2.8beta1 bugs with minimization enabled

Bug #940362 reported by Jamie Strandboge on 2012-02-24
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Medium
John Johansen
Precise
Medium
John Johansen

Bug Description

With minimization enabled, test-apparmor.py fails in various places. One failure is the following, which causes a kernel NULL pointer dereference:
$ sudo /sbin/apparmor_parser --write-cache --replace -T /etc/apparmor.d/usr.bin.evince

This is worked around with the following:
$ sudo /sbin/apparmor_parser --write-cache --replace -T -O no-minimize /etc/apparmor.d/usr.bin.evince

Additionally, with minimization in effect, the python environment filtering tests fail, but with no denials in the log. Eg:
======================================================================
FAIL: test_envfilter_python (__main__.ApparmorEnvFilter)
Test python environment filtering (PYTHONPATH)
----------------------------------------------------------------------
...
IOError: invalid Python installation: unable to open /usr/include/python2.7/pyconfig.h (Permission denied)

In addition to the above, some pam_apparmor tests also fail:
======================================================================
FAIL: test_pam_default_user_group (__main__.ApparmorPAM)
Test pam (order=default,user,group)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-apparmor.py", line 1766, in test_pam_default_user_group
    self.assertEquals(expected, rc, result + report)
AssertionError: Got exit code 0, expected 1
you read me

======================================================================
FAIL: test_pam_group_default_user (__main__.ApparmorPAM)
Test pam (order=group,default,user)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-apparmor.py", line 1867, in test_pam_group_default_user
    self.assertEquals(expected, rc, result + report)
AssertionError: Got exit code 0, expected 1
you read me

======================================================================
FAIL: test_pam_group_user_default (__main__.ApparmorPAM)
Test pam (order=group,user,default)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-apparmor.py", line 1723, in test_pam_group_user_default
    self.assertEquals(expected, rc, result + report)
AssertionError: Got exit code 0, expected 1
you read me

======================================================================
FAIL: test_pam_user_default_group (__main__.ApparmorPAM)
Test pam (order=user,default,group)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-apparmor.py", line 1784, in test_pam_user_default_group
    self.assertEquals(expected, rc, result + report)
AssertionError: Got exit code 0, expected 1
you read me

======================================================================
FAIL: test_pam_user_group_default (__main__.ApparmorPAM)
Test pam (order=user,group,default)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-apparmor.py", line 1671, in test_pam_user_group_default
    self.assertEquals(expected, rc, result + report)
AssertionError: Got exit code 0, expected 1
you read me

Disabling minimization allows these to complete.

Related branches

Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → ubuntu-12.04
status: New → Confirmed
summary: - 2.8beta1 doesn't always work with minimization enabled
+ 2.8beta1 bugs with minimization enabled
description: updated
tags: added: regression-release rls-p-tracking
Jamie Strandboge (jdstrand) wrote :

As mentioned, disabling minimization fixes the issue and all upstream and QRT tests pass. This is a viable workaround for beta1 and the development release as this only:
 * slows down policy generation when the binary cache is out of date
 * uses slightly more in-kernel memory after policy load

In other words, this does not adversely affect the system or boot performance under normal circumstances.

Jamie Strandboge (jdstrand) wrote :

Patches undergoing upstream review. Should have upload to fix this in a few days.

Changed in apparmor (Ubuntu Precise):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.100-0ubuntu1

---------------
apparmor (2.7.100-0ubuntu1) precise; urgency=low

  * New upstream bug fix release which fixes (in addition to other bugs):
    - LP: #940362
    - LP: #947617
    - LP: #949891
  * Drop the following patches, included upstream:
    - 0004-lp918879.patch
    - 0007-lp941506.patch
    - 0008-lp941503.patch
    - 0009-lp943161.patch
  * Drop the following patch, no longer required:
    - 0005-disable-minimization.patch
  * Rename 0006-lp941808.patch 0004-lp941808.patch
  * debian/patches/0001-add-chromium-browser.patch: update for additional
    denials with newer chromium-browser. (LP: #937723)
  * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags
 -- Jamie Strandboge <email address hidden> Fri, 09 Mar 2012 06:56:48 -0600

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers