Traditionally we have actually put these accesses in the packages that
ship the profile, like Marc said, because profilers may not want the
profile to automatically have everything apport requires. These accesses
should *not* be in the python abstraction because the accesses have
nothing to do with python applications, they have to do with python
applications with apport hooks that are confined with apparmor.
There was always the idea that perhaps we could create an apport
abstraction and maybe move distro profiles to using it, but it isn't yet
clear this is what we want to do since the accesses aren't fully
understood.
For now, moving this back to kopanocore and adding an apparmor wishlist
task.
** Also affects: kopanocore (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apparmor
Importance: Undecided
Status: New
** Changed in: apparmor
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1824961
Title:
AppArmor blocks apport python hook from working
Status in AppArmor:
New
Status in apparmor package in Ubuntu:
New
Status in kopanocore package in Ubuntu:
New
Bug description:
The Python profile is very strict, but it prevents Python applications
from producing proper crash reports using apport, as the apport hook
cannot be loaded, as it requires access to dpkg's cputable, and likely
also apt config files and dpkg status files.
I'm wondering what the right approach here is: Should the apport hook
work under AppArmor, and do we thus have to add the files the hook
needs; or should we just say "screw it, we want the additional
security" and not get proper error reporting while AppArmor is
confining the program?
This can be seen in recent autopkgtest failure for kopanocore:
+ kopano-search --help
Traceback (most recent call last):
File "/usr/sbin/kopano-search", line 4, in <module>
import kopano_search
File "/usr/lib/python3/dist-packages/kopano_search/__init__.py", line 18,
in <module>
from queue import Empty
File "/usr/lib/python3.7/queue.py", line 16, in <module>
from _queue import Empty
ImportError:
/usr/lib/python3.7/lib-dynload/_queue.cpython-37m-x86_64-linux-gnu.so: failed
to map segment from shared object
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in
apport_excepthook
from apport.fileutils import likely_packaged, get_recent_crashes
File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in
<module>
from apport.report import Report
File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in <module>
import apport.fileutils
File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in
<module>
from apport.packaging_impl import impl as packaging
File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 24, in
<module>
import apt
File "/usr/lib/python3/dist-packages/apt/__init__.py", line 35, in <module>
apt_pkg.init_system()
apt_pkg.Error: E:Error reading the CPU table
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824961/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
