[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-03-20 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.12-4ubuntu1

---
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
intrigeri for making those improvements! Remaining Ubuntu changes:
- debian/gbp.conf: Use ubuntu/master as the debian-branch
- Update package maintainer to be Ubuntu Developers in the control file
- Call handle_system_policy_package_updates in apparmor.init.
  This is needed for snappy and system-images. Note that this prevents
  using a remote /var.
- Apply Ubuntu-specific patches
  + parser-include-usr-share-apparmor.patch
  + profiles-grant-access-to-systemd-resolved.patch
  + add-chromium-browser.patch
- Install Ubuntu chromium-browser profile and abstraction
- Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
- upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
  new patch, properly identify empty ouid/fsuid fields in logs.
- upstream-commit-130958a-allow-shell-helper-read-locale.patch:
  new patch, allow the shell helper regression test program read
  the locale.

 -- Tyler Hicks   Mon, 19 Mar 2018 16:24:57 +

** Changed in: apparmor (Ubuntu Bionic)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Trusty:
  Won't Fix
Status in apparmor source package in Xenial:
  Won't Fix
Status in apparmor source package in Zesty:
  Won't Fix
Status in apparmor source package in Artful:
  Won't Fix
Status in apparmor source package in Bionic:
  Fix Released

Bug description:
  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand
  include rules for so-called 'magic' '<>' file locations.

  = test case #0 (testsuite) =
  $ sudo apt-get install apparmor apparmor-utils # from proposed
  $ sudo apt-get build-dep apparmor
  $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
  $ apt-get source apparmor # from proposed
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ cd ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check

  = test case #1 (aa-enforce) =

  This assumes test case #0 has been performed.

  $ mkdir /tmp/test1 /tmp/test2

  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    #include "/tmp/test1"
    include "/tmp/test2"
  }

  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok

  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  = test case #2 (aa-genprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"

  $ chmod 755 /tmp/lp1733700

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 

  /tmp/lp1733700 {
    #include 
    #include 

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,

  }

  = test case #3 (aa-logprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:

  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adj
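The two include forms the test cases turn on, as an added Python example (my own illustration, not code from the AppArmor utilities): a parser that accepts both the magic `<...>` location and the quoted absolute path, beside a legacy mode that only matches the magic form, which is the behaviour the report describes. The sample profile is constructed, and `/etc/apparmor.d` as the base directory for magic includes is an assumption.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Behaviour the bug report describes: the Python tools only recognised an
# include that names a "magic" <...> location, whichever keyword was used.
LEGACY_INCLUDE_RE = re.compile(
    r'^\s*(?P<kw>#include|include)\s+<(?P<magic>[^>]+)>\s*$'
)

# Fixed behaviour: either keyword, followed by a magic <path> (relative to the
# profile directory) or a double-quoted absolute path, the two forms the
# parser accepts and the test cases above exercise.
INCLUDE_RE = re.compile(
    r'^\s*(?P<kw>#include|include)\s+'
    r'(?:<(?P<magic>[^>]+)>|"(?P<quoted>/[^"]*)")\s*$'
)


@dataclass(frozen=True)
class Include:
    keyword: str   # "#include" or "include", as written in the profile
    magic: bool    # True for <...>, False for a quoted absolute path
    path: str      # the location without its delimiters


def parse_include(line: str, legacy: bool = False) -> Optional[Include]:
    """Return the Include a rule line denotes, or None for any other line.

    legacy=True mimics the pre-fix tools: '#include "/tmp/test1"' and
    'include "/tmp/test2"' are not recognised and yield None.
    """
    m = (LEGACY_INCLUDE_RE if legacy else INCLUDE_RE).match(line)
    if not m:
        return None
    if m.group("magic") is not None:
        return Include(m.group("kw"), True, m.group("magic"))
    return Include(m.group("kw"), False, m.group("quoted"))


def resolve_include(inc: Include, profile_dir: str = "/etc/apparmor.d") -> str:
    """Magic locations live under the profile directory (assumed to be
    /etc/apparmor.d, as in the test cases); quoted paths are used as given."""
    if inc.magic:
        return os.path.join(profile_dir, inc.path.lstrip("/"))
    return inc.path


def format_include(inc: Include) -> str:
    """Write a rule back the way the fixed tools do in test case #3: both
    quoted includes come back as '#include', which the report says is fine."""
    if inc.magic:
        return f"#include <{inc.path}>"
    return f'#include "{inc.path}"'


def collect_includes(profile_text: str, legacy: bool = False) -> List[str]:
    """Resolve every include rule in a profile.

    A line that starts like an include rule but does not parse raises
    ValueError, which is the failure mode aa-enforce and aa-logprof showed
    on the quoted-path includes before the fix.
    """
    resolved = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        inc = parse_include(line, legacy=legacy)
        if inc is not None:
            resolved.append(resolve_include(inc))
        elif line.startswith(("#include", "include")):
            raise ValueError(f"unrecognised include rule: {line!r}")
    return resolved


# Constructed sample: the profile from test case #1 with one magic include
# and one file rule added so all three line kinds are exercised.
SAMPLE_PROFILE = """\
profile lp1733700 {
  #include <tunables/global>
  #include "/tmp/test1"
  include "/tmp/test2"
  /bin/dash ix,
}
"""

if __name__ == "__main__":
    print(collect_includes(SAMPLE_PROFILE))
    try:
        collect_includes(SAMPLE_PROFILE, legacy=True)
    except ValueError as e:
        print("legacy tools:", e)
```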

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-02-15 Thread Jamie Strandboge
Due to the builder being down for meltdown/spectre, the patches for this
were delayed. However, the 3rd core snap without the issue (2.29.4.2,
2.30 and the upcoming 2.31.1) that caused this problem is about to be
released meaning the affected core snap revision is about to be reaped
which will resolve this bug for those users. As a result, marking all
stable releases of Ubuntu as Won't Fix. Bionic will be fixed with the
upcoming 2.12 merge from Debian.

** Changed in: apparmor (Ubuntu Zesty)
   Status: Triaged => Won't Fix

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Xenial)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Artful)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Bionic)
   Status: In Progress => Triaged

** Changed in: apparmor (Ubuntu Bionic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)


Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Triaged
Status in apparmor source package in Trusty:
  Won't Fix
Status in apparmor source package in Xenial:
  Won't Fix
Status in apparmor source package in Zesty:
  Won't Fix
Status in apparmor source package in Artful:
  Won't Fix
Status in apparmor source package in Bionic:
  Triaged


[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-05 Thread Jamie Strandboge
** Changed in: apparmor (Ubuntu Artful)
   Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Xenial)
   Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Trusty)
   Status: Triaged => In Progress


Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Trusty:
  In Progress
Status in apparmor source package in Xenial:
  In Progress
Status in apparmor source package in Zesty:
  Triaged
Status in apparmor source package in Artful:
  In Progress
Status in apparmor source package in Bionic:
  In Progress


[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-05 Thread Jamie Strandboge
** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
  = test case #0 (testsuite) =
  $ sudo apt-get install apparmor apparmor-utils # from proposed
  $ sudo apt-get build-dep apparmor
- $ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and 
higher
+ $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on 
xenial and higher
  $ apt-get source apparmor # from proposed
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check
  
  = test case #1 (aa-enforce) =
  
  This assumes test case #0 has been performed.
  
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
-   #include "/tmp/test1"
-   include "/tmp/test2"
+   #include "/tmp/test1"
+   include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
- 
  
  = test case #2 (aa-genprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"
  
  $ chmod 755 /tmp/lp1733700
  
  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.
  
  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently 
fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 
  
  /tmp/lp1733700 {
-   #include 
-   #include 
- 
-   /bin/dash ix,
-   /lib/x86_64-linux-gnu/ld-*.so mr,
-   /tmp/lp1733700 r,
- 
- }
- 
+   #include 
+   #include 
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+ 
+ }
  
  = test case #3 (aa-logprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.
  
  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0
  
  Create mark entry in syslog:
  $ logger mark-lp1733700
  
  Try running logprof with no new denials:
  
  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $
  
  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  
-   #include "/tmp/test1"
-   include "/tmp/test2"
+   #include "/tmp/test1"
+   include "/tmp/test2"
  
  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
  
  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $
  
  Try running logprof:
  
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  
  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown
  
  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  
-  [1 - /tmp/lp1733700]
+  [1 - /tmp/lp1733700]
  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes 
b/w (C)lean profiles / Abo(r)t
  
  
  Writing updated profile for /tmp/lp1733700.
  $
  
  Verify the profile for 'uptime' addition and that the /tmp/test1 and
  /tmp/test2 includes were not removed (it is ok that they are both
  '#include'):
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include 
  
  /tmp/lp1733700 {
-   #include "/tmp/test1"
-   #include "/tmp/test2"
-   #include 
-   #include 
- 
-   /bin/dash ix,
-   /lib/x86_64-linux-gnu/ld-*.so mr,
-   /tmp/lp1733700 r,
-   /usr/bin/uptime mrix,
- 
- }
- 
+   #include "/tmp/test1"
+   #include "/tmp/test2"
+   #include 
+   #include 
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
  
  = test case #4 (aa-mergeprof) =
  
  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global 
/tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
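Review bot: the `realpath` added to the `apt-get install quilt realpath pyflakes pyflakes3` line in test case #0 closes a real gap, since the later `export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)` step relies on that binary; the other hunks in this revision (the include lines in test cases #1 and #3 and the two profile listings) change only leading whitespace, so nothing else in the procedure moved. The unchanged `$ ../parser` line between `cd ../../binutils` / `make` and the next `make` still reads as a dropped `cd ../parser` and would be worth fixing while the description is being edited.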

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-05 Thread Jamie Strandboge
** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
  = test case #0 (testsuite) =
- $ sudo apt-get install apparmor apparmor-utils # not required with 2.12
+ $ sudo apt-get install apparmor apparmor-utils # from proposed
  $ sudo apt-get build-dep apparmor
- $ sudo apt-get install quilt pyflakes pyflakes3
- $ apt-get source apparmor
+ $ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and 
higher
+ $ apt-get source apparmor # from proposed
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check
  
  = test case #1 (aa-enforce) =
+ 
+ This assumes test case #0 has been performed.
+ 
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
  
  
  = test case #2 (aa-genprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"
  
  $ chmod 755 /tmp/lp1733700
  
  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.
  
  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently 
fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 
  
  /tmp/lp1733700 {
#include 
#include 
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
  
  }
  
  
  = test case #3 (aa-logprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.
  
  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0
  
  Create mark entry in syslog:
  $ logger mark-lp1733700
  
  Try running logprof with no new denials:
  
  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $
  
  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  
#include "/tmp/test1"
include "/tmp/test2"
  
  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
  
  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $
  
  Try running logprof:
  
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  
  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown
  
  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  
   [1 - /tmp/lp1733700]
  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes 
b/w (C)lean profiles / Abo(r)t
  
  
  Writing updated profile for /tmp/lp1733700.
  $
  
  Verify the profile for 'uptime' addition and that the /tmp/test1 and
  /tmp/test2 includes were not removed (it is ok that they are both
  '#include'):
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include 
  
  /tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include 
#include 
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
  
  }
  
  
  = test case #4 (aa-mergeprof) =
  
  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global 
/tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
  $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
  
  $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
  #include 
  
  /tmp/lp1733700 {
#include 
#include 
#include "/tmp/test1"
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
  
  }
  
  $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 #
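Review bot: the new `# pyflakes3 on xenial and higher` comment on the `apt-get install quilt pyflakes pyflakes3` line documents a version dependency but leaves the command unconditional, so on trusty the line as written still has to be edited by hand before it runs; consider saying so directly (for example `# drop pyflakes3 on trusty`). The added `This assumes test case #0 has been performed.` under test case #1 is a welcome fix, since test cases #2 and #3 already carry the equivalent assumption lines.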

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-04 Thread Jamie Strandboge
** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
+ = test case #0 (testsuite) =
+ $ sudo apt-get install apparmor apparmor-utils # not required with 2.12
+ $ sudo apt-get build-dep apparmor
+ $ sudo apt-get install quilt pyflakes pyflakes3
+ $ apt-get source apparmor
+ $ cd apparmor-*
+ $ quilt push -a
+ $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
+ $ export PYTHON=/usr/bin/python3
+ $ export PYTHON_VERSION=3
+ $ export PYTHON_VERSIONS=python3
+ $ cd libraries/libapparmor
+ $ sh ./autogen.sh
+ $ sh ./configure --prefix=/usr --with-perl --with-python
+ $ make
+ $ cd ../../binutils
+ $ make
+ $ ../parser
+ $ make
+ $ cd ../utils
+ $ make
+ $ make check
  
  = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
  
  
  = test case #2 (aa-genprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"
  
  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.
  
  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently 
fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 
  
  /tmp/lp1733700 {
#include 
#include 
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
  
  }
  
  
  = test case #3 (aa-logprof) =
  
  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.
  
  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.
  
  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0
  
  Create mark entry in syslog:
  $ logger mark-lp1733700
  
  Try running logprof with no new denials:
  
  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $
  
  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  
#include "/tmp/test1"
include "/tmp/test2"
  
  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
  
  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $
  
  Try running logprof:
  
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  
  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown
  
  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  
   [1 - /tmp/lp1733700]
  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes 
b/w (C)lean profiles / Abo(r)t
  
  
  Writing updated profile for /tmp/lp1733700.
  $
  
  Verify the profile for 'uptime' addition and that the /tmp/test1 and
  /tmp/test2 includes were not removed (it is ok that they are both
  '#include'):
  
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include 
  
  /tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include 
#include 
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
  
  }
  
  
  = test case #4 (aa-mergeprof) =
  
  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global 
/tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
  $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
  
  $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
  #include 
  
  /tmp/lp1733700 {
#include 
#include 
#include "/tmp/test1"
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
  
  }
  
  $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
  #include 
  
  /tmp/lp1733700 {
#include 
#include 
#include "/tmp/test2"
  
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
  
  }
  
  $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new 
/tmp/a
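Review bot: in the added test case #0, `$ ../parser` sits between `cd ../../binutils` / `make` and a second `make`, which looks like a dropped `cd ../parser`; as written the line would try to execute a directory and the following `make` would rerun in binutils. The `export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)` step also uses `realpath`, which the `apt-get install quilt pyflakes pyflakes3` line does not list, so the prerequisites are incomplete on a system where it is not already present.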

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-04 Thread Jamie Strandboge
** Changed in: apparmor (Ubuntu Trusty)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Xenial)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Zesty)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Artful)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)


Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Trusty:
  Triaged
Status in apparmor source package in Xenial:
  Triaged
Status in apparmor source package in Zesty:
  Triaged
Status in apparmor source package in Artful:
  Triaged
Status in apparmor source package in Bionic:
  In Progress

Bug description:
  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand
  include rules for so called 'magic' '<>' file locations.

  = test case #0 (testsuite) =
  $ sudo apt-get install apparmor apparmor-utils # not required with 2.12
  $ sudo apt-get build-dep apparmor
  $ sudo apt-get install quilt pyflakes pyflakes3
  $ apt-get source apparmor
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check

  = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2

  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
  }

  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok

  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  
  = test case #2 (aa-genprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"

  $ chmod 755 /tmp/lp1733700

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 

  /tmp/lp1733700 {
#include 
#include 

/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,

  }

  
  = test case #3 (aa-logprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:

  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adjust /etc/apparmor.d/tmp.lp1733700 to add:

#include "/tmp/test1"
include "/tmp/test2"

  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $

  Try running logprof:

  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.

  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown

  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  
   [1 - /tmp/lp1733700]
  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
  

  Writing updated profile for /tmp/lp1733700.
  $

  Verify the profile for 'uptime' addition and that the /tmp/test1 and
  /tmp/test2 includes were not removed (it is ok that they are both
  '#include'):

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include 

  /tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include 
#include 

/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2018-01-04 Thread Jamie Strandboge
This was fixed upstream in 2.12.

** Changed in: apparmor
   Status: In Progress => Fix Released

** Changed in: apparmor (Ubuntu Bionic)
   Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Bionic)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)


Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Trusty:
  Triaged
Status in apparmor source package in Xenial:
  Triaged
Status in apparmor source package in Zesty:
  Triaged
Status in apparmor source package in Artful:
  Triaged
Status in apparmor source package in Bionic:
  In Progress

Bug description:
  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand
  include rules for so called 'magic' '<>' file locations.

  
  = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2

  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
  }

  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok

  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  
  = test case #2 (aa-genprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
  ... don't exercise the application any so we just have the default profile ...
  [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include 

  /tmp/lp1733700 {
#include 
#include 

/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,

  }

  
  = test case #3 (aa-logprof) =

  This assumes test case #1 was already performed and
  /etc/apparmor.d/lp1733700 exists with the above includes.

  This also assumes test case #2 was already performed and
  /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:

  $ sudo aa-logprof -m mark-lp1733700   # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adjust /etc/apparmor.d/tmp.lp1733700 to add:

#include "/tmp/test1"
include "/tmp/test2"

  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $

  Try running logprof:

  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.

  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown

  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  
   [1 - /tmp/lp1733700]
  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
  

  Writing updated profile for /tmp/lp1733700.
  $

  Verify the profile for 'uptime' addition and that the /tmp/test1 and
  /tmp/test2 includes were not removed (it is ok that they are both
  '#include'):

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include 

  /tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include 
#include 

/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,

  }

  
  = test case #4 (aa-mergeprof) =

  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
  $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old

  $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
  #include 

  /tmp/lp1733700 {
#include 
#include 
#include "/tmp/test1"

/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,

  }

  $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
  #include 

  /tmp/lp1733700 {
#include 
#include 
#include "/tmp/

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2017-12-20 Thread Jamie Strandboge
** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
- Reproducer:
- 
+ 
+ = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
-   #include "/tmp/test1"
-   include "/tmp/test2"
+   #include "/tmp/test1"
+   include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
- $ sudo aa-enforce /etc/apparmor.d/lp1733700
- 
- ERROR: Syntax Error: Missing '}' or ','. Reached end of file
- /etc/apparmor.d/lp1733700 while inside profile lp1733700.
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
+ 
+ 
+ = test case #2 (aa-genprof) =
+ 
+ This assumes test case #1 was already performed and
+ /etc/apparmor.d/lp1733700 exists with the above includes.
+ 
+ $ cat /tmp/lp1733700
+ #!/bin/sh
+ set -e
+ sh -c "$@"
+ 
+ # run without confinement:
+ $ /tmp/lp1733700 'cat /etc/fstab' | head -1
+ # /etc/fstab: static file system information.
+ 
+ # invoke genprof
+ $ sudo aa-genprof /tmp/lp1733700
+ ...
+ [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently 
fails
+ ... don't exercise the application any so we just have the default profile ...
+ [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
+ ...
+ Finished generating profile for /tmp/lp1733700.
+ 
+ $ sudo cat /etc/apparmor.d/tmp.lp1733700
+ # Last Modified: Wed Dec 20 15:53:07 2017
+ #include 
+ 
+ /tmp/lp1733700 {
+   #include 
+   #include 
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+ 
+ }
+ 
+ 
+ = test case #3 (aa-logprof) =
+ 
+ This assumes test case #1 was already performed and
+ /etc/apparmor.d/lp1733700 exists with the above includes.
+ 
+ This also assumes test case #2 was already performed and
+ /etc/apparmor.d/tmp.lp1733700 exists.
+ 
+ Disable kernel rate limiting:
+ $ sudo sysctl -w kernel.printk_ratelimit=0
+ 
+ Create mark entry in syslog:
+ $ logger mark-lp1733700
+ 
+ Try running logprof with no new denials:
+ 
+ $ sudo aa-logprof -m mark-lp1733700   # currently fails
+ Reading log entries from /var/log/syslog.
+ Updating AppArmor profiles in /etc/apparmor.d.
+ $
+ 
+ Adjust /etc/apparmor.d/tmp.lp1733700 to add:
+ 
+   #include "/tmp/test1"
+   include "/tmp/test2"
+ 
+ Load it into the kernel:
+ $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
+ 
+ Create a new denial:
+ $ /tmp/lp1733700 'uptime'
+ sh: 1: uptime: Permission denied
+ $
+ 
+ Try running logprof:
+ 
+ $ sudo aa-logprof -m mark-lp1733700 # currently fails
+ Reading log entries from /var/log/syslog.
+ Updating AppArmor profiles in /etc/apparmor.d.
+ 
+ Profile:  /tmp/lp1733700
+ Execute:  /usr/bin/uptime
+ Severity: unknown
+ 
+ (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
+ ...
+ The following local profiles were changed. Would you like to save them?
+ 
+  [1 - /tmp/lp1733700]
+ (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes 
b/w (C)lean profiles / Abo(r)t
+ 
+ 
+ Writing updated profile for /tmp/lp1733700.
+ $
+ 
+ Verify the profile for 'uptime' addition and that the /tmp/test1 and
+ /tmp/test2 includes were not removed (it is ok that they are both
+ '#include'):
+ 
+ $ sudo cat /etc/apparmor.d/tmp.lp1733700
+ # Last Modified: Wed Dec 20 16:19:19 2017
+ #include 
+ 
+ /tmp/lp1733700 {
+   #include "/tmp/test1"
+   #include "/tmp/test2"
+   #include 
+   #include 
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
+ 
+ 
+ = test case #4 (aa-mergeprof) =
+ 
+ $ mkdir -p /tmp/aa-mergeprof/new
+ $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
+ $ touch /tmp/aa-mergeprof/new/tunables/global 
/tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
+ $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
+ 
+ $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
+ #include 
+ 
+ /tmp/lp1733700 {
+   #include 
+   #include 
+   #include "/tmp/test1"
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
+ 
+ $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
+ #include 
+ 
+ /tmp/lp1733700 {
+   #include 
+   #include 
+   #include "/tmp/test2"
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /bin/cat ixr,
+ 
+ }
+ 
+ $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new 
/tmp/aa-mergeprof/old/tmp.lp1733700
+ ...
+  [1 - #include "/tmp/test1"]
+ [(A)llow] / (I)gnore / Abo(r)t / (F)inish
+ 
+ ...
+  [1 - /usr/bin/uptime mrix,]
+ (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / 
Audi(t) / Abo(r)t / (F)inish
+ 
+ ...
+ The following local profiles were changed. Would you like to save them?
+ 
+  [1 - /tmp/lp1733700]
+ (S)ave Changes / [(V)iew
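The test cases above (#1 to #4) all come down to one parsing question: which include spellings the python utilities recognise. The following is an added example, not code from the bug report or from the AppArmor project's own utils, written to make that distinction concrete. It classifies every include directive in a profile by spelling ('include' versus '#include') and by target form (magic '<...>' versus a quoted absolute path), reports how the pre-2.12 python tools handled each one according to this bug (magic: understood; 'include "/abs"': the "Missing '}' or ','" syntax error; '#include "/abs"': parsed as a comment), and mirrors the aa-mergeprof step of test case #4 by listing the lines of an old profile that a new profile lacks. The regex, the sample profiles and the magic include names in them are constructed for this example and are assumptions, not the page's literal files.

```python
import re

# Constructed sample profiles (not the page's literal files). OLD and NEW mirror
# the bug's aa-mergeprof test case: OLD carries /tmp/test1 and uptime, NEW
# carries /tmp/test2 and cat. The magic include names are assumed for the example.
OLD_PROFILE = '''\
# Last Modified: (constructed sample)
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include "/tmp/test1"
  include "/tmp/test2"
  # a real comment, not an include

  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,
}
'''

NEW_PROFILE = '''\
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  include "/tmp/test2"

  /tmp/lp1733700 r,
  /bin/cat ixr,
}
'''

# Matches both spellings ('include' and '#include') and both target forms: a
# magic <path> relative to the include directory, or a quoted absolute path.
# Written for this example; it is not the upstream utils' own pattern.
INCLUDE_RE = re.compile(
    r'^\s*(?P<hash>#)?include\s+'
    r'(?:<(?P<magic>[^>]+)>|"(?P<abs>/[^"]*)")\s*$'
)


def parse_include(line):
    """Return (spelling, kind, target) for an include directive, else None."""
    m = INCLUDE_RE.match(line)
    if not m:
        return None
    spelling = '#include' if m.group('hash') else 'include'
    if m.group('magic') is not None:
        return (spelling, 'magic', m.group('magic'))
    return (spelling, 'absolute', m.group('abs'))


def legacy_tool_outcome(spelling, kind):
    """How the pre-2.12 python tools, as described in the bug, treated a directive."""
    if kind == 'magic':
        return 'understood'
    if spelling == 'include':
        return 'syntax error'       # aa-enforce: "Missing '}' or ','"
    return 'dropped as comment'     # '#include "/abs"' parsed as a comment


def audit_profile(text):
    """List (lineno, spelling, kind, target, legacy_outcome) for every include."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_include(line)
        if parsed is None:
            continue
        spelling, kind, target = parsed
        findings.append((lineno, spelling, kind, target,
                         legacy_tool_outcome(spelling, kind)))
    return findings


def problem_includes(text):
    """The non-magic includes: the ones the old tools choked on or silently
    treated as comments (test case #3 checks that they survive a rewrite)."""
    return [f for f in audit_profile(text) if f[4] != 'understood']


def rules_in(text):
    """Set of rule and include lines (stripped); comments, blanks and the
    profile braces are excluded, so non-magic includes count as rules."""
    out = set()
    for line in text.splitlines():
        s = line.strip()
        if not s or s == '}' or s.endswith('{'):
            continue
        if s.startswith('#') and parse_include(s) is None:
            continue                # a real comment
        out.add(s)
    return out


def merge_candidates(old_text, new_text):
    """Lines present in old_text but missing from new_text: what the
    aa-mergeprof run in test case #4 prompts to bring across."""
    return sorted(rules_in(old_text) - rules_in(new_text))


if __name__ == '__main__':
    for f in audit_profile(OLD_PROFILE):
        print('line %d: %-8s %-8s %-22s -> %s' % f)
    print('merge candidates:', merge_candidates(OLD_PROFILE, NEW_PROFILE))
```

Run against the old sample profile, the two non-magic includes are the only findings flagged, and the merge step surfaces exactly the two lines (the /tmp/test1 include and the uptime rule) that the page's aa-mergeprof transcript prompts for.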

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2017-12-18 Thread Jamie Strandboge
** Description changed:

- The apparmor_parser now supports 'include' rules in addition to
- '#include', but the python tools only understand '#include'. This
- manifested itself in Ubuntu in bug #1734038 (see
- https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
- of that bug for details).
+ The apparmor parser supports 'include' and '#include' rules for
+ specifying absolute paths, but the python tools only understand include
+ rules for so called 'magic' '<>' file locations.
+ 
+ Reproducer:
+ 
+ $ mkdir /tmp/test1 /tmp/test2
+ 
+ $ cat /etc/apparmor.d/lp1733700
+ profile lp1733700 {
+   #include "/tmp/test1"
+   include "/tmp/test2"
+ }
+ 
+ $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
+ 
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ 
+ ERROR: Syntax Error: Missing '}' or ','. Reached end of file
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+ 
+ Note that the original description said that changing the rule from
+ 'include' to '#include' fixed the issue when in reality it only allowed
+ the rule to parse as a comment instead of erroring.
+ 
+ = Original description =
+ The apparmor_parser now supports 'include' rules in addition to '#include', 
but the python tools only understand '#include'. This manifested itself in 
Ubuntu in bug #1734038 (see 
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of 
that bug for details).
  
  Reproducer:
  
  $ mkdir /tmp/test
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
-   include "/tmp/test"
+   include "/tmp/test"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file 
/etc/apparmor.d/lp1733700 while inside profile lp1733700
  
  Changing the 'include' to '#include' results in:
- $ sudo aa-enforce /etc/apparmor.d/lp1733700 
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.
  
  At least aa-logprof is also affected.
  
  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:
  
- $ aa-enforce usr.bin.chromium-browser
- 
- ERROR: Syntax Error: Unknown line found in file 
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
- include "/var/lib/snapd/apparmor/snap-confine.d"   /etc/ld.so.cache r,
+ $ aa-enforce usr.bin.chromium-browser
+ 
+ ERROR: Syntax Error: Unknown line found in file 
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
+ include "/var/lib/snapd/apparmor/snap-confine.d"   /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
  This is snapd 2.28.5+17.10.

** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
  Reproducer:
  
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
-   #include "/tmp/test1"
-   include "/tmp/test2"
+   #include "/tmp/test1"
+   include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file
- /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700.
  
  Note that the original description said that changing the rule from
  'include' to '#include' fixed the issue when in reality it only allowed
  the rule to parse as a comment instead of erroring.
  
  = Original description =
  The apparmor_parser now supports 'include' rules in addition to '#include', 
but the python tools only understand '#include'. This manifested itself in 
Ubuntu in bug #1734038 (see 
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of 
that bug for details).
  
  Reproducer:
  
  $ mkdir /tmp/test
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    include "/tmp/test"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file 
/etc/apparmor.d/lp1733700 while inside profile lp1733700
  
  Changing the 'include' to '#include' results in:
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.
  
  At least aa-logprof is also affected.
  
  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:
  
  $ aa-enforce usr.bin.chromium-browser
  
  ERROR: Syntax Error: Unknown line found in file 
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d"   /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
  This is 

[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules

2017-12-18 Thread Jamie Strandboge
** Summary changed:

- apparmor python tools do not understand 'include' rules
+ python tools do not understand 'non-magic' include rules

** Changed in: apparmor (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Zesty)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Artful)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Bionic)
   Status: New => Triaged


Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  In Progress
Status in apparmor package in Ubuntu:
  Triaged
Status in apparmor source package in Trusty:
  Triaged
Status in apparmor source package in Xenial:
  Triaged
Status in apparmor source package in Zesty:
  Triaged
Status in apparmor source package in Artful:
  Triaged
Status in apparmor source package in Bionic:
  Triaged

Bug description:
  The apparmor_parser now supports 'include' rules in addition to
  '#include', but the python tools only understand '#include'. This
  manifested itself in Ubuntu in bug #1734038 (see
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
  of that bug for details).

  Reproducer:

  $ mkdir /tmp/test

  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
include "/tmp/test"
  }

  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok

  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

  Changing the 'include' to '#include' results in:
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 
  Setting /etc/apparmor.d/lp1733700 to enforce mode.

  At least aa-logprof is also affected.

  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:

  $ aa-enforce usr.bin.chromium-browser
  
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d"   /etc/ld.so.cache r,

  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
  This is snapd 2.28.5+17.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp