aa-logprof crash if changing sanitized_helpers subprofile
Bug #1576118 reported by
EdiD
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
New
|
Undecided
|
Unassigned | ||
apparmor (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
In Ubuntu 16.04 when creating apparmor profile using aa-genprof it crashes complaining about python3. The same with aa-logprof
To post a comment you must log in.
Thanks for the report!
I can reproduce it with this (faked) log event:
python3 aa-logprof -d ../profiles/ apparmor. d -f <(echo 'Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(130876694 0.698:3704) : apparmor="DENIED" operation="sendmsg" parent=24737 profile= "firefox/ /sanitized_ helper" pid=24743 comm="firefox" laddr=192. 168.66. 150 lport=765 faddr=192. 168.66. 200 fport=2049 family="netlink" sock_type="raw" protocol=6')
and a test profile based on the firefox profile (saved locally as usr.bin. firefox. apparmor. lp1576118 - but I'd guess any profile including abstractions/ ubuntu- helpers can be used to reproduce this bug).
The problem is that the sanitized_helper subprofile is defined in an abstraction, but aa-logprof tries to store your changes in a subprofile of firefox. (By including abstractions/ ubuntu- helpers (which contains sanitized_helper), it becomes a child profile of the firefox profile - but aa-logprof doesn't understand this and internally stores the content of include files at a different location.)
Getting this bug fixed will be interesting[tm] because aa-logprof would have to modify the abstraction - but that would also change it for other profiles using sanitized_helper, so we'll need to discuss/decide how to handle this.
For now, please choose "(I)gnore" when aa-logprof asks to add something to the sanitized_helper subprofile to avoid the crash, and edit sanitized_helper manually.