apparmor.common.AppArmorBug: exec permissions requested for foobar, but mode is {'x'} instead of exec. This should not happen - please open a bugreport!

Do you still have the audit.log that triggers this? If yes, can you please attach it? (If you don't want to attach the full log, the relevant lines for "...//proc-macro2-0d62d90a89317e13/build-script-build" might be enough, but in this case please test if they are enough to reproduce this bug using "aa-logprof -f the_shortened_audit.log")

Looking at the code, I'm quite sure that typ == 'path' because that's the only way how you could reach this code section, but I'm surprised that you get an exec event for 'path'.

As a sidenote: This part of the code was completely rewritten in latest master, so this bug likely "only" affects the 2.11, 2.12 and 2.13 branches - or at least affects master in a different way ;-)

Can you please also include your kernel version (uname -a), distro release/version and apparmor version (apparmor_parser -V)

Linux l29ah-x201 5.1.18+ #126 SMP PREEMPT Tue Jul 30 05:42:38 MSK 2019 x86_64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz GenuineIntel GNU/Linux
Gentoo
AppArmor parser version 2.13.3

operation="link" [...] requested_mask="x" denied_mask="x" [...] is indeed unexpected - I've never seen an exec event for "link" before.

For the records: this also causes an exception in master, but with a slightly more useful error message (including the log line that causes the exception).

John, does this qualify as a kernel bug, or should I adjust the tools to accept this as a valid exec event?

aa-logprof moves "link …" rules up and apparmor is unhappy with them occuring before the execute rules so i can't even continue using aa-logprof after adjusting the profile manually.