Thanks for the report!
I can reproduce it with this (faked) log event:
python3 aa-logprof -d ../profiles/apparmor.d -f <(echo 'Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="firefox//sanitized_helper" pid=24743 comm="firefox" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="netlink" sock_type="raw" protocol=6')
and a test profile based on the firefox profile (saved locally as usr.bin.firefox.apparmor.lp1576118 - but I'd guess any profile including abstractions/ubuntu-helpers can be used to reproduce this bug).
The problem is that the sanitized_helper subprofile is defined in an abstraction, but aa-logprof tries to store your changes in a subprofile of firefox. (By including abstractions/ubuntu-helpers (which contains sanitized_helper), it becomes a child profile of the firefox profile - but aa-logprof doesn't understand this and internally stores the content of include files at a different location.)
Getting this bug fixed will be interesting[tm] because aa-logprof would have to modify the abstraction - but that would also change it for other profiles using sanitized_helper, so we'll need to discuss/decide how to handle this.
For now, please choose "(I)gnore" when aa-logprof asks to add something to the sanitized_helper subprofile to avoid the crash, and edit sanitized_helper manually.
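
Added example (not part of the original comment and not aa-logprof code): a Python pre-check that lists log events whose child profile is defined in an included abstraction rather than in the profile file itself, which are the prompts to answer with "(I)gnore". The profile text, the browser_java child and the shortened log lines are constructed, and include handling is simplified to one level of regex matching.

```python
import re

PROFILE_RE = re.compile(r'\bprofile="([^"]+)"')
INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>', re.M)

# Constructed sample data, not real system files or logs.
PROFILE_TEXT = """profile firefox /usr/lib/firefox/firefox {
  #include <abstractions/ubuntu-helpers>
  profile browser_java {
    /usr/bin/java rix,
  }
}
"""
INCLUDES = {"abstractions/ubuntu-helpers": "profile sanitized_helper {\n  network inet,\n}\n"}
EVENTS = [
    'apparmor="DENIED" operation="sendmsg" profile="firefox//sanitized_helper" comm="firefox"',
    'apparmor="DENIED" operation="open" profile="firefox//browser_java" comm="java"',
    'apparmor="DENIED" operation="open" profile="firefox" comm="firefox"',
]

def defines_child(text, child):
    # Matches "profile NAME ... {" and hat syntax "^NAME ... {".
    pat = r'^\s*(?:profile\s+|\^)' + re.escape(child) + r'\b[^{\n]*\{'
    return re.search(pat, text, re.M) is not None

def split_profile(event):
    """Return (parent, child or None) from the profile= field of an audit line."""
    m = PROFILE_RE.search(event)
    if not m:
        return None
    parent, _, child = m.group(1).partition("//")
    return parent, (child or None)

def child_origin(profile_text, includes, child):
    """'profile' if defined in the profile file, else the defining include, else None."""
    if defines_child(profile_text, child):
        return "profile"
    for name in INCLUDE_RE.findall(profile_text):
        if defines_child(includes.get(name, ""), child):
            return name
    return None

def prompts_to_ignore(events, profile_text, includes):
    """Events whose child profile lives in an include: answer (I)gnore, edit by hand."""
    hits = []
    for parent, child in filter(None, map(split_profile, events)):
        origin = child_origin(profile_text, includes, child) if child else None
        if origin not in (None, "profile"):
            hits.append((parent, child, origin))
    return hits
```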