I took a quick look at this bug to attempt to locate the problem. I originally thought it was due to the Python utils' parser not supporting include rules that are missing a leading '#' but that's not the case since the regex in utils/apparmor/regex.py supports such an include rule:
    RE_INCLUDE = re.compile('^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)

The problem here is due to the regex only supporting include paths that are surrounded by <>. The apparmor_parser allows for absolute include paths to be surrounded by "" or by nothing at all, and that is what the Python utils do not currently support.

Also note that there are existing, but commented out, tests for this style of include rules in utils/test/test-regex_matches.py:

    class Test_re_match_include(AATest):
        tests = [
            ...
            # ('include foo',        'foo'      ),  # XXX not supported in tools yet
            # ('include /foo/bar',   '/foo/bar' ),  # XXX not supported in tools yet
            # ('include "foo"',      'foo'      ),  # XXX not supported in tools yet
            # ('include "/foo/bar"', '/foo/bar' ),  # XXX not supported in tools yet
            ...
        ]

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  apparmor python tools do not understand 'include' rules

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Trusty:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Zesty:
  New
Status in apparmor source package in Artful:
  New
Status in apparmor source package in Bionic:
  New

Bug description:
  The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

  Reproducer:

    $ mkdir /tmp/test
    $ cat /etc/apparmor.d/lp1733700
    profile lp1733700 {
      include "/tmp/test"
    }
    $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
    ok
    $ sudo aa-enforce /etc/apparmor.d/lp1733700
    ERROR: Syntax Error: Missing '}' or ','.
    Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

  Changing the 'include' to '#include' results in:

    $ sudo aa-enforce /etc/apparmor.d/lp1733700
    Setting /etc/apparmor.d/lp1733700 to enforce mode.

  At least aa-logprof is also affected.

  = Original report =

  On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser
    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
      include "/var/lib/snapd/apparmor/snap-confine.d"
      /etc/ld.so.cache r,

  I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions
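As an added illustration of the gap described in the comment above (example code written for this note, not the project's own regex or fix), the pattern below extends the quoted RE_INCLUDE so that an include path may be given in <>, in double quotes, or bare; the RE_EOL value and the match_include/find_includes helpers are assumptions, not the tools' API.

```python
import re

# Assumption: trailing whitespace and an optional '#' comment end the line.
RE_EOL = r'\s*(?:#.*)?$'

# Extended form of the quoted RE_INCLUDE (example, not the project's code):
# the path may appear in <> (the "magic" form the original already matched),
# in double quotes, or bare, as apparmor_parser accepts.
RE_INCLUDE = re.compile(
    r'^\s*#?include'
    r'(?:\s*<(?P<magicpath>[^>]*)>'     # #include <abstractions/base>
    r'|\s*"(?P<quotedpath>[^"]*)"'      # include "/tmp/test"
    r'|\s+(?P<barepath>[^\s<"]\S*))'    # include /tmp/test
    + RE_EOL)


def match_include(line):
    """Return (path, is_magic) for an include rule, or None for any other line.

    is_magic is True for the <...> form, whose path is looked up on the
    parser's include search path; the other two forms are used as written.
    """
    m = RE_INCLUDE.match(line)
    if m is None:
        return None
    if m.group('magicpath') is not None:
        return m.group('magicpath'), True
    if m.group('quotedpath') is not None:
        return m.group('quotedpath'), False
    return m.group('barepath'), False


def find_includes(profile_text):
    """Collect the include rules of a profile body, one line at a time."""
    return [r for r in (match_include(l) for l in profile_text.splitlines()) if r]


if __name__ == '__main__':
    # Constructed sample profile, modelled on the reproducer in the bug report.
    sample = '''
profile lp1733700 {
  #include <abstractions/base>
  include "/tmp/test"
  include /tmp/other  # bare absolute path
  /etc/ld.so.cache r,
}
'''
    for path, magic in find_includes(sample):
        print(('<%s>' if magic else '%s') % path)
```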