AppArmor

aa-genprof fails to create profile for shell script with encrypted home directory - overlong path causes cut-off log line

Bug #1982689 reported by Conrad Röber
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned

Bug Description

To reproduce:

Start aa-genprof in a terminal window and wait for prompt

Start shell script in another window. When finished:

Enter 's' in aa-genprof terminal window

Result:

Fehler beim Erzeugen eine Profils für rsbackup:

Protokolleinträge von /var/log/syslog werden gelesen.
AppArmor-Profile in /etc/apparmor.d werden aktualisiert.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 383, in read_log
    self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 197, in add_event_to_tree
    e = self.parse_event_for_tree(e)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in parse_event_for_tree
    elif self.op_type(e) == 'file':
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 441, in op_type
    raise AppArmorException('unknown file or network event type')
apparmor.common.AppArmorException: 'unknown file or network event type'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 163, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1820, in do_logprof_pass
    log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 388, in read_log
    raise AppArmorBug(ex_msg) # py3-only: from None
apparmor.common.AppArmorBug: unknown file or network event type

This error was caused by the log line:
Jul 24 11:50:07 klapp kernel: [153217.735729] audit: type=1400 audit(1658656207.371:557888): apparmor="ALLOWED" operation="open" profile="/home/cro/bin/rsbackup.sh//null-/usr/bin/rsync" name="/home/.ecryptfs/cro/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhpvrpUrDrT4NqtM23hbJiFk--/ECRYPTFS_FNEK_ENCRYPTED.FZZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhfGNwIA0v31JetW4PXJce5-mLjmeuGRIJwEuiqngbMfxjApXibSKpyGgG0BXyFsyhmZ9WhqZyi9YkfHQshF7IgE--/ECRYPTFS_FNEK_ENCRYPTED.FWZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhwrR-8AcC3o6-e..5-3wa5E--/ECRYPTFS_FNEK_ENCRYPTED.FYZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhbLUw31OijCKi3Ng0MOSVjB0yNc25QGHiCwGYziUnonxcPOnuMkRQtSkLWqWfM-Et/ECRYPTFS_FNEK_ENCRYPTED.FWZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQh0NF6n32wEObbEawvNjFjdk--/ECRYPTFS_FNEK_ENCRYPTED.FWZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhYtVBzBMKbzs2t8bMaUvUjE--/ECRYPTFS_FNEK_ENCRYPTED.FWZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhFiEWQUe8b7sXpFQCp0ZnN---/ECRYPTFS_FNEK_ENCRYPTED.FXZKI-ZqPvordUQaXNv30QLuAIJ1w0U3lKQhw2zRxEDIgCqzb2TCLNpPC-.b4RZS-5CW-G1Ot9rY.gM-" pid=21062

An unexpected error occoured!

For details, see /tmp/user/0/apparmor-bugreport-1y1aj8xr.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.

Revision history for this message
Conrad Röber (croeber) wrote :
Revision history for this message
Christian Boltz (cboltz) wrote :

op_type() checks if a log event has the attributes family, protocol and sock_type (which makes it a network event) or denied_mask (which makes it a file event).

However, your log line doesn't have any of that (since it's obviously a file event, I'd expect a "denied_mask"), therefore none of these conditions match - and the code errors out.

It looks like your syslog daemon did cut off the log line at about 1000 chars, and the path is too long and causes things like denied_mask to be cut off.

As a workaround, I'd recommend to install and use auditd - AFAIK it doesn't cut off the log lines.

Or edit /usr/...../apparmor/logparser.py and, in the op_type() function, change raising the exception to "return 'unknown'" (like it does for operation keywords not handled in this function).

summary: aa-genprof fails to create profile for shell script with encrypted home
- directory
+ directory - overlong path causes cut-off log line
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.