Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor

Bug #1752365 reported by Gold Star on 2018-02-28
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)

Bug Description

After installing apparmor, apparmor-utils, and libapache2-mod-apparmor and enabling a virtual host that uses the changehat feature, it is impossible to "(A)dd Requested Hat" or "(U)se Default Hat" because there isinconsistent use of q.promptUser() call in the " elif type == 'unknown_hat' block on line 1097 in

  ans = q.promptUser()
  ans = q.promptUser()[0].strip()
  ans, selected = q.promptUser()
  ans, arg = q.promptUser()
resolves this problem because ans is no longer assigned a tuple data type and can be evaluated against CMD_* variables

Further execution of code is buggy due to collection.defaultdict(hasher(), {}) not having certain methods but that is not within the scope of this bug report.


Debugging info:

uname -a:
Linux hostname 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/issue
Ubuntu 16.04.3 LTS \n \l

apt-cache policy apparmor-utils
  Installed: 2.10.95-0ubuntu2.8
  Candidate: 2.10.95-0ubuntu2.8
 *** 2.10.95-0ubuntu2.8 500
        500 xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status

apt-cache policy apparmor
  Installed: 2.10.95-0ubuntu2.6
  Candidate: 2.10.95-0ubuntu2.8
  Version table:
     2.10.95-0ubuntu2.8 500
        500 xenial-updates/main amd64 Packages

apt-cache policy libapache2-mod-apparmor
  Installed: 2.10.95-0ubuntu2.8
  Candidate: 2.10.95-0ubuntu2.8
  Version table:
 *** 2.10.95-0ubuntu2.8 500
        500 xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status

Gold Star (goldstar611) on 2018-02-28
description: updated
Gold Star (goldstar611) on 2018-02-28
description: updated
Christian Boltz (cboltz) wrote :

For the records: this is already fixed upstream (checked in master and the latest 2.11 branch), so Ubuntu "just" needs to pick up the fix.

commit e2039f021e42793e07c1838499eae9c22e1ea8f2
Author: Christian Boltz <email address hidden>
Date: Mon Aug 15 22:02:55 2016 +0200

See for details.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers