[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
This bug was fixed in the package apparmor - 2.12-4ubuntu1 --- apparmor (2.12-4ubuntu1) bionic; urgency=medium [ Tyler Hicks ] * Merge from Debian to get gbp-pq related packaging improvements. Thanks to intrigeri for making those improvements! Remaining Ubuntu changes: - debian/gbp.conf: Use ubuntu/master as the debian-branch - Update package maintainer to be Ubuntu Developers in the control file - Call handle_system_policy_package_updates in apparmor.init. This is needed for snappy and system-images. Note that this prevents using a remove /var. - Apply Ubuntu-specific patches + parser-include-usr-share-apparmor.patch + profiles-grant-access-to-systemd-resolved.patch + add-chromium-browser.patch - Install Ubuntu chromium-browser profile and abstraction - Feature pinning is not used in Ubuntu [ intrigeri ] * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where the Ubuntu packaging is maintained. apparmor (2.12-4) unstable; urgency=medium * Migrate patch handling to gbp-pq (Closes: #888244). * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta): - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch: new patch, properly identify empty ouid/fsuid fields in logs. - upstream-commit-130958a-allow-shell-helper-read-locale.patch: new patch, allow the shell helper regression test program read the locale. -- Tyler Hicks Mon, 19 Mar 2018 16:24:57 + ** Changed in: apparmor (Ubuntu Bionic) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in apparmor source package in Trusty: Won't Fix Status in apparmor source package in Xenial: Won't Fix Status in apparmor source package in Zesty: Won't Fix Status in apparmor source package in Artful: Won't Fix Status in apparmor source package in Bionic: Fix Released Bug description: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = $ sudo apt-get install apparmor apparmor-utils # from proposed $ sudo apt-get build-dep apparmor $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher $ apt-get source apparmor # from proposed $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = This assumes test case #0 has been performed. $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adj
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
Due to the builder being down for meltdown/spectre, the patches for this were delayed. However, the 3rd core snap without the issue (2.29.4.2, 2.30 and the upcoming 2.31.1) that caused this problem is about to be released meaning the affected core snap revision is about to be reaped which will resolve this bug for those users. As a result, marking all stable releases of Ubuntu as Won't Fix. Bionic will be fixed with the upcoming 2.12 merge from Debian. ** Changed in: apparmor (Ubuntu Zesty) Status: Triaged => Won't Fix ** Changed in: apparmor (Ubuntu Trusty) Status: In Progress => Won't Fix ** Changed in: apparmor (Ubuntu Xenial) Status: In Progress => Won't Fix ** Changed in: apparmor (Ubuntu Artful) Status: In Progress => Won't Fix ** Changed in: apparmor (Ubuntu Bionic) Status: In Progress => Triaged ** Changed in: apparmor (Ubuntu Bionic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: Triaged Status in apparmor source package in Trusty: Won't Fix Status in apparmor source package in Xenial: Won't Fix Status in apparmor source package in Zesty: Won't Fix Status in apparmor source package in Artful: Won't Fix Status in apparmor source package in Bionic: Triaged Bug description: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = $ sudo apt-get install apparmor apparmor-utils # from proposed $ sudo apt-get build-dep apparmor $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher $ apt-get source apparmor # from proposed $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = This assumes test case #0 has been performed. $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would y
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Changed in: apparmor (Ubuntu Artful) Status: Triaged => In Progress ** Changed in: apparmor (Ubuntu Xenial) Status: Triaged => In Progress ** Changed in: apparmor (Ubuntu Trusty) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: In Progress Status in apparmor source package in Trusty: In Progress Status in apparmor source package in Xenial: In Progress Status in apparmor source package in Zesty: Triaged Status in apparmor source package in Artful: In Progress Status in apparmor source package in Bionic: In Progress Bug description: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = $ sudo apt-get install apparmor apparmor-utils # from proposed $ sudo apt-get build-dep apparmor $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher $ apt-get source apparmor # from proposed $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = This assumes test case #0 has been performed. $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } = test case #4 (aa-mergepro
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Description changed: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = $ sudo apt-get install apparmor apparmor-utils # from proposed $ sudo apt-get build-dep apparmor - $ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher + $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher $ apt-get source apparmor # from proposed $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = This assumes test case #0 has been performed. $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { - #include "/tmp/test1" - include "/tmp/test2" + #include "/tmp/test1" + include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails - = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { - #include - #include - - /bin/dash ix, - /lib/x86_64-linux-gnu/ld-*.so mr, - /tmp/lp1733700 r, - - } - + #include + #include + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + + } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: - #include "/tmp/test1" - include "/tmp/test2" + #include "/tmp/test1" + include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? - [1 - /tmp/lp1733700] + [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { - #include "/tmp/test1" - #include "/tmp/test2" - #include - #include - - /bin/dash ix, - /lib/x86_64-linux-gnu/ld-*.so mr, - /tmp/lp1733700 r, - /usr/bin/uptime mrix, - - } - + #include "/tmp/test1" + #include "/tmp/test2" + #include + #include + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + /usr/bin/uptime mrix, + + } = test case #4 (aa-mergeprof) = $ mkdir -p /tmp/aa-mergeprof/new $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Description changed: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = - $ sudo apt-get install apparmor apparmor-utils # not required with 2.12 + $ sudo apt-get install apparmor apparmor-utils # from proposed $ sudo apt-get build-dep apparmor - $ sudo apt-get install quilt pyflakes pyflakes3 - $ apt-get source apparmor + $ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher + $ apt-get source apparmor # from proposed $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = + + This assumes test case #0 has been performed. + $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } = test case #4 (aa-mergeprof) = $ mkdir -p /tmp/aa-mergeprof/new $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat #include /tmp/lp1733700 { #include #include #include "/tmp/test1" /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 #
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Description changed: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. + = test case #0 (testsuite) = + $ sudo apt-get install apparmor apparmor-utils # not required with 2.12 + $ sudo apt-get build-dep apparmor + $ sudo apt-get install quilt pyflakes pyflakes3 + $ apt-get source apparmor + $ cd apparmor-* + $ quilt push -a + $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) + $ export PYTHON=/usr/bin/python3 + $ export PYTHON_VERSION=3 + $ export PYTHON_VERSIONS=python3 + $ cd libraries/libapparmor + $ sh ./autogen.sh + $ sh ./configure --prefix=/usr --with-perl --with-python + $ make + $ cd ../../binutils + $ make + $ ../parser + $ make + $ cd ../utils + $ make + $ make check = test case #1 (aa-enforce) = $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } = test case #4 (aa-mergeprof) = $ mkdir -p /tmp/aa-mergeprof/new $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat #include /tmp/lp1733700 { #include #include #include "/tmp/test1" /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime #include /tmp/lp1733700 { #include #include #include "/tmp/test2" /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /bin/cat ixr, } $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/a
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Changed in: apparmor (Ubuntu Trusty) Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: apparmor (Ubuntu Xenial) Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: apparmor (Ubuntu Zesty) Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: apparmor (Ubuntu Artful) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: In Progress Status in apparmor source package in Trusty: Triaged Status in apparmor source package in Xenial: Triaged Status in apparmor source package in Zesty: Triaged Status in apparmor source package in Artful: Triaged Status in apparmor source package in Bionic: In Progress Bug description: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #0 (testsuite) = $ sudo apt-get install apparmor apparmor-utils # not required with 2.12 $ sudo apt-get build-dep apparmor $ sudo apt-get install quilt pyflakes pyflakes3 $ apt-get source apparmor $ cd apparmor-* $ quilt push -a $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python) $ export PYTHON=/usr/bin/python3 $ export PYTHON_VERSION=3 $ export PYTHON_VERSIONS=python3 $ cd libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl --with-python $ make $ cd ../../binutils $ make $ ../parser $ make $ cd ../utils $ make $ make check = test case #1 (aa-enforce) = $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" $ chmod 755 /tmp/lp1733700 # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
The was fixed upstream in 2.12. ** Changed in: apparmor Status: In Progress => Fix Released ** Changed in: apparmor (Ubuntu Bionic) Status: Triaged => In Progress ** Changed in: apparmor (Ubuntu Bionic) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: In Progress Status in apparmor source package in Trusty: Triaged Status in apparmor source package in Xenial: Triaged Status in apparmor source package in Zesty: Triaged Status in apparmor source package in Artful: Triaged Status in apparmor source package in Bionic: In Progress Bug description: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. = test case #1 (aa-enforce) = $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { #include "/tmp/test1" include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails = test case #2 (aa-genprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. $ cat /tmp/lp1733700 #!/bin/sh set -e sh -c "$@" # run without confinement: $ /tmp/lp1733700 'cat /etc/fstab' | head -1 # /etc/fstab: static file system information. # invoke genprof $ sudo aa-genprof /tmp/lp1733700 ... [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails ... don't exercise the application any so we just have the default profile ... [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' ... Finished generating profile for /tmp/lp1733700. $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 15:53:07 2017 #include /tmp/lp1733700 { #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, } = test case #3 (aa-logprof) = This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists. Disable kernel rate limiting: $ sudo sysctl -w kernel.printk_ratelimit=0 Create mark entry in syslog: $ logger mark-lp1733700 Try running logprof with no new denials: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. $ Adjust /etc/apparmor.d/tmp.lp1733700 to add: #include "/tmp/test1" include "/tmp/test2" Load it into the kernel: $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 Create a new denial: $ /tmp/lp1733700 'uptime' sh: 1: uptime: Permission denied $ Try running logprof: $ sudo aa-logprof -m mark-lp1733700 # currently fails Reading log entries from /var/log/syslog. Updating AppArmor profiles in /etc/apparmor.d. Profile: /tmp/lp1733700 Execute: /usr/bin/uptime Severity: unknown (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish ... The following local profiles were changed. Would you like to save them? [1 - /tmp/lp1733700] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t Writing updated profile for /tmp/lp1733700. $ Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'): $ sudo cat /etc/apparmor.d/tmp.lp1733700 # Last Modified: Wed Dec 20 16:19:19 2017 #include /tmp/lp1733700 { #include "/tmp/test1" #include "/tmp/test2" #include #include /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } = test case #4 (aa-mergeprof) = $ mkdir -p /tmp/aa-mergeprof/new $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat #include /tmp/lp1733700 { #include #include #include "/tmp/test1" /bin/dash ix, /lib/x86_64-linux-gnu/ld-*.so mr, /tmp/lp1733700 r, /usr/bin/uptime mrix, } $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime #include /tmp/lp1733700 { #include #include #include "/tmp/
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Description changed: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. - Reproducer: - + + = test case #1 (aa-enforce) = $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { - #include "/tmp/test1" - include "/tmp/test2" + #include "/tmp/test1" + include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok - $ sudo aa-enforce /etc/apparmor.d/lp1733700 - - ERROR: Syntax Error: Missing '}' or ','. Reached end of file - /etc/apparmor.d/lp1733700 while inside profile lp1733700. + $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails + + + = test case #2 (aa-genprof) = + + This assumes test case #1 was already performed and + /etc/apparmor.d/lp1733700 exists with the above includes. + + $ cat /tmp/lp1733700 + #!/bin/sh + set -e + sh -c "$@" + + # run without confinement: + $ /tmp/lp1733700 'cat /etc/fstab' | head -1 + # /etc/fstab: static file system information. + + # invoke genprof + $ sudo aa-genprof /tmp/lp1733700 + ... + [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails + ... don't exercise the application any so we just have the default profile ... + [(S)can system log for AppArmor events] / (F)inish - PRESS 'f' + ... + Finished generating profile for /tmp/lp1733700. + + $ sudo cat /etc/apparmor.d/tmp.lp1733700 + # Last Modified: Wed Dec 20 15:53:07 2017 + #include + + /tmp/lp1733700 { + #include + #include + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + + } + + + = test case #3 (aa-logprof) = + + This assumes test case #1 was already performed and + /etc/apparmor.d/lp1733700 exists with the above includes. + + This also assumes test case #2 was already performed and + /etc/apparmor.d/tmp.lp1733700 exists. + + Disable kernel rate limiting: + $ sudo sysctl -w kernel.printk_ratelimit=0 + + Create mark entry in syslog: + $ logger mark-lp1733700 + + Try running logprof with no new denials: + + $ sudo aa-logprof -m mark-lp1733700 # currently fails + Reading log entries from /var/log/syslog. + Updating AppArmor profiles in /etc/apparmor.d. + $ + + Adjust /etc/apparmor.d/tmp.lp1733700 to add: + + #include "/tmp/test1" + include "/tmp/test2" + + Load it into the kernel: + $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700 + + Create a new denial: + $ /tmp/lp1733700 'uptime' + sh: 1: uptime: Permission denied + $ + + Try running logprof: + + $ sudo aa-logprof -m mark-lp1733700 # currently fails + Reading log entries from /var/log/syslog. + Updating AppArmor profiles in /etc/apparmor.d. + + Profile: /tmp/lp1733700 + Execute: /usr/bin/uptime + Severity: unknown + + (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish + ... + The following local profiles were changed. Would you like to save them? + + [1 - /tmp/lp1733700] + (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t + + + Writing updated profile for /tmp/lp1733700. + $ + + Verify the profile for 'uptime' addition and that the /tmp/test1 and + /tmp/test2 includes were not removed (it is ok that they are both + '#include'): + + $ sudo cat /etc/apparmor.d/tmp.lp1733700 + # Last Modified: Wed Dec 20 16:19:19 2017 + #include + + /tmp/lp1733700 { + #include "/tmp/test1" + #include "/tmp/test2" + #include + #include + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + /usr/bin/uptime mrix, + + } + + + = test case #4 (aa-mergeprof) = + + $ mkdir -p /tmp/aa-mergeprof/new + $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions + $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash + $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old + + $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat + #include + + /tmp/lp1733700 { + #include + #include + #include "/tmp/test1" + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + /usr/bin/uptime mrix, + + } + + $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime + #include + + /tmp/lp1733700 { + #include + #include + #include "/tmp/test2" + + /bin/dash ix, + /lib/x86_64-linux-gnu/ld-*.so mr, + /tmp/lp1733700 r, + /bin/cat ixr, + + } + + $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700 + ... + [1 - #include "/tmp/test1"] + [(A)llow] / (I)gnore / Abo(r)t / (F)inish + + ... + [1 - /usr/bin/uptime mrix,] + (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish + + ... + The following local profiles were changed. Would you like to save them? + + [1 - /tmp/lp1733700] + (S)ave Changes / [(V)iew
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Description changed: - The apparmor_parser now supports 'include' rules in addition to - '#include', but the python tools only understand '#include'. This - manifested itself in Ubuntu in bug #1734038 (see - https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 - of that bug for details). + The apparmor parser supports 'include' and '#include' rules for + specifying absolute paths, but the python tools only understand include + rules for so called 'magic' '<>' file locations. + + Reproducer: + + $ mkdir /tmp/test1 /tmp/test2 + + $ cat /etc/apparmor.d/lp1733700 + profile lp1733700 { + #include "/tmp/test1" + include "/tmp/test2" + } + + $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok + + $ sudo aa-enforce /etc/apparmor.d/lp1733700 + + ERROR: Syntax Error: Missing '}' or ','. Reached end of file + /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr + + Note that the original description said that changing the rule from + 'include' to '#include' fixed the issue when in reality it only allowed + the rule to parse as a comment instead of erroring. + + = Original description = + The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details). Reproducer: $ mkdir /tmp/test $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { - include "/tmp/test" + include "/tmp/test" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700 Changing the 'include' to '#include' results in: - $ sudo aa-enforce /etc/apparmor.d/lp1733700 + $ sudo aa-enforce /etc/apparmor.d/lp1733700 Setting /etc/apparmor.d/lp1733700 to enforce mode. At least aa-logprof is also affected. = Original report = On Ubuntu artful, I'm seeing the following behavior: - $ aa-enforce usr.bin.chromium-browser - - ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15: - include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r, + $ aa-enforce usr.bin.chromium-browser + + ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15: + include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r, I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10. ** Description changed: The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations. Reproducer: $ mkdir /tmp/test1 /tmp/test2 $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { - #include "/tmp/test1" - include "/tmp/test2" + #include "/tmp/test1" + include "/tmp/test2" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 ERROR: Syntax Error: Missing '}' or ','. Reached end of file - /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr + /etc/apparmor.d/lp1733700 while inside profile lp1733700. Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring. = Original description = The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details). Reproducer: $ mkdir /tmp/test $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { include "/tmp/test" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700 Changing the 'include' to '#include' results in: $ sudo aa-enforce /etc/apparmor.d/lp1733700 Setting /etc/apparmor.d/lp1733700 to enforce mode. At least aa-logprof is also affected. = Original report = On Ubuntu artful, I'm seeing the following behavior: $ aa-enforce usr.bin.chromium-browser ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15: include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r, I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is
[Touch-packages] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
** Summary changed: - apparmor python tools do not understand 'include' rules + python tools do not understand 'non-magic' include rules ** Changed in: apparmor (Ubuntu Trusty) Status: New => Triaged ** Changed in: apparmor (Ubuntu Xenial) Status: New => Triaged ** Changed in: apparmor (Ubuntu Zesty) Status: New => Triaged ** Changed in: apparmor (Ubuntu Artful) Status: New => Triaged ** Changed in: apparmor (Ubuntu Bionic) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1733700 Title: python tools do not understand 'non-magic' include rules Status in AppArmor: In Progress Status in apparmor package in Ubuntu: Triaged Status in apparmor source package in Trusty: Triaged Status in apparmor source package in Xenial: Triaged Status in apparmor source package in Zesty: Triaged Status in apparmor source package in Artful: Triaged Status in apparmor source package in Bionic: Triaged Bug description: The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details). Reproducer: $ mkdir /tmp/test $ cat /etc/apparmor.d/lp1733700 profile lp1733700 { include "/tmp/test" } $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok ok $ sudo aa-enforce /etc/apparmor.d/lp1733700 ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700 Changing the 'include' to '#include' results in: $ sudo aa-enforce /etc/apparmor.d/lp1733700 Setting /etc/apparmor.d/lp1733700 to enforce mode. At least aa-logprof is also affected. = Original report = On Ubuntu artful, I'm seeing the following behavior: $ aa-enforce usr.bin.chromium-browser ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15: include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r, I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp