Python utils lack support for path rules using the file keyword

Bug #1295346 reported by Tyler Hicks
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  Medium      Tyler Hicks
apparmor (Ubuntu)  Fix Released  Medium      Tyler Hicks
  Trusty           Fix Released  Undecided   Unassigned
  Utopic           Fix Released  Medium      Tyler Hicks

Bug Description

aa.py doesn't support "file," rules and emits a traceback when encountering them:

$ mkdir /tmp/profs
$ printf "profile file {\n file,\n}" > /tmp/profs/file
$ sudo aa-enforce -d /tmp/profs /tmp/profs/file
Traceback (most recent call last):
  File "./aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/var/scm/apparmor/utils/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/var/scm/apparmor/utils/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/var/scm/apparmor/utils/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/var/scm/apparmor/utils/apparmor/aa.py", line 3063, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/file line: 2'
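To make the failure mode concrete, here is an added example (not aa.py's own code) that models the line classification in a simplified form: a pre-fix matcher that only recognises rules beginning with a path, beside a fixed matcher that also accepts the optional `file` keyword and the bare `file,` rule. The regexes, the `[owner] [file] /path perms,` shape and the helper names are my own assumptions, not the real parser's.

```python
import re

# Added example, not aa.py's own code: a simplified path-rule classifier that
# contrasts the pre-fix behaviour (a path rule must begin with a path) with the
# fixed behaviour (an optional leading "file" keyword, including the bare
# "file," rule). Only "[owner] [file] /path perms," is modelled (assumption).

PATH = r'(?P<path>/\S+|@\{\S+\}\S*)'          # /absolute/path or @{VARIABLE}...
PERMS = r'(?P<perms>[a-zA-Z]+)'                # e.g. r, rw, rix, Px (not validated)

# Pre-fix shape: optional "owner", then a path, then permissions.
RE_OLD = re.compile(r'^\s*(?:(?P<owner>owner)\s+)?' + PATH + r'\s+' + PERMS
                    + r'\s*,\s*(?:#.*)?$')
# Fixed shape: optional "owner", optional "file" keyword, optional path+perms.
RE_NEW = re.compile(r'^\s*(?:(?P<owner>owner)\s+)?(?:(?P<file>file)\b\s*)?'
                    r'(?:' + PATH + r'\s+' + PERMS + r'\s*)?,\s*(?:#.*)?$')


def parse_path_rule(line, accept_file_keyword):
    """Return the parsed rule as a dict, or None if the line is not a path rule."""
    m = (RE_NEW if accept_file_keyword else RE_OLD).match(line)
    if m is None:
        return None
    if accept_file_keyword and not (m.group('file') or m.group('path')):
        return None  # a lone "," is not a rule
    return {'owner': bool(m.group('owner')),
            'path': m.group('path'),    # None for the bare "file," rule
            'perms': m.group('perms')}  # None for the bare "file," rule


HEADER = re.compile(r'^(?:profile\s+)?\S+\s*(?:flags=\([^)]*\)\s*)?\{$')


def unknown_lines(profile_text, accept_file_keyword):
    """Mimic the classification loop in parse_profile_data: return the 1-based
    numbers of lines matching no known construct (where the real parser raises)."""
    unknown = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line == '}' or HEADER.match(line):
            continue  # blank, comment, closing brace or profile header
        if parse_path_rule(line, accept_file_keyword) is None:
            unknown.append(lineno)
    return unknown


# The profile from the bug report, constructed inline: a profile named "file"
# whose only rule is the bare "file," rule. Before the fix, line 2 is unknown
# (matching the traceback above); after the fix it parses cleanly.
REPORTED_PROFILE = "profile file {\n file,\n}"
```

Note that the profile header `profile file {` must be recognised before rule matching, otherwise a profile that happens to be named `file` would be misread as a rule.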

Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
MattJ (mwild1) wrote :

This is affecting me, as aa-enable keeps bailing out on abstractions installed by the lxc package:

$ sudo aa-enforce /usr/lib/chromium-browser/chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2914, in parse_profile_data
    load_include(include_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4170, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3031, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: abstractions/lxc/start-container line: 2'

Tyler Hicks (tyhicks)
Changed in apparmor:
status: Triaged → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks)
summary: - Python utils lack support for bare file rules
+ Python utils lack support for path rules using the file keyword
Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5

---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium

  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Christian Boltz (cboltz) wrote :

This fix was also committed to bzr r2448 / r2492.

Changed in apparmor:
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Trusty):
status: New → Fix Released
Steve Beattie (sbeattie)
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released