"force-complain" and "disable" directories breaks aa-genprof

Bug #331534 reported by Dan Munckton on 2009-02-19
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | | Undecided | Jamie Strandboge | |
| Hardy | | Undecided | Unassigned | |
| Intrepid | | Undecided | Jamie Strandboge | |
| Jaunty | | Undecided | Jamie Strandboge | |

Bug Description

Binary package hint: apparmor

Running aa-genprof on Hardy outputs the following:

    $ sudo aa-genprof /usr/sbin/apache2

    Include file force-complain/usr.sbin.named contains syntax errors or is not a valid #include file.

I narrowed the error down to the loadincludes() sub in /usr/share/perl5/Immunix/SubDomain.pm - it expects all subdirectories of /etc/apparmor.d/ to contain only 'include' style files. Consequently when parsing force-complain/usr.sbin.named it hits the line ...

   /usr/sbin/named {

... and bails out.

A similar error is reported on Intrepid.

I see that the "force-complain" directory was introduced by the change resulting from bug 203137

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This also affects the /etc/apparmor.d/disable directory.

Changed in apparmor:
assignee: nobody → jdstrand
status: New → Confirmed
Changed in apparmor:
assignee: jdstrand → nobody
Jamie Strandboge (jdstrand) wrote :

Actually, Hardy had in SubDomain.pm:

    sub isSkippableFile($) {
        my $path = shift;

        return ($path =~ /(^|\/)\.[^\/]*$/
                || $path =~ /\.rpm(save|new)$/
                || $path =~ /\.dpkg-(old|new|dist)$/
                || -e "$profiledir/disable/$path"
                || $path =~ /\~$/);
    }

The '|| -e "$profiledir/disable/$path"' was dropped in Intrepid. So 'disable' didn't cause problems in Hardy.

Jamie Strandboge (jdstrand) wrote :

Here is the patch I am putting into Jaunty.

Changed in apparmor:
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu8

---------------
apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low

  * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109)
  * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
    include files, and also don't process force-complain/ (LP: #331534)

 -- Jamie Strandboge <email address hidden> Thu, 12 Mar 2009 12:53:08 -0500
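
An added illustration of the failure and fix discussed in this thread, written in Python; it is not the Perl from SubDomain.pm and not the patch attached to this bug. A loader that treats every subdirectory of the profile directory as include files rejects the full profiles under force-complain/ and disable/, and skipping those two directories avoids that. The function names, the profile-header regex and the sample tree are constructed for the example.

```python
import os
import re
import tempfile

# Assumption: these subdirectories hold whole profiles (or links to them), not include fragments.
NON_INCLUDE_DIRS = frozenset({"disable", "force-complain"})
# Assumed shape of a profile header such as "/usr/sbin/named {", which an include parser rejects.
PROFILE_HEADER = re.compile(r"^\s*(profile\s+\S+|/\S+)\s*(flags=\([^)]*\)\s*)?\{\s*$")

def is_skippable_file(name):
    """Name-based filter modelled on the isSkippableFile() quoted in the thread."""
    return bool(re.search(r"(^|/)\.[^/]*$", name)
                or re.search(r"\.rpm(save|new)$", name)
                or re.search(r"\.dpkg-(old|new|dist)$", name)
                or name.endswith("~"))

def load_includes(profile_dir, skip_dirs=frozenset()):
    """Walk subdirectories of profile_dir; return (loaded, rejected) relative paths."""
    loaded, rejected = [], []
    for root, dirs, files in os.walk(profile_dir):
        rel_root = os.path.relpath(root, profile_dir)
        dirs[:] = sorted(d for d in dirs if rel_root != "." or d not in skip_dirs)
        if rel_root == ".":
            continue  # top-level files are full profiles, never includes
        for name in sorted(files):
            rel = os.path.join(rel_root, name)
            if is_skippable_file(rel):
                continue
            with open(os.path.join(root, name)) as fh:
                bad = any(PROFILE_HEADER.match(line) for line in fh)
            (rejected if bad else loaded).append(rel)
    return loaded, rejected

def build_sample_tree():
    """Constructed layout resembling /etc/apparmor.d, created in a temporary directory."""
    base = tempfile.mkdtemp()
    samples = {
        "usr.sbin.named": "/usr/sbin/named {\n  #include <abstractions/base>\n}\n",
        "abstractions/base": "  /etc/ld.so.cache r,\n",
        "abstractions/base.dpkg-old": "  stale fragment\n",
        "force-complain/usr.sbin.named": "/usr/sbin/named {\n}\n",
        "disable/usr.sbin.cupsd": "/usr/sbin/cupsd {\n}\n",
    }
    for rel, text in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return base
```

Calling `load_includes(tree)` reproduces the rejection of the profiles in both directories; passing `NON_INCLUDE_DIRS` as `skip_dirs` leaves only the real include fragment.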

Changed in apparmor:
status: In Progress → Fix Released
John Dong (jdong) wrote :

This bug affects Hardy too, namely the force-complain dir is installed by packages such as freshclam, leading to the same error as the original bug filer reported.

A debdiff for a Hardy SRU is at http://jdong.mit.edu/~jdong/motu/apparmor_2.1+1075-0ubuntu9.2.debdiff

Martin Pitt (pitti) wrote :

Jamie, please review and upload if appropriate.

Jamie Strandboge (jdstrand) wrote :

The patch looks good. I uploaded it to hardy-proposed and also uploaded a patched package for Intrepid using the patch I used in Jaunty.

IMPACT: aa-genprof cannot be used to generate new profiles when profiles are in force-complain mode (hardy and intrepid) or disabled (intrepid)

DEV RELEASE: it is fixed in Jaunty with the attached patch

TEST CASE (hardy):
1. ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/force-complain
2. sudo aa-genprof /usr/bin/yes

TEST CASE (intrepid):
1. ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/force-complain
2. sudo aa-genprof /usr/bin/yes
3. rm -f /etc/apparmor.d/force-complain/usr.sbin.cupsd
4. ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable
5. sudo aa-genprof /usr/bin/yes

REGRESSION POTENTIAL: considered to be low due to a very minimal patch to ignore more directories in /etc/apparmor.d. The patched file is used by all the apparmor helper functions, but a regression should not cause a problem with apparmor protections or profile manipulation via apparmor_parser.

Changed in apparmor (Ubuntu Intrepid):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Fix Committed
Changed in apparmor (Ubuntu Hardy):
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

Accepted apparmor into intrepid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Tested both Hardy and Intrepid and the test cases now work properly.

Martin Pitt (pitti) on 2009-05-11
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.1+1075-0ubuntu9.2

---------------
apparmor (2.1+1075-0ubuntu9.2) hardy-proposed; urgency=low

  * SubDomain.pm: Ignore "force-complain/" to prevent aa-genprof from failing.
    (LP: #331534)

 -- John Dong <email address hidden> Tue, 28 Apr 2009 15:26:48 -0400

Changed in apparmor (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu4.2

---------------
apparmor (2.3+1289-0ubuntu4.2) intrepid-proposed; urgency=low

  * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
    include files, and also don't process force-complain/ (LP: #331534)

 -- Jamie Strandboge <email address hidden> Mon, 04 May 2009 08:32:55 -0500

Changed in apparmor (Ubuntu Intrepid):
status: Fix Committed → Fix Released