** Summary changed:

- aa-enforce fails due to syntax error in snapd.snap-confine profile
+ apparmor python tools do not understand 'include' rules

** Description changed:

+ The apparmor_parser now supports 'include' rules in addition to
+ '#include', but the python tools only understand '#include'. This
+ manifested itself in Ubuntu in bug #1734038 (see
+ https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
+ of that bug for details).
+
+ Reproducer:
+
+ $ mkdir /tmp/test
+
+ $ cat /etc/apparmor.d/lp1733700
+ profile lp1733700 {
+   include "/tmp/test"
+ }
+
+ $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
+ ok
+
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
+
+ Changing the 'include' to '#include' results in:
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ Setting /etc/apparmor.d/lp1733700 to enforce mode.
+
+ At least aa-logprof is also affected.
+
+ = Original report =
  On Ubuntu artful, I'm seeing the following behavior:

  $ aa-enforce usr.bin.chromium-browser
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

  This is snapd 2.28.5+17.10.

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: apparmor
       Status: New => Triaged

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
       Status: Triaged

** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Bionic)
       Status: Triaged => New

https://bugs.launchpad.net/bugs/1733700

Title:
  apparmor python tools do not understand 'include' rules

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Trusty:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Zesty:
  New
Status in apparmor source package in Artful:
  New
Status in apparmor source package in Bionic:
  New

Bug description:
  The apparmor_parser now supports 'include' rules in addition to
  '#include', but the python tools only understand '#include'. This
  manifested itself in Ubuntu in bug #1734038 (see
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
  of that bug for details).

  Reproducer:

  $ mkdir /tmp/test

  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    include "/tmp/test"
  }

  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok

  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

  Changing the 'include' to '#include' results in:
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.

  At least aa-logprof is also affected.

  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:

  $ aa-enforce usr.bin.chromium-browser
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.

  This is snapd 2.28.5+17.10.
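
An added example, not part of the bug report and not AppArmor's own code: a small Python check that finds profile lines using the bare 'include' form that the report says aa-enforce and aa-logprof reject, and produces the '#include' rewrite used in the reproducer. The regular expression is a simplified assumption about the rule syntax, the function names are hypothetical, and the sample profile is constructed from the reproducer plus two extra lines.

```python
import re

# Assumed, simplified syntax: optional indentation, the bare keyword
# 'include', then a "quoted", <bracketed> or unquoted path, and an
# optional trailing comment. '#include' lines never match because the
# first non-blank character must be the 'i' of 'include'.
BARE_INCLUDE = re.compile(
    r'^\s*include\s+'
    r'(?:"(?P<quoted>[^"]+)"|<(?P<angle>[^>]+)>|(?P<plain>\S+))'
    r'\s*(?:#.*)?$'
)


def find_bare_includes(profile_text):
    """Return (line_number, path) for every bare 'include' rule."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = BARE_INCLUDE.match(line)
        if m:
            path = m.group("quoted") or m.group("angle") or m.group("plain")
            hits.append((lineno, path))
    return hits


def to_hash_include(profile_text):
    """Return the profile text with bare 'include' rewritten to '#include'."""
    out = []
    for line in profile_text.splitlines():
        if BARE_INCLUDE.match(line):
            line = re.sub(r"^(\s*)include\b", r"\1#include", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the lp1733700 reproducer profile, plus a '#include'
# line and a path rule containing the word 'include' that must not match.
SAMPLE = (
    "profile lp1733700 {\n"
    '  include "/tmp/test"\n'
    "  #include <abstractions/base>\n"
    "  /usr/include/** r,\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, path in find_bare_includes(SAMPLE):
        print(f"line {lineno}: bare include of {path}")
    print(to_hash_include(SAMPLE), end="")
```

Both functions only work on text passed to them and write nothing to disk. Profiles generated by another package, such as the snap-confine profile in the original report, may be regenerated by that package.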