aa-logprof: Log contains unknown mode senw

Bug #1243932 reported by Julian Taylor on 2013-10-23
60
This bug affects 13 people
Affects Status Importance Assigned to Milestone
AppArmor
Medium
Tyler Hicks
apparmor (Ubuntu)
Medium
Tyler Hicks

Bug Description

[Impact]

* aa-logprof does not work when dbus rule denials are present in the logs

[Automated Test Case]

* test_lp1243932_send, test_lp1243932_receive, and test_lp1243932_bind have been added to QRT's test-apparmor.py test script

[Manual Test Case]

* Load a profile that does not grant D-Bus access and create a D-Bus denial. Then,
  test aa-logprof.

  $ echo "profile lp1243932 { file, }" | sudo apparmor_parser -rq
  $ aa-exec -p lp1243932 -- dbus-send --print-reply --system \
  --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  Failed to open connection to "system" message bus: An AppArmor policy prevents this
  sender from sending this message to this recipient, 0 matched rules;
  type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus"
  member="Hello" error name="(unset)" requested_reply="0"
  destination="org.freedesktop.DBus" (bus)
  $ aa-logprof -f /dev/null
  Reading log entries from /dev/null.
  Updating AppArmor profiles in /etc/apparmor.d.

An unpatched aa-logprof will print similar output followed by:

  Log contains unknown mode senw.

[Regression Potential]

* The regression potential is low since aa-logprof currently refuses to work when D-Bus
  denials are present. The fix is minimal and has been reviewed by upstream.

[Original Bug Report]

since saucy aa-logprof does not work anymore:

$ aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Log contains unknown mode senw.

the issues seem to be caused by dbus send denies:

Oct 23 19:52:56 ubuntu dbus[2594]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=3552 profile="/usr/bin/smuxi-frontend-gnome" peer_profile="unconfined"

23:16 <tyhicks> my guess is the denial of a dbus send
23:16 <tyhicks> senw is awful close to send
23:17 <tyhicks> parse_event() in AppArmor.pm does this:
23:18 <tyhicks> $rmask =~ s/d/w/g;
23:18 <tyhicks> followed by:
23:18 <tyhicks> fatal_error(sprintf(gettext('Log contains unknown mode %s.'), $rmask));

ubuntu 13.10 amd64.

apparmor-utils:
  Installed: 2.8.0-0ubuntu31
  Candidate: 2.8.0-0ubuntu31
  Version table:
 *** 2.8.0-0ubuntu31 0
        500 http://de.archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages

Tyler Hicks (tyhicks) on 2013-10-23
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

Saucy patch 0063-utils-ignore-unsupported-rules.patch was written to ignore policy rules unknown to AppArmor.pm. What's missing is the corresponding patch to ignore unknown denials.

This isn't specific to dbus rules. See the patch mentioned above for the policy rule types that are unsupported by AppArmor.pm.

mist (danielmahaffy) wrote :

After using sed to remove all lines containing "send" from /var/log/syslog, the error changed to "Log contains unknown mode reweive."

mist (danielmahaffy) wrote :

Additionally, after removing all lines containing "recieve" from /var/log/syslog, the command ran without printing errors.

Tyler Hicks (tyhicks) on 2013-10-24
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2013-10-26
Changed in apparmor:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2013-10-30
description: updated
Tyler Hicks (tyhicks) on 2013-11-05
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu34

---------------
apparmor (2.8.0-0ubuntu34) trusty; urgency=low

  [ Tyler Hicks ]
  * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not
    include D-Bus rules in the binary policy that it loads into the kernel if
    the kernel does not support D-Bus rules (LP: #1231778)
  * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore
    audit events that it does not yet support instead of treating them as
    errors (LP: #1243932)
  * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor
    detection in regression tests after the multiarch changes

  [ Jamie Strandboge ]
  * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3

  [ Chad Miller ]
  * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser
    sandbox name. Keep old name for now to allow transition. LP: #1247269
 -- Tyler Hicks <email address hidden> Mon, 04 Nov 2013 15:57:30 -0800

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released

Hello Julian, or anyone else affected,

Accepted apparmor into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.8.0-0ubuntu31.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Tyler Hicks (tyhicks) wrote :

I've verified that the 3 tests added to QRT's test-apparmor.py succeed using the 2.8.0-0ubuntu31.1 package from -proposed.

tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Christian Boltz (cboltz) wrote :

Two questions:
- was the fix commited to the 2.8 branch?
- does this bug also exist in the python utils?

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released

I have the 2.9 package but this bug still seems to affect me:

ii apparmor-utils 2.9.2~2880-0ubun amd64 Utilities for controlling AppArmor

# aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python2.7/dist-packages/apparmor/aa.py", line 2279, in do_logprof_pass
    log = log_reader.read_log(logmark)
  File "/usr/lib/python2.7/dist-packages/apparmor/logparser.py", line 349, in read_log
    event = self.parse_log_record(line)
  File "/usr/lib/python2.7/dist-packages/apparmor/logparser.py", line 88, in parse_log_record
    record_event = self.parse_event(record)
  File "/usr/lib/python2.7/dist-packages/apparmor/logparser.py", line 128, in parse_event
    raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode senw'

Christian Boltz (cboltz) wrote :

See also bug 1426651 (for 'trace', but the fix will cover both)

Changed in apparmor:
status: Fix Released → Confirmed
Christian Boltz (cboltz) wrote :

BTW: After checking the bzr log, I'm slightly surprised why this bug was closed as fixed - there's no commit (in trunk or 2.9) logparser.py that relates to this bug :-/

Christian Boltz (cboltz) wrote :

Patch sent to the mailinglist for review. However, I'm afraid you can't "just apply it" for testing because it is based on a whole patch series that is not in bzr yet.

Steve Beattie (sbeattie) on 2015-04-06
Changed in apparmor:
milestone: 2.9.0 → 2.9.2

The fix I implemented in my system was to add the following check to /usr/lib/python2.7/dist-packages/apparmor/logparser.py, in lines 124:

if rmask and rmask not in [ 'send', 'receive', 'send receive' ]:

Originally it was:

if rmask:

The same in line 130 for dmask. This file comes from python-apparmor package 2.9.2~2886-0ubuntu0.14.04.41 installed from the PPA.

Christian Boltz (cboltz) wrote :

Fix commited to bzr trunk and 2.9 branch.

Changed in apparmor:
status: Confirmed → Fix Committed
Steve Beattie (sbeattie) on 2015-04-24
Changed in apparmor:
status: Fix Committed → Fix Released
agent 8131 (agent-8131) wrote :

I hit this bug after installing auditd to work around bug Bug #1399027. Only in addition to the changes above I had to use:

line 123:
if rmask and rmask not in [ 'send', 'receive', 'send receive', 'send receive connect','create' ]:

line 129:
if dmask and dmask not in [ 'send connect', ]:

Hopefully a better fix is in the newer branch and will be released to Ubuntu 15.04 in a timely manner.

Steve Beattie (sbeattie) wrote :

agent 8131, apparmor 2.9.2-0ubuntu1 just landed in wily and contains a fix for this that attempts to only apply the transformation for file based events, specifically in http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.9/revision/2905 , so you should no longer see this in wily.

Also, this version (2.9.2) of the python tools has been backported to trusty for an SRU. Please leave feedback on bug 1449769 if you are using trusty as to whether the proposed packages improves the usability of the tools in that release and if you discover significant regressions from it.

Both 2.9.2 and the trusty SRU should also address the issue in Bug #1399027. Again, feedback in that bug on the trusty SRU would be greatly appreciated.

Thanks for your patience!

Rune Philosof (olberd) wrote :

It would be nice if patches that are backported to trusty are also backported to 15.04. I upgraded to 15.04 to enjoy newer features.
I was expecting to only see new bugs related to those newer features that I chose to upgrade to, not expecting patches that made it to 14.04 didn't make it to 15.04.
Like this one and Bug #1399027.

Since 15.10 is expected near the end of the month I am not really expecting this to get into 15.04 now.
In the future it would be nice if SRU meant fixing both the LTS and the current stable Ubuntu release.

tags: added: saucy trusty vivid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers