aa-logprof crash on #include <directory>

Bug #1471425 reported by Christian Boltz on 2015-07-04
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Christian Boltz
2.9
Undecided
Unassigned
apparmor (Ubuntu)
Undecided
Unassigned

Bug Description

aa-logprof crashes on profiles that contain an #include <directory> _if_ there are events for this profile.

2.9 crash:

# aa-logprof -f /tmp/syslog
Lese Logeinträge von /tmp/syslog.
Aktualisiere AppArmor-Profile in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2297, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2533, in collapse_log
    if not profile_known_network(aa[profile][hat], family, sock_type):
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 4394, in profile_known_network
    if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
KeyError: 'apache2.d'

trunk crash:

# aa-logprof -f /tmp/syslog
Lese Logeinträge von /tmp/syslog.
Aktualisiere AppArmor-Profile in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2189, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2426, in collapse_log
    if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 4099, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'apache2.d'

Reproducer: (slightly faked log event, apache didn't request network raw)

aa-logprof -f <(echo 'Jul 2 06:39:54 piorun kernel: [5579093.070893] audit: type=1400 audit(1435811994.122:696484): apparmor="ALLOWED" operation="accept" profile="/usr/sbin/apache2" pid=18852 comm="apache2" lport=443 family="inet6" sock_type="raw" protocol=6')

Note: If you test with old logs, it doesn't always happen, because is_known_rule() / profile_known_*() exits as soon as it finds a match, and the order of include files is random, which means it doesn't always loop until it hits the directory include.

I'm afraid that this affects the profile_known_*() functions for all rule types.
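The directory-aware include walk that the trunk fix is described as doing, written here as an added example that is not aa.py's own code: the function names, the include dict layout and the constructed profile tree are assumptions for illustration only.

```python
# Added example, not aa.py's own code: models the include lookup that crashed on
# '#include <apache2.d>' by expanding a directory include to the files inside it.
import os
import tempfile

def include_dir_filelist(profile_dir, incdir):
    """Include names (relative to profile_dir) of every file below incdir."""
    names = []
    for root, _dirs, files in os.walk(os.path.join(profile_dir, incdir)):
        for fname in sorted(files):
            names.append(os.path.relpath(os.path.join(root, fname), profile_dir))
    return names

def is_known_rule(profile_dir, include, profile_includes, rule_type, rule):
    """True if a (transitively) included file already carries `rule`.
    `include` maps include-file name -> {rule_type: set of rules, 'include': set
    of names}: a hypothetical layout standing in for include[incname][incname].
    The crashing code indexed include[incname] for every name, directory or not."""
    todo = list(profile_includes)
    checked = set()
    while todo:
        incname = todo.pop(0)
        if incname in checked:          # guards against include cycles
            continue
        checked.add(incname)
        if os.path.isdir(os.path.join(profile_dir, incname)):
            todo += include_dir_filelist(profile_dir, incname)   # former KeyError site
            continue
        entry = include.get(incname)
        if entry is None:               # never parsed: cannot match, must not crash
            continue
        if rule in entry.get(rule_type, set()):
            return True
        todo += sorted(entry.get('include', set()))
    return False

def demo():
    # Constructed profile dir: one include file plus an include directory.
    profile_dir = tempfile.mkdtemp()
    for name in ('abstractions/base', 'apache2.d/php5', 'apache2.d/ssl'):
        os.makedirs(os.path.join(profile_dir, os.path.dirname(name)), exist_ok=True)
        open(os.path.join(profile_dir, name), 'w').close()
    include = {   # parsed contents keyed by file; the directory itself has no entry
        'abstractions/base': {'network': set(), 'include': set()},
        'apache2.d/php5': {'network': set(), 'include': {'abstractions/base'}},
        'apache2.d/ssl': {'network': {('inet6', 'stream')}, 'include': set()},
    }
    incs = ['abstractions/base', 'apache2.d']
    return (is_known_rule(profile_dir, include, incs, 'network', ('inet6', 'stream')),
            is_known_rule(profile_dir, include, incs, 'network', ('inet6', 'raw')))
```

demo() finds the inet6/stream rule inside apache2.d/ssl and reports the inet6/raw rule from the reproducer as unknown, where the original lookup raised KeyError: 'apache2.d' before reaching either answer.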

Christian Boltz (cboltz) on 2015-07-04
tags: added: aa-tools
Christian Boltz (cboltz) wrote :

Patches for trunk sent to ML.

Changed in apparmor:
status: New → In Progress
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz) wrote :

Patch for 2.9 also sent to ML.

Note that the trunk patch actually honors the content of the include directory, while the 2.9 patch "just" avoids the crash.

Christian Boltz (cboltz) wrote :

Patches committed to trunk and 2.9.

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.3
Christian Boltz (cboltz) on 2015-07-14
Changed in apparmor:
milestone: 2.9.3 → 2.10
Steve Beattie (sbeattie) wrote :

AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

Changed in apparmor:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10-0ubuntu2

---------------
apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch:
    make aa-status(8) work even when python3-apparmor is not installed,
    otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
    version of python3-apparmor

 -- Steve Beattie <email address hidden> Fri, 31 Jul 2015 16:35:03 -0700

Changed in apparmor (Ubuntu):
status: New → Fix Released