Activity log for bug #1733700

Date | Who | What changed | Old value | New value | Message
2017-11-21 21:31:24 | Felix Eckhofer | bug | | | added bug
2017-11-21 22:28:14 | Jamie Strandboge | snapd (Ubuntu): status | New | Triaged |
2017-11-21 22:28:14 | Jamie Strandboge | snapd (Ubuntu): assignee | | Zygmunt Krynicki (zyga) |
2017-11-30 15:45:25 | Oliver Sauder | bug | | | added subscriber Oliver Sauder
2017-11-30 17:24:06 | Jamie Strandboge | affects | snapd (Ubuntu) | apparmor (Ubuntu) |
2017-11-30 17:24:06 | Jamie Strandboge | apparmor (Ubuntu): assignee | Zygmunt Krynicki (zyga) | Jamie Strandboge (jdstrand) |
2017-11-30 17:57:34 | Jamie Strandboge | summary | aa-enforce fails due to syntax error in snapd.snap-confine profile | apparmor python tools do not understand 'include' rules |
2017-11-30 17:57:34 | Jamie Strandboge | description
Old value:
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.

New value:
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.

2017-11-30 17:57:45 | Jamie Strandboge | bug task added | | apparmor |
2017-11-30 17:57:55 | Jamie Strandboge | apparmor (Ubuntu): assignee | Jamie Strandboge (jdstrand) | |
2017-11-30 17:58:06 | Jamie Strandboge | apparmor: status | New | Triaged |
2017-11-30 17:59:17 | Jamie Strandboge | nominated for series | | Ubuntu Bionic |
2017-11-30 17:59:17 | Jamie Strandboge | bug task added | | apparmor (Ubuntu Bionic) |
2017-11-30 17:59:17 | Jamie Strandboge | nominated for series | | Ubuntu Trusty |
2017-11-30 17:59:17 | Jamie Strandboge | bug task added | | apparmor (Ubuntu Trusty) |
2017-11-30 17:59:17 | Jamie Strandboge | nominated for series | | Ubuntu Artful |
2017-11-30 17:59:17 | Jamie Strandboge | bug task added | | apparmor (Ubuntu Artful) |
2017-11-30 17:59:17 | Jamie Strandboge | nominated for series | | Ubuntu Xenial |
2017-11-30 17:59:17 | Jamie Strandboge | bug task added | | apparmor (Ubuntu Xenial) |
2017-11-30 17:59:17 | Jamie Strandboge | nominated for series | | Ubuntu Zesty |
2017-11-30 17:59:17 | Jamie Strandboge | bug task added | | apparmor (Ubuntu Zesty) |
2017-11-30 17:59:38 | Jamie Strandboge | apparmor (Ubuntu Bionic): status | Triaged | New |
2017-11-30 18:11:11 | Tyler Hicks | bug | | | added subscriber Tyler Hicks
2017-12-18 19:29:29 | Jamie Strandboge | apparmor: assignee | | Jamie Strandboge (jdstrand) |
2017-12-18 19:29:33 | Jamie Strandboge | apparmor: status | Triaged | In Progress |
2017-12-18 22:09:54 | Jamie Strandboge | summary | apparmor python tools do not understand 'include' rules | python tools do not understand 'non-magic' include rules |
2017-12-18 22:10:02 | Jamie Strandboge | apparmor (Ubuntu Trusty): status | New | Triaged |
2017-12-18 22:10:05 | Jamie Strandboge | apparmor (Ubuntu Xenial): status | New | Triaged |
2017-12-18 22:10:07 | Jamie Strandboge | apparmor (Ubuntu Zesty): status | New | Triaged |
2017-12-18 22:10:09 | Jamie Strandboge | apparmor (Ubuntu Artful): status | New | Triaged |
2017-12-18 22:10:11 | Jamie Strandboge | apparmor (Ubuntu Bionic): status | New | Triaged |
2017-12-18 22:23:54 | Jamie Strandboge | description
Old value: the previous description (the new value of the 2017-11-30 17:57:34 entry above, which the log repeats verbatim here).

New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.

2017-12-18 22:24:21 | Jamie Strandboge | description
Old value: the previous description (the new value of the 2017-12-18 22:23:54 entry above, which the log repeats verbatim here).

New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700.

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.

2017-12-20 23:30:10 | Jamie Strandboge | description
Old value: the previous description (the new value of the 2017-12-18 22:24:21 entry above, which the log repeats verbatim here).

New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.

2018-01-04 19:40:40 | Jamie Strandboge | apparmor: status | In Progress | Fix Released |
2018-01-04 19:41:01 | Jamie Strandboge | apparmor (Ubuntu Bionic): status | Triaged | In Progress |
2018-01-04 19:41:01 | Jamie Strandboge | apparmor (Ubuntu Bionic): assignee | | Jamie Strandboge (jdstrand) |
2018-01-04 22:36:23 | Jamie Strandboge | apparmor (Ubuntu Trusty): assignee | | Jamie Strandboge (jdstrand) |
2018-01-04 22:36:32 | Jamie Strandboge | apparmor (Ubuntu Xenial): assignee | | Jamie Strandboge (jdstrand) |
2018-01-04 22:36:41 | Jamie Strandboge | apparmor (Ubuntu Zesty): assignee | | Jamie Strandboge (jdstrand) |
2018-01-04 22:36:49 | Jamie Strandboge | apparmor (Ubuntu Artful): assignee | | Jamie Strandboge (jdstrand) |
2018-01-04 22:47:09 | Jamie Strandboge | description
Old value: the previous description (the new value of the 2017-12-20 23:30:10 entry above, which the log repeats verbatim here).

New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
/etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.
2018-01-04 22:49:16 Jamie Strandboge description
Old value: identical to the new value of the preceding description change.
New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
...
don't exercise the application at all so we just have the default profile
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>

[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?

[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
    /etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.
2018-01-05 21:36:33 Jamie Strandboge description
Old value: identical to the new value of the preceding description change.
New value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
...
don't exercise the application at all so we just have the default profile
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>

[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?

[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d"
    /etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

This is snapd 2.28.5+17.10.
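Worked example, added here and not code from the apparmor project, from snapd or from this bug's reporter: a small Python model of the two include-rule recognisers that the test cases above contrast. The two regexes are a simplification written for this illustration (they are not the python tools' real code), the rewrite step's rule that anything classified as a comment is dropped is likewise an assumption made to reproduce the "discard includes with absolute paths" effect the mergeprof test describes, and the sample profile is constructed in the shape of test case #1. It shows that a magic-only recogniser errors on 'include "/tmp/test2"', reads '#include "/tmp/test1"' as a comment and loses it on rewrite, while the widened recogniser keeps both and writes them back in the '#include' spelling, which is why the verification steps accept either spelling.

```python
import re

# Constructed sample profile in the shape of the bug's test case #1
# (sample input for this example, not the file from the report).
SAMPLE_PROFILE = """profile lp1733700 {
  #include <abstractions/base>
  #include "/tmp/test1"
  include "/tmp/test2"
  /etc/ld.so.cache r,
}
"""

# The same profile after the workaround the original description tried:
# 'include' spelled as '#include'.
COMMENTED_PROFILE = SAMPLE_PROFILE.replace('  include "/tmp/test2"',
                                           '  #include "/tmp/test2"')

# Pre-fix recogniser, modelled on the behaviour the bug describes (an
# assumption of this example, not the tools' real regex): only the
# '#include <magic>' spelling is an include rule, so '#include "/abs/path"'
# falls through to the generic '#' comment case below.
MAGIC_ONLY_INCLUDE_RE = re.compile(r'^\s*#include\s*<(?P<magic>[^>]+)>\s*$')

# Post-fix recogniser: the leading '#' is optional and the target is either a
# magic <relative/path> or a quoted "/absolute/path", the two forms used in
# the test cases on this page.
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?:<(?P<magic>[^>]+)>|"(?P<quoted>[^"]+)")\s*$')


class ProfileSyntaxError(ValueError):
    """A line the recogniser cannot place (the 'Unknown line found' failure)."""


def classify(line, include_re):
    """Classify one profile line as ('include', target), ('comment', text),
    ('rule', text) or ('blank', None) using the given include recogniser."""
    stripped = line.strip()
    if not stripped:
        return ('blank', None)
    m = include_re.match(line)
    if m:
        groups = m.groupdict()
        if groups.get('magic') is not None:
            return ('include', '<%s>' % groups['magic'])
        return ('include', '"%s"' % groups['quoted'])
    if stripped.startswith('#'):
        return ('comment', stripped)
    # Enough rule detection for this illustration: a profile header line,
    # a closing brace, or a comma-terminated rule.
    if stripped.endswith('{') or stripped == '}' or stripped.endswith(','):
        return ('rule', stripped)
    raise ProfileSyntaxError('Unknown line found: %s' % stripped)


def parse(text, include_re):
    """Classify every line of a profile."""
    return [classify(line, include_re) for line in text.splitlines()]


def includes(text, include_re):
    """Targets of the include rules the recogniser actually sees."""
    return [value for kind, value in parse(text, include_re) if kind == 'include']


def is_rejected(text, include_re):
    """True when the recogniser errors out on the profile instead of parsing it."""
    try:
        parse(text, include_re)
    except ProfileSyntaxError:
        return True
    return False


def rewrite(text, include_re):
    """Write the profile back from the parsed model: include rules in the
    '#include' spelling, other rules verbatim, and anything classified as a
    comment dropped (an assumption of this example, see the lead-in)."""
    out = []
    for kind, value in parse(text, include_re):
        if kind == 'include':
            out.append('  #include %s' % value)
        elif kind == 'rule':
            out.append(value if value.endswith('{') or value == '}' else '  ' + value)
    return '\n'.join(out) + '\n'


def silently_dropped(text):
    """Include targets the pre-fix recogniser reads as comments and so loses on
    rewrite; None when it cannot parse the profile at all."""
    if is_rejected(text, MAGIC_ONLY_INCLUDE_RE):
        return None
    seen_old = includes(text, MAGIC_ONLY_INCLUDE_RE)
    return [t for t in includes(text, INCLUDE_RE) if t not in seen_old]


if __name__ == '__main__':
    print('post-fix sees:', includes(SAMPLE_PROFILE, INCLUDE_RE))
    print('pre-fix rejects the profile:', is_rejected(SAMPLE_PROFILE, MAGIC_ONLY_INCLUDE_RE))
    print('with "#include" the pre-fix tools drop:', silently_dropped(COMMENTED_PROFILE))
    print(rewrite(SAMPLE_PROFILE, INCLUDE_RE))
```

Run as a script it prints the three include targets the widened recogniser finds, confirms the magic-only one rejects the profile, lists the two absolute-path includes that the '#include' workaround turns into comments, and prints the normalised profile. The practical check this models is the one the test cases make: after any tool rewrites a profile, diff the include lines against the input rather than trusting that the tool loaded without error.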
2018-01-05 21:43:55 Jamie Strandboge description
Old value:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
...
don't exercise the application at all so we just have the default profile
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>

[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?

[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$ Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths): $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # Last Modified: Wed Dec 20 17:16:34 2017 #include <tunables/global> /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include <abstractions/base> #include <abstractions/bash> /bin/cat rix, /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring. = Original description = The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details). Reproducer: $ mkdir /tmp/test $ cat /etc/apparmor.d/lp1733700 profile lp1733700 {   include "/tmp/test" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700 Changing the 'include' to '#include' results in: $ sudo aa-enforce /etc/apparmor.d/lp1733700 Setting /etc/apparmor.d/lp1733700 to enforce mode. At least aa-logprof is also affected. = Original report = On Ubuntu artful, I'm seeing the following behavior:     $ aa-enforce usr.bin.chromium-browser     ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:         include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r, I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10. 
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so-called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.

$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
...
don't exercise the application any so we just have the default profile
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>

[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,
}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
 [1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
 [1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
 [1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,
}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.
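The two behaviours the description contrasts, shown side by side as an added Python example (not part of the bug report and not the apparmor utils' own code): a pre-fix style matcher that only recognises '#include <magic>', so that '#include "/tmp/test1"' is silently taken for a comment and a bare 'include' line is rejected, and a matcher that accepts both keywords with either a <magic> location or a quoted absolute path. Both regexes are simplified stand-ins written for this example; the profile text is constructed from test case #1 above plus one abstraction include.

```python
import re

# Pre-fix matcher, modelled on the bug's account of the old utils: only
# '#include <magic>' counts as an include; any other '#' line is a comment.
# Assumption: a simplified stand-in, not the real utils/apparmor regex.
RE_INCLUDE_OLD = re.compile(r'^\s*#include\s*<(?P<magic>[^>]+)>\s*$')

# Fixed matcher: the leading '#' is optional (apparmor_parser accepts a
# plain 'include') and the target is a <magic> location or a quoted
# absolute path. Assumption: illustrative, not the shipped fix.
RE_INCLUDE_NEW = re.compile(
    r'^\s*#?include\s+(?:<(?P<magic>[^>]+)>|"(?P<abs>/[^"]+)")\s*$')


def classify(line, rx):
    """Classify one profile line under the given include matcher.

    Returns ('include', path) for a recognised include, ('comment', None)
    for a comment, ('error', text) for an include keyword the matcher does
    not understand (what aa-enforce reported as a syntax error), or
    ('other', text) for any other rule text.
    """
    m = rx.match(line)
    if m:
        path = next(v for v in m.groupdict().values() if v is not None)
        return ('include', path)
    text = line.strip()
    if text.startswith('#'):
        # Under the old matcher '#include "/abs/path"' lands here and is
        # dropped without any diagnostic: the silent failure mode.
        return ('comment', None)
    if text.startswith('include'):
        return ('error', text)
    return ('other', text)


def includes_in(profile_text, rx):
    """Include targets the matcher recognises, in file order."""
    return [path for kind, path in
            (classify(ln, rx) for ln in profile_text.splitlines())
            if kind == 'include']


def unparsed_lines(profile_text, rx):
    """Lines the matcher rejects outright (a syntax error in the old tools)."""
    return [text for kind, text in
            (classify(ln, rx) for ln in profile_text.splitlines())
            if kind == 'error']


# Constructed from test case #1 in the bug, plus one magic include.
PROFILE = """profile lp1733700 {
  #include <abstractions/base>
  #include "/tmp/test1"
  include "/tmp/test2"
}
"""

if __name__ == '__main__':
    for name, rx in (('old', RE_INCLUDE_OLD), ('new', RE_INCLUDE_NEW)):
        print(name, 'includes:', includes_in(PROFILE, rx),
              'errors:', unparsed_lines(PROFILE, rx))
```

Run against the constructed profile, the old matcher keeps only abstractions/base, treats the quoted test1 include as a comment and rejects the test2 line, while the new matcher returns all three include targets and rejects nothing. The practical point for anyone maintaining profiles with a rewriting tool (aa-logprof, aa-mergeprof) is the comment case: a rule that parses without error but is not understood can be dropped from the saved profile, so after such tools touch a profile it is worth diffing the result against the original.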
2018-01-05 23:14:43 Jamie Strandboge apparmor (Ubuntu Artful): status Triaged In Progress
2018-01-05 23:14:48 Jamie Strandboge apparmor (Ubuntu Xenial): status Triaged In Progress
2018-01-05 23:14:51 Jamie Strandboge apparmor (Ubuntu Trusty): status Triaged In Progress
2018-02-15 21:11:18 Jamie Strandboge apparmor (Ubuntu Zesty): status Triaged Won't Fix
2018-02-15 21:14:47 Jamie Strandboge apparmor (Ubuntu Trusty): status In Progress Won't Fix
2018-02-15 21:14:50 Jamie Strandboge apparmor (Ubuntu Xenial): status In Progress Won't Fix
2018-02-15 21:14:53 Jamie Strandboge apparmor (Ubuntu Artful): status In Progress Won't Fix
2018-02-15 21:15:02 Jamie Strandboge apparmor (Ubuntu Bionic): status In Progress Triaged
2018-02-15 21:15:08 Jamie Strandboge apparmor (Ubuntu Bionic): assignee Jamie Strandboge (jdstrand)
2018-03-20 20:29:24 Launchpad Janitor apparmor (Ubuntu Bionic): status Triaged Fix Released