in cmd_autodep(self=<apparmor.tools.aa_tools object>)
  191             apparmor.check_qualifiers(program)
  192 
  193             if os.path.exists(apparmor.get_profile_filename(program)) and not self.force:
  194                 aaui.UI_Info(_('Profile for %s already exists - skipping.') % program)
  195             else:
  196                 apparmor.autodep(program)
  197                 if self.aa_mountpoint:
  198                     apparmor.reload(program)
  199 
  200     def clean_profile(self, program):
global apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.autodep = <function autodep>
program = '/home/sarnold/bin/dnsbl'

/usr/lib/python3/dist-packages/apparmor/aa.py in autodep(bin_name='/home/sarnold/bin/dnsbl', pname='/home/sarnold/bin/dnsbl')
  588     pname = bin_full
  589     read_inactive_profiles()
  590     profile_data = get_profile(pname)
  591     # Create a new profile if no existing profile
  592     if not profile_data:
  593         profile_data = create_new_profile(pname)
  594     file = get_profile_filename(pname)
  595     profile_data[pname][pname]['filename'] = None  # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
  596     attach_profile_data(aa, profile_data)
  597     attach_profile_data(original_aa, profile_data)
profile_data = None
global create_new_profile = <function create_new_profile>
pname = '/home/sarnold/bin/dnsbl'

/usr/lib/python3/dist-packages/apparmor/aa.py in create_new_profile(localfile='/home/sarnold/bin/dnsbl', is_stub=False)
  439             local_profile[localfile]['file'].add(FileRule(interpreter_path, None, 'ix', FileRule.ALL, owner=False))
  440 
  441             if abstraction:
  442                 local_profile[localfile]['include'][abstraction] = True
  443 
  444             handle_binfmt(local_profile[localfile], interpreter_path)
  445         else:
  446             local_profile[localfile]['file'].add(FileRule(localfile,        'mr', None, FileRule.ALL, owner=False))
  447 
  448             handle_binfmt(local_profile[localfile], localfile)
global handle_binfmt = <function handle_binfmt>
local_profile = defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f485d8f8b38>})
localfile = '/home/sarnold/bin/dnsbl'
interpreter_path = '/usr/bin/ruby2.5'

/usr/lib/python3/dist-packages/apparmor/aa.py in handle_binfmt(profile=<apparmor.profile_storage.ProfileStorage object>, path='/usr/bin/ruby2.5')
  372                 reqs += get_reqs(library)
  373             reqs_processed[library] = True
  374 
  375         library_rule = FileRule(library, 'mr', None, FileRule.ALL, owner=False, log_event=True)
  376 
  377         if not is_known_rule(profile, 'file', library_rule):
  378             globbed_library = glob_common(library)
  379             if globbed_library:
  380                 # glob_common returns a list, just use the first element (typically '/lib/libfoo.so.*')
  381                 library_rule = FileRule(globbed_library[0], 'mr', None, FileRule.ALL, owner=False)
global is_known_rule = <function is_known_rule>
profile = <apparmor.profile_storage.ProfileStorage object>
library_rule = <FileRule> /lib/x86_64-linux-gnu/ld-2.27.so mr,

/usr/lib/python3/dist-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='file', rule_obj=<FileRule> /lib/x86_64-linux-gnu/ld-2.27.so mr,)
 3379         checked.append(incname)
 3380 
 3381         if os.path.isdir(get_include_path(incname)):
 3382             includelist += include_dir_filelist(profile_dir, incname)
 3383         else:
 3384             if include[incname][incname].get(rule_type, False):
 3385                 if include[incname][incname][rule_type].is_covered(rule_obj, False):
 3386                     return True
 3387 
 3388             for childinc in include[incname][incname]['include'].keys():
global include = {'abstractions/X': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859b09e48>}), 'abstractions/audio': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859b70160>}), 'abstractions/authentication': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f48598248d0>}), 'abstractions/base': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859bafe80>}), 'abstractions/bash': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859ba94e0>}), 'abstractions/consoles': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859a0b828>}), 'abstractions/cups-client': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859b63fd0>}), 'abstractions/dbus': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859ba9128>}), 'abstractions/dbus-accessibility': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859b75518>}), 'abstractions/dbus-accessibility-strict': defaultdict(<function hasher at 0x7f485b25ac80>,...torage.ProfileStorage object at 0x7f4859b75748>}), ...}
incname = 'abstractions/ruby'
].get undefined
rule_type = 'file'
KeyError: 'abstractions/ruby'
    __cause__ = None
    __class__ = <class 'KeyError'>
    __context__ = None
    __delattr__ = <method-wrapper '__delattr__' of KeyError object>
    __dict__ = {}
    __dir__ = <built-in method __dir__ of KeyError object>
    __doc__ = 'Mapping key not found.'
    __eq__ = <method-wrapper '__eq__' of KeyError object>
    __format__ = <built-in method __format__ of KeyError object>
    __ge__ = <method-wrapper '__ge__' of KeyError object>
    __getattribute__ = <method-wrapper '__getattribute__' of KeyError object>
    __gt__ = <method-wrapper '__gt__' of KeyError object>
    __hash__ = <method-wrapper '__hash__' of KeyError object>
    __init__ = <method-wrapper '__init__' of KeyError object>
    __init_subclass__ = <built-in method __init_subclass__ of type object>
    __le__ = <method-wrapper '__le__' of KeyError object>
    __lt__ = <method-wrapper '__lt__' of KeyError object>
    __ne__ = <method-wrapper '__ne__' of KeyError object>
    __new__ = <built-in method __new__ of type object>
    __reduce__ = <built-in method __reduce__ of KeyError object>
    __reduce_ex__ = <built-in method __reduce_ex__ of KeyError object>
    __repr__ = <method-wrapper '__repr__' of KeyError object>
    __setattr__ = <method-wrapper '__setattr__' of KeyError object>
    __setstate__ = <built-in method __setstate__ of KeyError object>
    __sizeof__ = <built-in method __sizeof__ of KeyError object>
    __str__ = <method-wrapper '__str__' of KeyError object>
    __subclasshook__ = <built-in method __subclasshook__ of type object>
    __suppress_context__ = False
    __traceback__ = <traceback object>
    args = ('abstractions/ruby',)
    with_traceback = <built-in method with_traceback of KeyError object>

The above is a description of an error in a Python program.  Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/sbin/aa-autodep", line 36, in <module>
    tool.cmd_autodep()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 196, in cmd_autodep
    apparmor.autodep(program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 593, in autodep
    profile_data = create_new_profile(pname)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 444, in create_new_profile
    handle_binfmt(local_profile[localfile], interpreter_path)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 377, in handle_binfmt
    if not is_known_rule(profile, 'file', library_rule):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3384, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'abstractions/ruby'

Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.

Thanks

Revision history for this message

Christian Boltz (cboltz) wrote on 2018-07-17:

Unfortunately I can't reproduce this bug (tested with latest git), at least with the simple test script (just a #!/usr/bin/ruby header) I used.

@Yves and Seth: Which version of the AppArmor utils version do you use? Is there a special trick to reproduce the error?

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-07-17: Re: [Bug 1781660] Re: aa-autodep crashes with KeyError: 'abstractions/bash'

On Tue, Jul 17, 2018 at 11:30:55AM -0000, Christian Boltz wrote:
> @Yves and Seth: Which version of the AppArmor utils version do you use?
> Is there a special trick to reproduce the error?

2.12-4ubuntu5 here; no trick to reproducing, it was rather unexpected. :)

Thanks

Revision history for this message

Yves Trudeau (y-trudeau) wrote on 2018-07-18:

Le Fri, 13 Jul 2018 23:01:50 +0000,
Seth Arnold <email address hidden> a écrit :

> Hello Yves, does the bash abstraction exist on your system?
>
> ls -l /etc/apparmor.d/abstractions/bash
>
> Thanks
>

Hi Seth,

Apparently:

root@BlogApparmor1:~# ls -l /etc/apparmor.d/abstractions/bash
-rw-r--r-- 1 root root 1512 Apr 17
20:15 /etc/apparmor.d/abstractions/bash

--Yves

Revision history for this message

Yves Trudeau (y-trudeau) wrote on 2018-07-24:

Apparently, the aa.py script is not loading all the profiles in /etc/apparmor.d. I added this file and the script now works:

root@BlogApparmor1:/etc/apparmor.d# cat scripts

#include <abstractions>
root@BlogApparmor1:/etc/apparmor.d#
root@BlogApparmor1:/etc/apparmor.d# aa-autodep /usr/bin/mysqld_safe
Writing updated profile for /usr/bin/mysqld_safe.
root@BlogApparmor1:/etc/apparmor.d#

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

apparmor-bugreport-6a0z5vpw.txt Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.