Package: apparmor-utils, python3-apparmor
Version: 4.1.0-1
Severity: normal
Hi,

While doing regular maintenance on my VPS running Trixie, I thought I'd revisit the prospect of creating AppArmor profiles for my services, starting with the Prosody XMPP server. I created a boilerplate empty profile like this and restarted Prosody. After aa-logprof reported that it had observed nothing, I realized that was because I had stopped auditd by hand earlier for an unrelated reason. So I started auditd to get the complaints, restarted Prosody, and ran aa-logprof after a few moments.

+++++ /etc/apparmor.d/usr.bin.prosody
# vim:syntax=apparmor
# AppArmor policy for Prosody
# Author: John Scott

#include <tunables/global>

/usr/bin/prosody flags=(complain) {
  #include <abstractions/base>
}
-----

What makes this interesting is that Prosody is written in Lua, but fortunately the /usr/bin/prosody binary contains the event loop that runs everything, so I figured it'd still be a good candidate for a simple AppArmor profile. So I ran aa-logprof, and my session went like this:

/etc/apparmor.d$ sudo aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.

Profile:  /usr/bin/prosody
Execute:  /usr/bin/lua5.4
Severity: unknown

In(h)erit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (I)gnore / (F)inish

It was here that I decided "In(h)erit" was probably what I wanted, and I pressed the 'h' key.
Then I was shown this:

Complain-mode changes:
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 61, in <module>
    apparmor.do_logprof_pass(logmark, out_dir=args.output_dir)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1506, in do_logprof_pass
    ask_the_questions(log_dict)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1103, in ask_the_questions
    ask_conflict_mode(aa[profile][hat], log_dict[aamode][full_profile])
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1382, in ask_conflict_mode
    conflictingrules = merge_profile['file'].get_exec_conflict_rules(oldrule)
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 595, in get_exec_conflict_rules
    execrules = self.get_exec_rules_for_path(oldrule.path)
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 580, in get_exec_rules_for_path
    for rule in self.get_rules_for_path(path).rules:
               ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 515, in get_rules_for_path
    if (rule.all_paths or rule.path.match(path)) and ((not deny) or rule.deny) and ((not audit) or rule.audit):
                          ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aare.py", line 90, in match
    self._regex_compiled = re.compile(convert_regexp(self.regex))
                           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/re/__init__.py", line 289, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.13/re/__init__.py", line 350, in _compile
    p = _compiler.compile(pattern, flags)
  File "/usr/lib/python3.13/re/_compiler.py", line 748, in compile
    p = _parser.parse(p, flags)
  File "/usr/lib/python3.13/re/_parser.py", line 985, in parse
    raise source.error("unbalanced parenthesis")
re.PatternError: unbalanced parenthesis at position 51

An unexpected error occurred!
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues

If one looks at AppArmor's aare.py, one finds a concession from the author that the regular expression used for input validation is a kludge that may not handle corner cases, and this got me wondering whether the pathnames involved here might be the culprit. aa-status shows:

> 1 processes [sic] are in complain mode.
>    /usr/bin/lua5.4 (23859) /usr/bin/prosody//null-/usr/bin/lua5.4

That latter path is hideous, so maybe this is where the problem lies (maybe with the hyphen, period, or consecutive slashes being interpreted specially). Unfortunately I can't wrap my head around Python, so I'll have to take a break from detective work here. Maybe it matters that Python 3.13 was introduced recent-ish (I saw AppArmor had an RC bug to adapt to that migration), but it's hard to imagine that affecting the matching of parentheses, for example.

Let me know if you're unable to reproduce it.

Thanks,
John
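The report above turns on how an AppArmor file-path glob (AARE) gets turned into a Python regular expression, and on whether literal path characters such as the hyphen, period and doubled slash in /usr/bin/prosody//null-/usr/bin/lua5.4 could produce an "unbalanced parenthesis" from re.compile. The following is an added illustration written for this page; it is not AppArmor's aare.py, it does not reproduce that module's convert_regexp, and it does not establish the root cause of the traceback. The function names aare_to_regex, aare_match and find_bad_patterns, and the sample paths, are assumptions for the example. It assumes the documented AARE semantics ('*' within one path component, '**' across components, '?' for a single non-slash character, '[...]' classes and '{a,b}' alternation) and shows two things a practitioner would want: literal path characters, parentheses included, are escaped so they cannot unbalance the regex, and an unbalanced '{...}' in a pattern is caught by the converter rather than surfacing later from re.compile.

```python
import re

# Added illustrative example (not AppArmor's own aare.py): a small converter
# from AppArmor's AARE file-path globbing to a Python regex, written so that
# literal path characters such as '-', '.', '//' and '(' are escaped and so
# that an unbalanced {a,b} alternation is reported as a ValueError instead of
# surfacing later as re.error / re.PatternError from re.compile().


def aare_to_regex(pattern: str) -> str:
    """Translate an AARE glob into a Python regex source string."""
    out = []
    depth = 0                  # '{' alternations opened but not yet closed
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:          # backslash-escaped literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == '*':
            if pattern.startswith('**', i):  # '**' may cross '/' boundaries
                out.append('.*')
                i += 2
            else:                            # '*' stays within one component
                out.append('[^/]*')
                i += 1
        elif c == '?':                       # exactly one non-'/' character
            out.append('[^/]')
            i += 1
        elif c == '[':                       # character class, passed through
            j = pattern.find(']', i + 1)
            if j == -1:
                raise ValueError('unterminated [...] in %r' % pattern)
            out.append(pattern[i:j + 1])
            i = j + 1
        elif c == '{':                       # {a,b,...}  ->  (?:a|b|...)
            out.append('(?:')
            depth += 1
            i += 1
        elif c == ',' and depth > 0:
            out.append('|')
            i += 1
        elif c == '}':
            if depth == 0:
                raise ValueError("'}' without matching '{' in %r" % pattern)
            out.append(')')
            depth -= 1
            i += 1
        else:                                # anything else is a literal;
            out.append(re.escape(c))         # '(' '.' '-' cannot leak in raw
            i += 1
    if depth != 0:
        raise ValueError("unbalanced '{' in %r" % pattern)
    return ''.join(out)


def aare_match(pattern: str, path: str) -> bool:
    """True if the whole path matches the AARE glob."""
    return re.fullmatch(aare_to_regex(pattern), path) is not None


def find_bad_patterns(patterns):
    """Return (pattern, error message) for each glob that cannot be converted
    or compiled; useful for isolating which rule trips a tool that compiles
    rule regexes lazily, as the traceback above shows aare.py doing."""
    bad = []
    for p in patterns:
        try:
            re.compile(aare_to_regex(p))
        except (ValueError, re.error) as exc:
            bad.append((p, str(exc)))
    return bad


if __name__ == '__main__':
    # Constructed sample paths modelled on the ones quoted in the report.
    weird = '/usr/bin/prosody//null-/usr/bin/lua5.4'
    print(aare_to_regex(weird))
    print(aare_match(weird, weird))
    print(aare_match('/usr/lib/lua/5.{3,4}/**', '/usr/lib/lua/5.4/core.lua'))
    print(find_bad_patterns(['/usr/bin/lua5.*', '/a/{b,c', '/tmp/(x).log']))
```

Run as a script it prints the escaped regex for the null-transition path, confirms that the path matches itself literally, and lists only '/a/{b,c' as a bad pattern: the hyphen, period, doubled slash and even literal parentheses survive re.escape intact, so with this kind of escaping they cannot by themselves produce an unbalanced-parenthesis error.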