
touch-packages team mailing list archive

[Bug 1394612] Re: apparmor-utils on 14.04 aka trusty is completely unusable

 

Hello Peter - Thanks for the bug report and thanks for working with us
upstream to improve the utils.

We are aware of and have fixed the first issue you mentioned (bug
#1294797). The same goes for the other two issues, although I don't have
the bug #'s or upstream revisions handy.

I'm going to close this bug as it summarizes already known issues that
have been fixed upstream. Those fixes will make their way back to Ubuntu
14.04 LTS through an SRU (https://wiki.ubuntu.com/StableReleaseUpdates).

** Changed in: apparmor (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1394612

Title:
  apparmor-utils on 14.04 aka trusty is completely unusable

Status in “apparmor” package in Ubuntu:
  Invalid

Bug description:
  The version of apparmor-utils in Ubuntu 14.04 is completely unusable.
  (2.8.95~2430-0ubuntu5)

  jjohansen on IRC has provided me with this repo instead, which works
  far better (2.8.98-0ubuntu2+utopic.backport). So I suggest you review
  this or whatever process is normally used, work with the developers,
  and update it urgently... apparmor tools are completely broken.

  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports/

  Here is the most basic example possible... I have nothing complicated
  in this system. It doesn't have any custom profiles, and I have copied
  /bin/bash to my home to make a profile. Then I run the bash and run
  "ls" to generate some logs. And then hit "s" to search.

  # aa-genprof /root/basharmor
  Writing updated profile for /root/basharmor.
  Setting /root/basharmor to complain mode.

  Before you begin, you may wish to check if a
  profile already exists for the application you
  wish to confine. See the following wiki page for
  more information:
  http://wiki.apparmor.net/index.php/Profiles

  Please start the application to be profiled in
  another window and exercise its functionality now.

  Once completed, select the "Scan" option below in
  order to scan the system logs for AppArmor events.

  For each AppArmor event, you will be given the
  opportunity to choose whether the access should be
  allowed or denied.

  Profiling: /root/basharmor

  [(S)can system log for AppArmor events] / (F)inish
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  Traceback (most recent call last):
    File "/usr/sbin/aa-genprof", line 150, in <module>
      lp_ret = apparmor.do_logprof_pass(logmark, passno)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2246, in do_logprof_pass
      read_profiles()
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
      read_profile(profile_dir + '/' + file, True)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
      profile_data = parse_profile_data(data, file, 0)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2700, in parse_profile_data
      filelist[file]['profiles'][profile][hat] = True
  TypeError: 'bool' object does not support item assignment

  aa-logprof doesn't crash the same way with this bash example, but
  there are lots of ways to crash it too.

  Here is an example of the most ridiculous error I got (which was
  probably actually the ppa:apparmor-dev/apparmor-devel version
  2.8.96~2541-0ubuntu3+abstract3, which was actually better than
  2.8.95~2430-0ubuntu5). Just simply running "aa-logprof" would give me
  this exception:

  root@ganglia:/etc/apparmor.d# aa-logprof
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 181, in load_variables
      for line in f_in:
    File "/usr/lib/python3.4/codecs.py", line 704, in __next__
      return next(self.reader)
    File "/usr/lib/python3.4/codecs.py", line 635, in __next__
      line = self.readline()
    File "/usr/lib/python3.4/codecs.py", line 548, in readline
      data = self.read(readsize, firstline=True)
    File "/usr/lib/python3.4/codecs.py", line 494, in read
      newchars, decodedbytes = self.decode(data, self.errors)
  UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte

  And then to figure out which file it was trying to read, I added
  another exception that contains the name:

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/sbin/aa-logprof", line 52, in <module>
      apparmor.do_logprof_pass(logmark)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2261, in do_logprof_pass
      handle_children('', '', root)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1236, in handle_children
      sev_db.load_variables(profile)
    File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 207, in load_variables
      raise Exception("failed reading prof_path = %s, e = %s" % (prof_path, e))
  Exception: failed reading prof_path = /usr/sbin/apache2, e = 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte

  
  It is reading the apache2 binary! not a profile! Of course it can't decode it into UTF-8. So the backport is necessary. The newer devel one for Trusty is not good enough.

  Please please upgrade the tools available.... there is no reason to
  stick with this version. It is not like some "old stable" version...
  it is the most bleeding edge possible, right after the conversion from
  perl to python without any bug fixes. I use apparmor everywhere, and
  find this to be incredibly annoying. (but at least for me, this
  backports ppa will do well enough)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1394612/+subscriptions

