aa-logprof error after starting

Bug #1850013 reported by Rajinder Yadav on 2019-10-27
Affects: AppArmor
Importance: Undecided
Assigned to: Unassigned

Bug Description

This is failing:

$ sudo aa-logprof

Also, now I keep getting error messages (alerts) popping up and they won't stop?

Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 56, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1819, in do_logprof_pass
    log_dict = collapse_log()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2011, in collapse_log
    if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3371, in is_known_rule
    if profile[rule_type].is_covered(rule_obj, False):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 418, in is_covered
    if r.is_covered(rule, check_allow_deny, check_audit):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 158, in is_covered
    return self.is_covered_localvars(other_rule)
  File "/usr/lib/python3/dist-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
    if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
    return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
    if not self_value.match(other_value):
  File "/usr/lib/python3/dist-packages/apparmor/aare.py", line 75, in match
    self._regex_compiled = re.compile(convert_regexp(self.regex))
  File "/usr/lib/python3.6/re.py", line 233, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.6/re.py", line 301, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.6/sre_compile.py", line 562, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.6/sre_parse.py", line 869, in parse
    raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 59

An unexpected error occoured!

Rajinder Yadav (rajinder-yadav) wrote :

I followed the steps here; they worked initially, but when I ran the command above I got those errors.

https://tutorials.ubuntu.com/tutorial/beginning-apparmor-profile-development#0

I am using Ubuntu 18.04

Christian Boltz (cboltz) wrote :

Which AppArmor version do you use?

The error message should have included a hint about a /tmp/apparmor-bugreport-<random>.txt file - can you attach this file, please?

tags: added: aa-tools
Rajinder Yadav (rajinder-yadav) wrote :

I just looked through those files; they are all empty.

I disabled that apparmor profile, like this

sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

If you can tell me how to re-enable this profile correctly, I'll try to see if the error still exists and get you those log files, hopefully with something inside.

Rajinder Yadav (rajinder-yadav) wrote :

I just noticed those files were saved as root:

error
Python 3.6.8: /usr/bin/python3
Sat Oct 26 23:08:04 2019

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

 /usr/sbin/aa-logprof in <module>()
   48
   49 if profiledir:
   50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
   51 if not os.path.isdir(apparmor.profile_dir):
   52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
   53
   54 apparmor.loadincludes()
   55
   56 apparmor.do_logprof_pass(logmark)
   57
apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''

 /usr/lib/python3/dist-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={2701: [[2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', 
'/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING'...

Rajinder Yadav (rajinder-yadav) wrote :

Trying to attach again!

Rajinder Yadav (rajinder-yadav) wrote :

2nd attachment

Rajinder Yadav (rajinder-yadav) wrote :

3rd attachment

Rajinder Yadav (rajinder-yadav) wrote :

final attachment

Christian Boltz (cboltz) wrote :

Thanks, the logs are helpful :-)

The problem is probably best described with this line from the log:

ptrace_event = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

which means something tries to trace firefox, and the firefox profile name explodes when trying to convert it to a regex (needed to check if an additional rule is necessary or if it's already covered by the existing rules).

I have a feeling (confirmed by a quick test with a made-up log line) that this is already fixed in the latest upstream code, but to be really sure, I'll need the original log line.

Can you please run the following and attach the result?

    grep firefox /var/log/syslog | grep trace

(I hope I got the logfile name right because I use openSUSE, not Ubuntu ;-) If you have auditd running, please also check /var/log/audit/audit.log. Also, aa-logprof will display the used logfile on startup.)

You should see something like

type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"

To answer your question from comment #3:
> I disabled that apparmor profile, like this
>
> sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
> sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

That was mostly correct, except that you should run apparmor_parser -R first (when the disable symlink exists, apparmor_parser might skip unloading the profile).

You could also simply use aa-disable /etc/apparmor.d/usr.bin.certspotter
which unloads the profile and creates the disable symlink.

> If you can tell me how to re-enable this profile correctly, I try to see if the error
> still exists? and get you those log file hopefully with something inside.

Use one of these:

aa-enforce /etc/apparmor.d/usr.bin.certspotter # enable profile in enforce mode

aa-complain /etc/apparmor.d/usr.bin.certspotter # enable profile in complain mode

Both will delete the disable symlink and load the profile into the kernel.
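The check Christian describes above (turn the rule's peer pattern into a regex, then ask whether the peer seen in the log is already covered) as an added, self-contained example. This is my own illustration, not apparmor's aa.py/aare.py code: the glob-to-regex converter, the simplified ptrace rule model (`(access, peer)` tuples, `'*'` for any access), the AVC field parser and the `FIREFOX`/`SAMPLE_LOG` inputs are all constructed here; the sample line is the one quoted in the comment, with its placeholder `profile="/what/ever"`. The point it makes is the one in the traceback: the logged peer is a profile name and therefore a literal string even when it looks like a glob, so only the rule side is ever compiled, the logged side is compared literally or matched as plain text, and a malformed rule pattern is rejected with a clear error before `re.compile` can fail with "unbalanced parenthesis".

```python
import re

# Glob characters in an AppArmor path expression (AARE).
AARE_META = '*?[]{}\\'


def aare_to_regex(pattern: str) -> str:
    """Translate an AppArmor glob into an anchored Python regex.

    Handles '*' (no '/'), '**' (anything), '?' (one non-'/' char),
    '{a,b}' alternation, '[...]' / '[^...]' classes and backslash escapes.
    Raises ValueError on unbalanced braces instead of letting re.compile
    blow up later with "unbalanced parenthesis".
    """
    out, depth, i, n = [], 0, 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':                      # escaped char is literal
            if i + 1 >= n:
                raise ValueError('trailing backslash in %r' % pattern)
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == '}':
            if depth == 0:
                raise ValueError('unbalanced } in %r' % pattern)
            depth -= 1
            out.append(')')
        elif c == ',' and depth > 0:
            out.append('|')
        elif c == '[':                     # copy a character class through
            start = i + 2 if pattern.startswith('[^', i) else i + 1
            j = pattern.find(']', start)
            if j < 0:
                raise ValueError('unterminated [ in %r' % pattern)
            out.append('[' + pattern[i + 1:j].replace('\\', '\\\\') + ']')
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError('unbalanced { in %r' % pattern)
    return '^' + ''.join(out) + '$'


def is_valid_aare(pattern: str) -> bool:
    """Validate a rule pattern up front (cheap check before compiling)."""
    try:
        re.compile(aare_to_regex(pattern))
        return True
    except (ValueError, re.error):
        return False


def aare_match(pattern: str, path: str) -> bool:
    return re.match(aare_to_regex(pattern), path) is not None


def escape_literal(name: str) -> str:
    """Backslash-escape glob chars so a profile name that looks like a glob
    (firefox{,*[^s][^h]}) is matched literally; gives the form the
    PtraceRule in the bug report printed."""
    return ''.join('\\' + c if c in AARE_META else c for c in name)


def peer_is_covered(rule_peer: str, logged_peer: str) -> bool:
    """Does a rule's peer= pattern cover the peer named in a log event?
    Literal equality first; only the rule side is glob-compiled."""
    if rule_peer == logged_peer:
        return True
    try:
        rx = re.compile(aare_to_regex(rule_peer))
    except (ValueError, re.error) as exc:
        raise ValueError('bad peer pattern %r: %s' % (rule_peer, exc)) from exc
    return rx.match(logged_peer) is not None


AVC_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> dict:
    """Split an AppArmor audit/syslog record into key=value fields; quoted
    values (which may contain glob characters) are kept verbatim."""
    return {k: (q if q else b) for k, q, b in AVC_FIELD.findall(line)}


def ptrace_event_covered(rules, event: dict) -> bool:
    """rules: list of (access, peer_pattern); access '*' means any access."""
    if event.get('operation') != 'ptrace':
        return False
    want = event.get('requested_mask', '')
    return any((acc == '*' or acc == want) and peer_is_covered(peer, event['peer'])
               for acc, peer in rules)


# Constructed inputs: the log line quoted in the thread and the firefox profile name.
FIREFOX = '/usr/lib/firefox/firefox{,*[^s][^h]}'
SAMPLE_LOG = ('type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" '
              'operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" '
              'requested_mask="trace" denied_mask="trace" peer="%s"' % FIREFOX)

if __name__ == '__main__':
    ev = parse_avc(SAMPLE_LOG)
    print('peer from log:', ev['peer'])
    print('escaped form:', escape_literal(ev['peer']))
    print('covered by "ptrace trace peer=<firefox profile>":',
          ptrace_event_covered([('trace', FIREFOX)], ev))
```

Run it as a script to see the parsed peer, its escaped rendering (the `firefox\{,\*\[^s\]\[^h\]\}` form from the report) and the coverage result. `is_valid_aare` is the check worth running over every rule in a profile before a logprof pass: it catches an unbalanced `{` in a rule as a profile error rather than a traceback.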

Rajinder Yadav (rajinder-yadav) wrote :

Glad the logs were helpful!

The log path you gave me is correct, but there is no ptrace message there. However, when those popup alerts were going off, I noticed AppArmor was preventing firefox from writing to the log file.

There is no auditd log so I don't think I have it running.

Thanks for those helpful tips on using aa :-D. I will wait for the updates. I believe I just needed an aa profile so I could install and use KVM.

Christian Boltz (cboltz) wrote :

If you don't have an audit.log, check your normal syslog - AFAIK you'll find it as /var/log/syslog
Seeing the log messages would be helpful to confirm that this bug is really fixed in the latest upstream code, and might also help to convince the Ubuntu maintainers to release an update (these updates are not my job, therefore no promises on this ;-)
