[Karmic] After restarting AppArmor, aa-logprof doesn't seem to load the existing profiles.

Bug #446449 reported by Rookcifer
This bug affects 2 people

Affects | Status | Importance | Assigned to
apparmor (Ubuntu) | Fix Released | Medium | Marc Deslauriers
Karmic | Fix Released | Undecided | Unassigned

Bug Description

Binary package hint: apparmor

When I attempt to create a new profile with the "aa-genprof" command, I find that none of the changes I make through the interactive apparmor log parser stick (I am using the auditd, by the way). If I try to generate a profile for my IRC client, for example, I find that whenever I perform "aa-logprof" that I get asked the same questions over and over again. They do not stick, even after restarting apparmor or even after rebooting. And I get the following error when I try to restart apparmor whenever one of my generated profiles exists in /etc/apparmor.d/:

sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles
Found reference to variable HOME, but is never declared
Found reference to variable HOME, but is never declared

The above error implies that the #include <tunables/global> line was not included in the profile. If I add that line, it fixes the problem temporarily, but after I run aa-logprof again, I encounter the same audit logs again and again. Further, when I restart apparmor, I find that the #include <tunables/global> line has disappeared from my profile.

Also, when I try to put all profiles into enforce mode, I get a bit more detailed of an error:

sudo aa-enforce /etc/apparmor.d/*
Setting /etc/apparmor.d/usr.bin.kopete to enforce mode.
/sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Found reference to variable HOME, but is never declared

So, basically, AppArmor profile generation in Karmic is broken.

Here is my uname -a:

Linux 2.6.31-12-generic #41-Ubuntu SMP Wed Oct 7 19:37:12 UTC 2009 x86_64 GNU/Linux

Rookcifer (rookcifer)
tags: added: apparmor
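
A check for the symptom described in the report above, as an added example that is not part of the bug report or of the AppArmor tools: it flags profile files that reference an @{VAR} variable without declaring it or including <tunables/global>, which is the condition behind the "never declared" parser error. The function names and the two sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: flag AppArmor profiles that use
# @{VAR} variables without declaring them or including <tunables/global>.

# check_profile_vars FILE: returns 0 if every @{VAR} is resolvable,
# otherwise prints the undeclared names and returns 1.
check_profile_vars() {
    f=$1
    # With the include present, @{HOME} and friends come from the tunables.
    if grep -Eq '^[[:space:]]*#?include[[:space:]]+<tunables/global>' "$f"; then
        return 0
    fi
    # Variables referenced outside comment lines.
    used=$(grep -Ev '^[[:space:]]*#' "$f" |
           grep -Eo '@\{[A-Za-z_][A-Za-z0-9_]*\}' | sort -u)
    # Variables assigned in the profile itself (@{VAR} = ... or +=).
    declared=$(grep -Eo '^[[:space:]]*@\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*\+?=' "$f" |
               grep -Eo '@\{[^}]*\}' | sort -u)
    missing=
    for v in $used; do
        printf '%s\n' "$declared" | grep -Fxq -- "$v" || missing="$missing $v"
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s: undeclared%s\n' "$f" "$missing"
    return 1
}

# Constructed sample profiles (hypothetical binary /usr/bin/example).
write_samples() {
    printf '%s\n' '#include <tunables/global>' '/usr/bin/example {' \
        '  @{HOME}/.example/** rw,' '}' > "$1/good"
    printf '%s\n' '/usr/bin/example {' \
        '  @{HOME}/.example/** rw,' '}' > "$1/broken"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for p in "$tmp"/*; do
    check_profile_vars "$p" || true
done
rm -rf "$tmp"
```

Point it at the top-level profile files in /etc/apparmor.d/ rather than the abstractions/ or tunables/ subdirectories, which hold fragments that profiles include and do not carry the include line themselves.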
Marc Deslauriers (mdeslaur) wrote :

I can reproduce the problem on Karmic. Once you've generated a profile with aa-genprof, aa-logprof will parse the log files properly.

If you restart apparmor "/etc/init.d/apparmor restart", aa-logprof will ask for confirmation on every log entry it finds and will break the profile.

I'll investigate this.

Changed in apparmor (Ubuntu):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
summary: - [Karmic] Apparmor does not allow the generation of new profiles
+ [Karmic] After restarting AppArmor, aa-logprof doesn't seem to load the
+ existing profiles.
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

I've put an updated apparmor package to fix this issue in my PPA:

https://launchpad.net/~mdeslaur/+archive/ppa

Could you please try it and see if it fixes the issue for you?

Thanks.

Rookcifer (rookcifer) wrote : Re: [Bug 446449] Re: [Karmic] After restarting AppArmor, aa-logprof doesn't seem to load the existing profiles.

Thank you, Marc. Your patch seems to have fixed the issue (at least as
far as I can tell with my limited testing). I will let you know if any issues
arise. But so far, so good. ;)

Marc Deslauriers (mdeslaur) wrote :

SRU Nomination:

Impact: AppArmor user-space tool to generate new profiles does not work as expected. The "aa-logprof" tool doesn't read in existing profiles, will ask confirmation for every log entry it finds, and will generate a broken profile.

Bug: SubDomain.pm would skip reading in profiles that were located in the cache directory, instead of skipping _files_ that were in the cache directory. Fixing this bug uncovered two parsing bugs with new profiles that were introduced in the Karmic timeline: PUxr modes and include directories.

Patch: http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/ubuntu-karmic/revision/1057

Reproduce instructions:

1- Generate a new profile with aa-genprof. Answer all questions, and save profile
2- Restart AppArmor
3- Run aa-logprof.
4- Expected behaviour: aa-logprof should reparse log entries and everything should already be in the saved profile.
5- Buggy behaviour: aa-logprof will ask the user to confirm modifications to the profile.

Regression potential: This patch only modifies the tools to generate new profiles. Regular users will not be affected by this change. For users who are trying to generate an AppArmor profile, the tools are currently broken as it is.

Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu28

---------------
apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low

  [ Jamie Strandboge ]
  * update skype profile in extras. Based on work by Андрей Калинин.
    (LP: #226624)
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 11:02:27 -0600

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.1

---------------
apparmor (2.3.1+1403-0ubuntu27.1) karmic-proposed; urgency=low

  [ Jamie Strandboge ]
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Tue, 03 Nov 2009 14:30:19 -0600

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released