Due to the builder being down for meltdown/spectre, the patches for this were delayed. However, the 3rd core snap without the issue (2.29.4.2, 2.30 and the upcoming 2.31.1) that caused this problem is about to be released, meaning the affected core snap revision is about to be reaped, which will resolve this bug for those users. As a result, marking all stable releases of Ubuntu as Won't Fix. Bionic will be fixed with the upcoming 2.12 merge from Debian.
** Changed in: apparmor (Ubuntu Zesty)
   Status: Triaged => Won't Fix

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Xenial)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Artful)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Bionic)
   Status: In Progress => Triaged

** Changed in: apparmor (Ubuntu Bionic)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  python tools do not understand 'non-magic' include rules

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Triaged
Status in apparmor source package in Trusty:
  Won't Fix
Status in apparmor source package in Xenial:
  Won't Fix
Status in apparmor source package in Zesty:
  Won't Fix
Status in apparmor source package in Artful:
  Won't Fix
Status in apparmor source package in Bionic:
  Triaged

Bug description:
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish
- PRESS 's' - currently fails
...
don't exercise the application any so we just have the default profile
...
[(S)can system log for AppArmor events] / (F)inish
- PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:
  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /tmp/lp1733700
Execute:  /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore
- PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','.
Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
    include "/var/lib/snapd/apparmor/snap-confine.d"
    /etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions
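The two failure modes the test cases above exercise, a bare 'include "/abs/path"' rejected as an unknown line and a '#include "/abs/path"' silently treated as a comment (which is why the old aa-mergeprof dropped absolute-path includes on rewrite), can be shown side by side with a small line classifier. The following is an added illustration written for this page, not code from the AppArmor python tools; the regexes, function names and the sample profile are constructed here and mirror only the include spellings that appear in the report. The point for anyone maintaining profile-rewriting tooling is in scan_profile: a rule the tool cannot classify must surface as an error, never be reclassified as a comment, because a comment is discarded on the next save and the resulting profile quietly loses that rule.

```python
import re

# Constructed regex for the include spellings this bug report exercises:
# an optional leading '#', then '<magic>' (resolved against the parser's
# include search path) or a quoted absolute path.
RE_INCLUDE = re.compile(
    r'^\s*#?include\s+(?:<(?P<magic>[^>\s]+)>|"(?P<quoted>[^"]+)")\s*$'
)
# The single spelling the old python tools recognised, per the report.
RE_OLD_INCLUDE = re.compile(r'^\s*#include\s+<(?P<magic>[^>\s]+)>\s*$')


def _non_include(line):
    """Classify a line that is not an include rule: a '#' comment, a
    structural line (blank, block open/close, a rule ending in ','),
    or an unknown line that is a syntax error."""
    stripped = line.strip()
    if stripped.startswith('#'):
        return ('comment', None, None)
    if stripped in ('', '}') or stripped.endswith('{') or stripped.endswith(','):
        return ('other', None, None)
    return ('error', None, None)


def classify_old(line):
    """Old behaviour as described in the report: '#include "/abs/path"'
    is swallowed as a comment and 'include ...' is an unknown line
    (the "Missing '}' or ','" error)."""
    m = RE_OLD_INCLUDE.match(line)
    if m:
        return ('include', True, m.group('magic'))
    return _non_include(line)


def classify_fixed(line):
    """Fixed behaviour: every spelling is an include rule; the second
    tuple element records whether the include is 'magic' (<...>)."""
    m = RE_INCLUDE.match(line)
    if m:
        if m.group('magic') is not None:
            return ('include', True, m.group('magic'))
        return ('include', False, m.group('quoted'))
    return _non_include(line)


def scan_profile(text, classify):
    """Return (includes, errors): the include rules a tool using
    `classify` would keep, and the 1-based line numbers it would reject.
    Anything classified as a comment is not an include and would be
    dropped by a rewrite, which is the silent failure mode."""
    includes, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind, magic, target = classify(line)
        if kind == 'include':
            includes.append((magic, target))
        elif kind == 'error':
            errors.append(lineno)
    return includes, errors


# Constructed sample mirroring test case #1, plus one magic include.
SAMPLE_PROFILE = """\
#include <tunables/global>
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
  /bin/dash ix,
}
"""

if __name__ == '__main__':
    for name, fn in (('old', classify_old), ('fixed', classify_fixed)):
        inc, err = scan_profile(SAMPLE_PROFILE, fn)
        print(name, 'includes:', inc, 'errors on lines:', err)
```

Run stand-alone, the old classifier keeps only the magic include and reports line 4 as an error, while the fixed one keeps all three includes with no errors; the '#include "/tmp/test1"' line is the one that vanishes without any message under the old rules.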