touch-packages team mailing list archive

[Bug 1471425] [NEW] aa-logprof crash on #include <directory>


Public bug reported:

aa-logprof crashes on profiles that contain an #include <directory> _if_
there are events for this profile.

2.9 crash:

# aa-logprof -f /tmp/syslog
Lese Logeinträge von /tmp/syslog.
Aktualisiere AppArmor-Profile in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2297, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2533, in collapse_log
    if not profile_known_network(aa[profile][hat], family, sock_type):
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 4394, in profile_known_network
    if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
KeyError: 'apache2.d'


trunk crash:

# aa-logprof -f /tmp/syslog
Lese Logeinträge von /tmp/syslog.
Aktualisiere AppArmor-Profile in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2189, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2426, in collapse_log
    if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 4099, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'apache2.d'


Reproducer: (slightly faked log event, apache didn't request network raw)

aa-logprof -f <(echo 'Jul  2 06:39:54 piorun kernel: [5579093.070893]
audit: type=1400 audit(1435811994.122:696484): apparmor="ALLOWED"
operation="accept" profile="/usr/sbin/apache2" pid=18852 comm="apache2"
lport=443 family="inet6" sock_type="raw" protocol=6')

Note: If you test with old logs, it doesn't always happen because
is_known_rule() / profile_known_*() exits as soon as it finds a match,
and the order of include files is random - which means it doesn't always
loop until it hits the directory include.

I'm afraid that this affects the profile_known_*() functions for all
rule types.

** Affects: apparmor
     Importance: Undecided
         Status: New

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: aa-tools

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Tags added: aa-tools

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1471425

Title:
  aa-logprof crash on #include <directory>

Status in AppArmor Linux application security framework:
  New
Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1471425/+subscriptions
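The failing lookup from the tracebacks, modelled as an added Python example (this is not AppArmor's own aa.py code, and the include table, the profile, the rule representation and all function names below are constructed assumptions). It shows why indexing include[incname][incname] with a directory include name like 'apache2.d' raises KeyError, why the crash depends on whether an earlier include already matched, and a lookup that first expands a directory include to the files beneath it.

```python
# Added example, not AppArmor code: a constructed model of the
# include[incname][incname] access pattern seen in the aa-logprof traceback.
# All data and names here are assumptions made for illustration.
from typing import Dict, Iterator, Optional, Set, Tuple

NetRule = Tuple[str, str]  # (family, sock_type)

# Constructed include table. Every *file* include is keyed twice
# (include[name][name]), mirroring the access pattern in the traceback.
# A *directory* include (apache2.d) has no entry of its own; only the
# files beneath it are present, so include['apache2.d'] does not exist.
INCLUDES: Dict[str, Dict[str, Dict[str, Set[NetRule]]]] = {
    "abstractions/base": {"abstractions/base": {"network": {("inet", "stream")}}},
    "apache2.d/phpmyadmin": {"apache2.d/phpmyadmin": {"network": {("inet", "dgram")}}},
    "apache2.d/wiki": {"apache2.d/wiki": {"network": {("inet6", "stream")}}},
}

# Constructed profile: one file include, one directory include. A list is
# used here for determinism; in the real tool the include order is random,
# which is why the crash only shows up when no earlier include matched.
PROFILE = {"include": ["abstractions/base", "apache2.d"]}


def is_directory_include(incname: str) -> bool:
    """True when incname has no table entry but files beneath it do."""
    return incname not in INCLUDES and any(
        name.startswith(incname + "/") for name in INCLUDES
    )


def expand_include(incname: str) -> Iterator[str]:
    """Yield the file includes incname resolves to: itself, or the directory's members."""
    if is_directory_include(incname):
        for name in sorted(INCLUDES):
            if name.startswith(incname + "/"):
                yield name
    else:
        yield incname


def known_network_rule_crashing(profile: dict, family: str, sock_type: str) -> bool:
    """The pattern from the traceback: index the table by the raw include name.

    Returns as soon as a match is found, so a directory include is only
    reached (and only raises KeyError) when nothing before it matched.
    """
    for incname in profile["include"]:
        if (family, sock_type) in INCLUDES[incname][incname]["network"]:
            return True
    return False


def known_network_rule_fixed(profile: dict, family: str, sock_type: str) -> bool:
    """Same check, but directory includes are expanded to their member files first."""
    for incname in profile["include"]:
        for fname in expand_include(incname):
            if (family, sock_type) in INCLUDES[fname][fname]["network"]:
                return True
    return False


def missing_include_key(profile: dict, family: str, sock_type: str) -> Optional[str]:
    """Return the include name the crashing lookup trips over, or None if it survives."""
    try:
        known_network_rule_crashing(profile, family, sock_type)
    except KeyError as err:
        return err.args[0]
    return None


if __name__ == "__main__":
    # inet/stream matches the first include, so the crashing version never
    # reaches 'apache2.d'; inet6/raw matches nothing and trips over it.
    print(known_network_rule_crashing(PROFILE, "inet", "stream"))
    print(missing_include_key(PROFILE, "inet6", "raw"))
    print(known_network_rule_fixed(PROFILE, "inet6", "stream"))
    print(known_network_rule_fixed(PROFILE, "inet6", "raw"))
```

Run stand-alone, the crashing variant returns True for the inet/stream event but reports 'apache2.d' as the missing key for the inet6/raw event from the reproducer; the expanded variant finds the inet6/stream rule inside apache2.d/wiki and correctly reports inet6/raw as unknown instead of crashing.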

