touch-packages team mailing list archive
Message #35371
[Bug 1394612] Re: apparmor-utils on 14.04 aka trusty is completely unusable
BTW: The bunch of apache2//null-... profiles aren't too surprising if
your apache executes lots of binaries while in complain mode - each of
them will get a fresh null-... hat.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1394612
Title:
apparmor-utils on 14.04 aka trusty is completely unusable
Status in “apparmor” package in Ubuntu:
Invalid
Bug description:
The version of apparmor-utils in Ubuntu 14.04 is completely unusable.
(2.8.95~2430-0ubuntu5)
jjohansen on IRC has provided me with this repo instead, which works
far better (2.8.98-0ubuntu2+utopic.backport). So I suggest you review
this or whatever process is normally used, work with the developers,
and update it urgently... apparmor tools are completely broken.
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports/
Here is the most basic example possible... I have nothing complicated
in this system. It doesn't have any custom profiles, and I have copied
/bin/bash to my home to make a profile. Then I run the bash and run
"ls" to generate some logs. And then hit "s" to search.
# aa-genprof /root/basharmor
Writing updated profile for /root/basharmor.
Setting /root/basharmor to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
http://wiki.apparmor.net/index.php/Profiles
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
Profiling: /root/basharmor
[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 150, in <module>
lp_ret = apparmor.do_logprof_pass(logmark, passno)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2246, in do_logprof_pass
read_profiles()
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
read_profile(profile_dir + '/' + file, True)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
profile_data = parse_profile_data(data, file, 0)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2700, in parse_profile_data
filelist[file]['profiles'][profile][hat] = True
TypeError: 'bool' object does not support item assignment
aa-logprof doesn't crash the same way with this bash example, but
there are lots of ways to crash it too.
Here is an example of the most ridiculous error I got (which was
probably actually the ppa:apparmor-dev/apparmor-devel version
2.8.96~2541-0ubuntu3+abstract3, which was actually better than
2.8.95~2430-0ubuntu5). Just simply running "aa-logprof" would give me
this exception:
root@ganglia:/etc/apparmor.d# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 181, in load_variables
for line in f_in:
File "/usr/lib/python3.4/codecs.py", line 704, in __next__
return next(self.reader)
File "/usr/lib/python3.4/codecs.py", line 635, in __next__
line = self.readline()
File "/usr/lib/python3.4/codecs.py", line 548, in readline
data = self.read(readsize, firstline=True)
File "/usr/lib/python3.4/codecs.py", line 494, in read
newchars, decodedbytes = self.decode(data, self.errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte
And then to figure out which file it was trying to read, I added
another exception that contains the name:
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/sbin/aa-logprof", line 52, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2261, in do_logprof_pass
handle_children('', '', root)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1236, in handle_children
sev_db.load_variables(profile)
File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 207, in load_variables
raise Exception("failed reading prof_path = %s, e = %s" % (prof_path, e))
Exception: failed reading prof_path = /usr/sbin/apache2, e = 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte
It is reading the apache2 binary! not a profile! Of course it can't decode it into UTF-8. So the backport is necessary. The newer devel one for Trusty is not good enough.
Please please upgrade the tools available.... there is no reason to
stick with this version. It is not like some "old stable" version...
it is the most bleeding edge possible, right after the conversion from
perl to python without any bug fixes. I use apparmor everywhere, and
find this to be incredibly annoying. (but at least for me, this
backports ppa will do well enough)
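Added example, not code from apparmor-utils or the bug reporter: a small defensive profile loader that avoids the two failure modes shown in the tracebacks above. It keeps the per-file profile/hat bookkeeping as nested dicts so a bare bool is never indexed (the TypeError from parse_profile_data), refuses to treat a path outside the profile directory as a profile (so an executable like /usr/sbin/apache2 is never read as one), and names the file and byte offset when content is not UTF-8 instead of surfacing a bare UnicodeDecodeError. The profile grammar is simplified and the sample profile and binary bytes are constructed for this example.

```python
import os
import re

# Simplified AppArmor grammar (an assumption for this example): a profile header is
# 'profile NAME {' or '/path {'; a hat header is '^NAME {' or 'hat NAME {'.
PROFILE_RE = re.compile(r'^\s*(?:profile\s+)?(?P<name>\S+)\s*(?:flags=\([^)]*\))?\s*\{')
HAT_RE = re.compile(r'^\s*(?:\^|hat\s+)(?P<hat>\S+)\s*(?:flags=\([^)]*\))?\s*\{')

# Constructed sample input: a complain-mode profile with two null hats, and 50 bytes
# of pretend binary (standing in for /usr/sbin/apache2) with a 0xb3 byte at offset 41.
SAMPLE_PROFILE = ('/usr/sbin/apache2 flags=(complain) {\n  /etc/** r,\n'
                  '  ^null-1 flags=(complain) {\n  }\n  ^null-2 {\n  }\n}\n')
SAMPLE_BINARY = b'\x7fELF' + b'A' * 37 + b'\xb3' + b'B' * 8


class ProfileLoadError(Exception):
    pass


def is_under_profile_dir(profile_dir, path):
    """True only if path resolves to somewhere inside profile_dir, so an executable
    such as /usr/sbin/apache2 is never opened as if it were a profile."""
    real_dir, real_path = os.path.realpath(profile_dir), os.path.realpath(path)
    return os.path.commonpath([real_dir, real_path]) == real_dir


def decode_profile(path, raw):
    """Decode raw profile bytes, naming the file and byte offset on failure instead
    of surfacing a bare UnicodeDecodeError from deep inside codecs.py."""
    try:
        return raw.decode('utf-8')
    except UnicodeDecodeError as e:
        raise ProfileLoadError("failed reading %s: byte 0x%02x at offset %d is not UTF-8"
                               % (path, raw[e.start], e.start)) from e


def parse_profile_data(text, filelist, file):
    """Keep filelist[file]['profiles'][profile] a dict of hats, never a bare bool,
    so a later hat such as apache2//null-3 can always be recorded under it."""
    profiles = filelist.setdefault(file, {'profiles': {}})['profiles']
    profile = None
    for line in text.splitlines():
        m = HAT_RE.match(line)
        if m and profile is not None:
            profiles[profile][m.group('hat')] = True
            continue
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group('name')
            profiles.setdefault(profile, {})
    return filelist
```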