aa-logprof crash if changing sanitized_helpers subprofile

Bug #1576118 reported by EdiD on 2016-04-28
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)

Bug Description

In Ubuntu 16.04, when creating an apparmor profile using aa-genprof, it crashes complaining about python3. The same with aa-logprof.

EdiD (grzesiek20) wrote :
description: updated
Christian Boltz (cboltz) wrote :

Thanks for the report!

I can reproduce it with this (faked) log event:

python3 aa-logprof -d ../profiles/apparmor.d -f <(echo 'Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="firefox//sanitized_helper" pid=24743 comm="firefox" laddr= lport=765 faddr= fport=2049 family="netlink" sock_type="raw" protocol=6')

and a test profile based on the firefox profile (saved locally as usr.bin.firefox.apparmor.lp1576118 - but I'd guess any profile including abstractions/ubuntu-helpers can be used to reproduce this bug).

The problem is that the sanitized_helper subprofile is defined in an abstraction, but aa-logprof tries to store your changes in a subprofile of firefox. (By including abstractions/ubuntu-helpers (which contains sanitized_helper), it becomes a child profile of the firefox profile - but aa-logprof doesn't understand this and internally stores the content of include files at a different location.)

Getting this bug fixed will be interesting[tm] because aa-logprof would have to modify the abstraction - but that would also change it for other profiles using sanitized_helper, so we'll need to discuss/decide how to handle this.

For now, please choose "(I)gnore" when aa-logprof asks to add something to the sanitized_helper subprofile to avoid the crash, and edit sanitized_helper manually.

tags: added: aa-tools
summary: - python3 related errors
+ aa-logprof crash if changing sanitized_helpers subprofile
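
As an added example (not code from aa-logprof or from anyone in this report), the sketch below reports where the profile named in an audit event is defined: in the profile file itself or in an included abstraction, which is the case described above where "(I)gnore" and a manual edit are advised. The profile and abstraction texts are constructed stand-ins, and `event_profile` and `where_defined` are hypothetical names.

```python
import re

# Constructed stand-ins for the real files; contents are illustrative only.
ABSTRACTIONS = {
    "abstractions/ubuntu-helpers": "profile sanitized_helper {\n  network inet,\n}\n",
}
PROFILE = """\
profile firefox /usr/lib/firefox/firefox {
  #include <abstractions/ubuntu-helpers>
  profile local_child {
    /usr/bin/true rix,
  }
}
"""
# Trimmed copy of the faked log event quoted in the comment above.
EVENT = ('type=1400 audit(1308766940.698:3704): apparmor="DENIED" '
         'operation="sendmsg" parent=24737 profile="firefox//sanitized_helper" '
         'pid=24743 comm="firefox" family="netlink" sock_type="raw" protocol=6')

PROFILE_DECL = re.compile(r'^\s*profile\s+(\S+)', re.M)
INCLUDE = re.compile(r'^\s*#?include\s+<([^>]+)>', re.M)

def event_profile(line):
    """Return (parent, child) from profile=; child is None for a top-level profile."""
    m = re.search(r'\bprofile="([^"]+)"', line)
    if not m:
        return None
    parent, _, child = m.group(1).partition("//")
    return parent, child or None

def where_defined(line, profile_text, abstractions):
    """Say where the profile named in an audit event is actually defined."""
    names = event_profile(line)
    if names is None:
        return "no-profile-field"
    parent, child = names
    if child is None:
        return "top-level"
    if child in PROFILE_DECL.findall(profile_text):
        return "local-child"
    # The child is not declared in the file itself: look through its includes.
    for inc in INCLUDE.findall(profile_text):
        if child in PROFILE_DECL.findall(abstractions.get(inc, "")):
            return "include:" + inc
    return "unknown"

if __name__ == "__main__":
    print(where_defined(EVENT, PROFILE, ABSTRACTIONS))
```

An `include:` result marks an event whose rule would have to be written into a shared abstraction, which also affects every other profile that includes it.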
EdiD (grzesiek20) wrote :

Thanks for the reply. Apparmor is crashing and complaining about python3 (in Xenial) even when creating a totally new profile with aa-genprof.

Christian Boltz (cboltz) wrote :

Hmm, this shouldn't happen ;-)

If I change my reproducer to profile="firefox" (instead of "firefox//sanitized_helper"), aa-logprof can successfully add the needed rule to the profile. (Note that my test profile differs slightly from the Ubuntu profile, but that shouldn't matter for this bug.)

You should at least see a different error message ;-) which would mean another bug.

Please attach the output of aa-genprof (how you call it, the start and at least the last two permissions it asks about - or just everything). If it crashes with a different error message, please open a new bug report for it, otherwise attach it here.
