aa-complain crashed with apparmor.common.AppArmorException in get_profile_flags(): '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

Bug #1296218 reported by Rainer Dickermann on 2014-03-23
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | | Undecided | Unassigned |
Release Notes for Ubuntu | | Undecided | Unassigned |
apparmor (Ubuntu) | | Medium | Unassigned |
Trusty | | Medium | Unassigned |
Utopic | | Medium | Unassigned |

Bug Description

Here the profile exists
-------------------------------
$ sudo aa-autodep /usr/bin/chromium-browser
Profile for /usr/bin/chromium-browser already exists - skipping.
----------------------------
Here it doesn't exist
----------------------------
$ sudo aa-genprof /usr/bin/chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 102, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 600, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
-------------------------------
and finally this crashes again
-------------------------------
$ sudo aa-complain /usr/bin/chromium-browser
Setting /usr/bin/chromium-browser to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 178, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 264, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 603, in change_profile_flags
    old_flags = get_profile_flags(filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 600, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: apparmor-utils 2.8.95~2430-0ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-18.38-lowlatency 3.13.6
Uname: Linux 3.13.0-18-lowlatency x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:47:30 2014
ExecutablePath: /usr/sbin/aa-complain
InstallationDate: Installed on 2014-03-08 (14 days ago)
InstallationMedia: Ubuntu-Studio 14.04 "Trusty Tahr" - Alpha amd64 (20140224)
InterpreterPath: /usr/bin/python3.4
ProcCmdline: /usr/bin/python3 /usr/sbin/aa-complain /usr/bin/chromium-browser
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-18-lowlatency root=UUID=4333a8e9-30cd-431d-8682-8211c549f168 ro quiet splash vt.handoff=7
PythonArgs: ['/usr/sbin/aa-complain', '/usr/bin/chromium-browser']
SourcePackage: apparmor
Title: aa-complain crashed with apparmor.common.AppArmorException in get_profile_flags(): '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

information type: Private Security → Public
tags: removed: need-duplicate-check
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

I suspect that the fact that the profile is named usr.bin.chromium-browser but contains a profile for the /usr/lib/chromium-browser/chromium-browser profile is confusing the tools here.

Changed in apparmor:
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: New → Confirmed
MattJ (mwild1) wrote :

I'm also experiencing this, but not with the chromium-browser profile. I'm still trying to learn AppArmor, and am trying to create a profile for Spotify. I have attached the profile. I get this output:

$ sudo aa-complain /opt/spotify/spotify-client/spotify
Setting /opt/spotify/spotify-client/spotify to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 178, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 267, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 606, in change_profile_flags
    old_flags = get_profile_flags(filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 603, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/opt.spotify.spotify-client.spotify contains no profile'

As far as I can see the profile's filename and the name of the binary in the profile match.

Seth Arnold (seth-arnold) wrote :

I wonder if the quotes around the executable name are the cause of this problem?

MattJ, in the meantime, you can replace this line:

"/opt/spotify/spotify-client/spotify" {

with:

"/opt/spotify/spotify-client/spotify" (complain) {

and then re-load the profile with e.g.:

sudo apparmor_parser --replace /etc/apparmor.d/opt.spotify.spotify-client.spotify

Thanks for the report

MattJ (mwild1) wrote :

Aha! I can confirm that removing the quotes indeed did the trick. They were put there by aa-easyprof.

And thanks for the tip about '(complain)' :)

Christian Boltz (cboltz) wrote :

Can you please try with this patch? (Apply it to /usr/lib/python3/dist-packages/apparmor/aa.py)

It should solve the problem, but I gave it only 5 minutes of testing.

Notes and related bugs (with the patch applied):
- aa-complain fails to add the complain flag as long as the quotes exist - while reporting success :-/
- the quotes will be removed when saving the profile (for example with aa-cleanprof)
- we should test the patch with a profile/binary that contains spaces (the quotes must be preserved in that case)
- there are other regexes that handle quotes: RE_PROFILE_ALIAS, RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF - they probably also need to be changed

Christian Boltz (cboltz) wrote :

Here's v2 of the patch that fixes the issue with aa-complain. (It turned out that set_profile_flags() uses its own regex, which needed a similar fix.)

Compared to v1, I also fixed the handling of profile "/foo" - that's the ("??.+?"??) -> "?(.+?)"?? change. Besides the obvious move of the parenthesis, also note the removed question mark, which is an important part of the fix.

The other notes from my previous comment/patch still apply.
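
Added example (not part of the original comment and not code from aa.py): the two name fragments quoted above, plus the intermediate form with a lazy leading quote, dropped into a simplified profile-header regex to show what each one captures. The surrounding header regex, the helper names `header_re`, `profile_flags` and `captured_name`, and the sample profiles are assumptions made for illustration.

```python
import re

# Name fragments from the comment above. NAME_LAZY is the in-between form
# (parenthesis moved, leading quote still lazy) that shows why the removed
# question mark matters.
NAME_OLD = r'("??.+?"??)'    # before: quotes land inside the captured name
NAME_LAZY = r'"??(.+?)"??'   # lazy leading quote is skipped, so it is captured
NAME_NEW = r'"?(.+?)"??'     # after: leading quote is consumed outside the group

def header_re(name_fragment):
    """Simplified profile-header regex (an assumption, not the one in aa.py)."""
    return re.compile(
        r'^\s*(?:profile\s+)?' + name_fragment +
        r'\s+(?:flags=)?(?:\(([^)]+)\)\s+)?\{\s*$')

def captured_name(line, name_fragment):
    """Return the profile name the regex captures from one header line."""
    m = header_re(name_fragment).match(line)
    return m.group(1) if m else None

def profile_flags(profile_text, program, name_fragment):
    """Return the flags of the profile for `program` ('' if none), or None
    when no header names `program` (the 'contains no profile' case)."""
    regex = header_re(name_fragment)
    for line in profile_text.splitlines():
        m = regex.match(line)
        if m and m.group(1) == program:
            return m.group(2) or ''
    return None

# Constructed sample profiles (not taken from the bug's attachments).
SPOTIFY = '/opt/spotify/spotify-client/spotify'
QUOTED = ('#include <tunables/global>\n'
          '"' + SPOTIFY + '" {\n'
          '  /etc/passwd r,\n'
          '}\n')
SPACES = '"/opt/my app/bin" (complain) {\n}\n'

if __name__ == '__main__':
    header = QUOTED.splitlines()[1]
    for label, frag in (('old', NAME_OLD), ('lazy', NAME_LAZY), ('new', NAME_NEW)):
        print(label, repr(captured_name(header, frag)),
              repr(profile_flags(QUOTED, SPOTIFY, frag)))
    print(repr(profile_flags(SPACES, '/opt/my app/bin', NAME_NEW)))
```

With the old fragment the captured name still carries both quotes, so the comparison against the program path fails and the lookup ends in the "contains no profile" case; with a lazy leading quote the opening quote is still captured; only the greedy `"?` yields the bare path.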

The attachment "quick patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Christian Boltz (cboltz) wrote :

Patch committed to brz r2536.

> Notes and related bugs (with the patch applied):
> - aa-complain fails to add the complain flag as long as the quotes exist - while reporting success :-/

Works now.

> - the quotes will be removed when saving the profile (for example with aa-cleanprof)
> - we should test the patch with a profile/binary that contains spaces (the quotes must be preserved in that case)

Tested, works - quotes will be kept (only) if needed.

> - there are other regexes that handle quotes: RE_PROFILE_ALIAS, RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF - they probably also need to be changed

Reported as https://bugs.launchpad.net/apparmor/+bug/1332292 for further handling.

In other words: nothing left for this bug report, therefore closing as fixed.

Changed in apparmor:
status: Confirmed → Fix Committed
Steve Beattie (sbeattie) on 2014-06-19
Changed in apparmor:
milestone: none → 2.9.0
Changed in apparmor (Ubuntu Utopic):
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
milestone: none → trusty-updates
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Mathew Hodson (mathew-hodson) wrote :

The fix has not been released for trusty, so that task should be changed back to Triaged.

apparmor is still 2.8.95~2430-0ubuntu5.1 in trusty

Mathew Hodson (mathew-hodson) wrote :

This issue still exists on trusty.

$ apt list apparmor
Listing... Done
apparmor/trusty-proposed,now 2.8.95~2430-0ubuntu5.3 amd64 [installed,automatic]

$ sudo aa-autodep /usr/bin/chromium-browser
Profile for /usr/bin/chromium-browser already exists - skipping.
$ sudo aa-genprof /usr/bin/chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 107, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'
$ sudo aa-complain /usr/bin/chromium-browser
Setting /usr/bin/chromium-browser to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 164, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 275, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 616, in change_profile_flags
    old_flags = get_profile_flags(filename, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 613, in get_profile_flags
    raise AppArmorException(_('%s contains no profile') % filename)
apparmor.common.AppArmorException: '/etc/apparmor.d/usr.bin.chromium-browser contains no profile'

Changed in apparmor (Ubuntu Trusty):
status: Fix Released → Triaged
Sebastien Bacher (seb128) wrote :

The bug has no debdiff to review and isn't SRU compliant (no impact/test case/regression description). It doesn't seem to be waiting on sponsoring but needs work first; unsubscribing sponsors. Please subscribe them back once there is an update ready for upload.

Changed in ubuntu-release-notes:
status: New → Fix Released
tags: added: aa-tools