edubuntu-bugs team mailing list archive
-
edubuntu-bugs team
-
Mailing list archive
-
Message #11127
[Bug 2120284] Re: Tellico AppArmor policy parser error: unexpected TOK_ID, expecting TOK_MODE
** Description changed:
[SRU]
[ Impact ]
- * AppArmor profile for 'tellico' misformatted, which causes:
+ * AppArmor profile for 'tellico' misformatted, which causes:
- - Profile fails to load on package installation.
- - AppArmor cannot be restarted (profiles cannot be reloaded because of the faulty profile installed by tellico).
+ - Profile fails to load on package installation.
+ - AppArmor cannot be restarted (profiles cannot be reloaded because of the faulty profile installed by tellico).
- * The suggested upload [1] includes a simple fix to the profile.
+ * The suggested upload [1] includes a simple fix to the profile.
[ Test Plan ]
- * Reproducing the bug:
+ * Reproducing the bug:
- 1. Install the latest avail. version of package 'tellico':
+ 1. Install the latest avail. version of package 'tellico':
- - 4.1.1-1ubuntu2 on Plucky, or
- - 4.1.3-1ubuntu1 on Questing
+ - 4.1.1-1ubuntu2 on Plucky, or
+ - 4.1.3-1ubuntu1 on Questing
Output on Plucky:
$ sudo apt update
$ sudo apt install tellico
[snip]
Preparing to unpack .../tellico_4.1.1-1ubuntu2_amd64.deb ...
Unpacking tellico (4.1.1-1ubuntu2) ...
Setting up tellico (4.1.1-1ubuntu2) ...
AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE
- 2. Try to restart AppArmor:
+ 2. Try to restart AppArmor:
$ sudo systemctl restart apparmor
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xeu apparmor.service" for details.
$ sudo systemctl status apparmor.service
[snip]
Oct 08 06:32:19 telltest2504 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Restarting AppArmor
Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Reloading AppArmor profiles
Oct 08 06:32:20 telltest2504 apparmor.systemd[7934]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK>
Oct 08 06:32:20 telltest2504 apparmor.systemd[7795]: Error: At least one profile failed to load
Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 08 06:32:20 telltest2504 systemd[1]: Failed to start apparmor.service - load AppArmor profiles.
- * Fix:
+ * Fix:
- * Modifying the AppArmor profile as suggested in the linked bug [0],
+ * Modifying the AppArmor profile as suggested in the linked bug [0],
as well as in the prepared MPs against ubuntu/plucky-devel [1] and
ubuntu/devel [2], fixes the problem: tellico installs, and AppArmor can
(re)load all profiles as expected.
- * That the fix works can be tested by following the above
+ * That the fix works can be tested by following the above
instructions for reproducing after installing:
- - 4.1.1-1ubuntu3 from plucky-proposed (when [1] is merged)
- - 4.1.3-1ubuntu2 from questing-proposed (when [2] is merged)
+ - 4.1.1-1ubuntu3 from plucky-proposed (when [1] is merged)
+ - 4.1.3-1ubuntu2 from questing-proposed (when [2] is merged)
[ Where problems could occur ]
- * A faulty AppArmor profile (that can be loaded and allows the app to
+ * A faulty AppArmor profile (that can be loaded and allows the app to
run) could introduce a security problem. Given that the suggested fix
does not modify the access control (i.e. does not add, remove, or change
the defined rules in the profile, which had already been merged before)
and only fixes syntax, I believe this potential problem does not apply
in this case.
- Also, this profile is the same as a working profile in another package that already is a part of the distribution: plasma-welcome:
- https://git.launchpad.net/ubuntu/+source/plasma-welcome/tree/debian/plasma-welcome-apparmor
+ Also, this profile is the same as a working profile in a number of
+ other packages that already are a part of the distribution. For example:
+
+ - plasma-welcome: https://git.launchpad.net/ubuntu/+source/plasma-welcome/tree/debian/plasma-welcome-apparmor
+ - digikam: https://git.launchpad.net/ubuntu/+source/digikam/tree/debian/digikam-apparmor
+ - cantor: https://git.launchpad.net/ubuntu/+source/cantor/tree/debian/cantor-apparmor
+ - and others
[ Other Info ]
- * Tested with the same results (both the bug and the fix) on Plucky and
+ * Tested with the same results (both the bug and the fix) on Plucky and
Questing.
- * PPA with the fix for testing purposes is at [3].
+ * PPA with the fix for testing purposes is at [3].
- * The package has no autopkgtests, so not reporting on that.
+ * The package has no autopkgtests, so not reporting on that.
- * Devel is not yet open, so the package can't be fixed there, but an MP
+ * Devel is not yet open, so the package can't be fixed there, but an MP
with a proposed fix is opened against ubuntu/devel, ready to be merged
when devel becomes available [2].
- I hope this satisfies the exception to "Development release fixed
+ I hope this satisfies the exception to "Development release fixed
first": "stable release updates should not and do not need to wait for
the development release to open, as long as the development release
upload is prepared and ready" [4]
[0] https://bugs.launchpad.net/ubuntu/+source/tellico/+bug/2120284
[1] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/494043
[2] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/493972
[3] https://launchpad.net/~rkratky/+archive/ubuntu/tellico-fix-lp2120284-apparmor
[4] https://documentation.ubuntu.com/sru/en/latest/explanation/further-requirements/#explanation-devel-first
-
[ Original Description ]
Ubuntu 25.04
tellico 4.1.1-1ubuntu2
The AppArmor policy shipped with 'tellico'
(`/etc/apparmor.d/usr.bin.tellico`) seems misformatted, which causes
this error when trying to load it:
```
$ apparmor_parser /etc/apparmor.d/usr.bin.tellico
AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE
```
Line 33:
```
$ sed '30,36!d' /etc/apparmor.d/usr.bin.tellico
ptrace,
/usr/lib/qt6/libexec/QtWebEngineProcess
/** pux,
/{,**} mrwlk,
profile QtWebEngineProcess {
```
I'm guessing the following should fix it. But after loading the updated
profile (which goes through), Tellico segfaults immediately after
running it:
```
ptrace,
/usr/lib/qt6/libexec/QtWebEngineProcess cx -> QtWebEngineProcess,
profile QtWebEngineProcess {
capability,
userns,
```
Just to be sure, I also tried with the following (which was in Tellico
3.x), but Tellico also segfaults when this profile is loaded:
```
ptrace,
/usr/lib/qt6/libexec/QtWebEngineProcess cx ->
&tellico//QtWebEngineProcess,
profile QtWebEngineProcess {
capability,
userns,
```
Unloading the profile lets Tellico run again without the segfault.
I haven't investigated further yet.
** Also affects: marble (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to marble in Ubuntu.
https://bugs.launchpad.net/bugs/2120284
Title:
Tellico AppArmor policy parser error: unexpected TOK_ID, expecting
TOK_MODE
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/marble/+bug/2120284/+subscriptions
