aa-genprof traceback with apparmor 2.8.95

Bug #1294797 reported by Jamie Strandboge on 2014-03-19
44
This bug affects 10 people
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Unassigned
apparmor (Ubuntu)
Medium
Unassigned
Trusty
Medium
Marc Deslauriers

Bug Description

[impact]

This bug makes it difficult for trusty users to use the apparmor policy utilities.

[steps to reproduce]

See below

[regression potential]

This issue is being addressed by updating the python utilities to the version in apparmor 2.9.2 as tracked in bug 1449769. This represents are large change which would normally be risky; however, these changes are isolated to the python utils (so no changes to the policy parser/loader or enforcement), there are a large number of bugs that exist in the trusty version that make using the tools difficult, so it would be difficult to regress further, and the updated version includes many new unit tests to try to prevent from regressions from occurring.

[additional info]

The python utils testsuite is run as part of the test-apparmor.py test
script in lp:qa-regression-testing. The test-apparmor.py also has
additional basic usage tests to ensure that basic functionality is
maintained. These tests are run as part of the process fro each kernel
update.

[original description]

In a terminal, I run:

$ sudo aa-genprof /usr/bin/empathy
...
[(S)can system log for AppArmor events] / (F)inish

At this point, I start empathy, then stop it.

Now I go back to the terminal:
<press S>
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 150, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2240, in do_logprof_pass
    read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2689, in parse_profile_data
    filelist[file]['profiles'][profile][hat] = True
TypeError: 'bool' object does not support item assignment

If I run it again, I get a different traceback:
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 150, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2240, in do_logprof_pass
    read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2558, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2584, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3031, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /etc/apparmor.d/zz-unconfined line: 3'

/etc/apparmor.d/zz-unconfined contains:
# v2 compatible wildly permissive profile
profile "zz_unconfined" {
  capability,
  network,
  /** rwlkm,
  /** pix,

  # TODO: when dbus hits:
  dbus,
}

Jamie Strandboge (jdstrand) wrote :
Jamie Strandboge (jdstrand) wrote :

Here is /etc/apparmor and /etc/apparmor.d

Tyler Hicks (tyhicks) wrote :

The bug that tracks the second traceback is bug #1294819

Christian Boltz (cboltz) wrote :

Workaround: aa-autodep $program ; aa-genprof $program
(or just start aa-genprof $program a second time, this time it will work because it has done the aa-autodep stuff before crashing)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Christian Boltz (cboltz) wrote :

The first backtrace is tracked in bug 1319829 (fix commited to bzr r2516), and bug #1294819 (for the second backtrace) was also fixed.

This means this bug is fixed :-)

Changed in apparmor:
status: New → Fix Committed
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Mathew Hodson (mathew-hodson) wrote :

The fix has not been released for trusty, so that task should be changed back to Triaged.

apparmor is still 2.8.95~2430-0ubuntu5 in trusty

Changed in apparmor (Ubuntu Trusty):
status: Fix Released → Confirmed
tags: added: trusty
Steve Beattie (sbeattie) on 2015-05-18
description: updated
Steve Beattie (sbeattie) wrote :

I have reproduced the traceback when profiling empathy with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates, and can confirm that apparmor 2.8.95~2430-0ubuntu5.2 from trusty-proposed fixes the problem. Marking verification-done.

tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Confirmed → Fix Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in apparmor (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers