2015-05-18 16:16:01 |
Steve Beattie |
description |
I am trying to profile apache2 with aa-logprof. As part of that I ran into the following problem
root@tim-X220:~# aa-logprof -m LOGMARK1
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/sbin/aa-logprof", line 52, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2262, in do_logprof_pass
handle_children('', '', root)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1237, in handle_children
sev_db.load_variables(profile)
File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 180, in load_variables
for line in f_in:
File "/usr/lib/python3.4/codecs.py", line 704, in __next__
return next(self.reader)
File "/usr/lib/python3.4/codecs.py", line 635, in __next__
line = self.readline()
File "/usr/lib/python3.4/codecs.py", line 548, in readline
data = self.read(readsize, firstline=True)
File "/usr/lib/python3.4/codecs.py", line 494, in read
newchars, decodedbytes = self.decode(data, self.errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc6 in position 24: invalid continuation byte
When I trace back I find that on line 1237 the path to binary is passed to "load_variables" when it expects the path to the profile related to a binary. As a result it opens the binary and tries to process it as a profile. I suspect this but will appear as a range of Unicode style errors depending on what executable is being passed.
The fix is fairly simple. On line 1237 change
sev_db.load_variables(profile)
to
sev_db.load_variables(get_profile_filename(profile))
Attached is a patch for this. |
[impact]
This bug makes it difficult for trusty users to use the apparmor policy
utilities.
[steps to reproduce]
See below
[regression potential]
This issue is being addressed by updating the python utilities to the
version in apparmor 2.9.2 as tracked in bug 1449769. This represents are
large change which would normally be risky; however, these changes are
isolated to the python utils (so no changes to the policy parser/loader
or enforcement), there are a large number of bugs that exist in the
trusty version that make using the tools difficult, so it would be
difficult to regress further, and the updated version includes many new
unit tests to try to prevent from regressions from occurring.
[additional info]
The python utils testsuite is run as part of the test-apparmor.py test
script in lp:qa-regression-testing. The test-apparmor.py also has
additional basic usage tests to ensure that basic functionality is
maintained. These tests are run as part of the process fro each kernel
update.
[original description]
I am trying to profile apache2 with aa-logprof. As part of that I ran into the following problem
root@tim-X220:~# aa-logprof -m LOGMARK1
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/sbin/aa-logprof", line 52, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2262, in do_logprof_pass
handle_children('', '', root)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1237, in handle_children
sev_db.load_variables(profile)
File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 180, in load_variables
for line in f_in:
File "/usr/lib/python3.4/codecs.py", line 704, in __next__
return next(self.reader)
File "/usr/lib/python3.4/codecs.py", line 635, in __next__
line = self.readline()
File "/usr/lib/python3.4/codecs.py", line 548, in readline
data = self.read(readsize, firstline=True)
File "/usr/lib/python3.4/codecs.py", line 494, in read
newchars, decodedbytes = self.decode(data, self.errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc6 in position 24: invalid continuation byte
When I trace back I find that on line 1237 the path to binary is passed to "load_variables" when it expects the path to the profile related to a binary. As a result it opens the binary and tries to process it as a profile. I suspect this but will appear as a range of Unicode style errors depending on what executable is being passed.
The fix is fairly simple. On line 1237 change
sev_db.load_variables(profile)
to
sev_db.load_variables(get_profile_filename(profile))
Attached is a patch for this. |
|