touch-packages team mailing list archive

Thread
Date

[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Tue, 07 Oct 2014 14:37:52 -0000
Reply-to: Bug 1377338 <1377338@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

For rtm I can add a workaround to /lib/apparmor/functions to fallback to
using -n1 if tha parser fails on the profile set. This is a minimal
change and retains the performance improvements of not using -n1 in the
normal case of things being ok. However, we want to remove this and rely
on the parser handling this correctly going forward.

** Also affects: apparmor (Ubuntu RTM)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu RTM)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu RTM)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu RTM)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1377338

Title:
  apparmor may fail to load some profiles if one is corrupted

Status in “apparmor” package in Ubuntu:
  Triaged
Status in “click-apparmor” package in Ubuntu:
  In Progress
Status in “apparmor” package in Ubuntu RTM:
  In Progress
Status in “click-apparmor” package in Ubuntu RTM:
  In Progress

Bug description:
  Steps to reproduce (on the emulator):
  1. sudo sh -c 'echo foo > /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638'
  2. sudo start apparmor ACTION=teardown
  3. sudo start apparmor
  start: Job failed to start
  4. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_bad
  5. sudo rm -f /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638
  6. sudo aa-clickhook # regenerates the missing profile to had a good one
  7. sudo start apparmor ACTION=teardown
  8. sudo start apparmor
  9. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_good
  10. diff -Naur /tmp/aa-status.music_bad /tmp/aa-status.music_good
  --- /tmp/aa-status.music_bad	2014-10-03 22:47:52.890906744 +0000
  +++ /tmp/aa-status.music_good	2014-10-03 22:49:54.372739381 +0000
  @@ -13,6 +13,10 @@
      com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.18//oxide_helper
      com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter-helper_1.0.18
      com.ubuntu.dropping-letters_dropping-letters_0.1.2.2.66
  +   com.ubuntu.music_music_1.3.638
  +   com.ubuntu.shorts_shorts_0.2.330
  +   com.ubuntu.sudoku_sudoku_1.1.292
  +   com.ubuntu.weather_weather_1.1.374
      lxc-container-default
      lxc-container-default-with-mounting
      lxc-container-default-with-nesting

  Expected results: only com.ubuntu.music_music_1.3.638 should be
  missing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377338/+subscriptions

References

[Bug 1377338] [NEW] apparmor may fail to load some profiles if one is corrupted
From: Jamie Strandboge, 2014-10-03