I might also mention on IRC the exact type of thing why we've had these rules in the profile that ship them:
[119698.000187] audit: type=1400 audit(1555405334.985:222): apparmor="DENIED" operation="exec" profile="/usr/sbin/kopano-search" name="/usr/bin/x86_64-linux-gnu-gcc-8" pid=15647 comm="kopano-search" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

We aren't going to put compiler execution into the python (or likely any other) abstraction. It is difficult because for security you only want enough access so the application can behave normally, which is often at odds with the access the application needs when it crashes or behaves unexpectedly (indeed, we wrap applications with apparmor precisely to limit what they can do when behaving unexpectedly).

https://bugs.launchpad.net/bugs/1824961

Title:
  AppArmor blocks apport python hook from working

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in kopanocore package in Ubuntu:
  New

Bug description:
  The Python profile is very strict, but it prevents Python applications from producing proper crash reports using apport, as the apport hook cannot be loaded, as it requires access to dpkg's cputable, and likely also apt config files and dpkg status files.

  I'm wondering what the right approach here is: Should the apport hook work under AppArmor, and do we thus have to add the files the hook needs; or should we just say "screw it, we want the additional security" and not get proper error reporting while AppArmor is confining the program?

  This can be seen in a recent autopkgtest failure for kopanocore:

  + kopano-search --help
  Traceback (most recent call last):
    File "/usr/sbin/kopano-search", line 4, in <module>
      import kopano_search
    File "/usr/lib/python3/dist-packages/kopano_search/__init__.py", line 18, in <module>
      from queue import Empty
    File "/usr/lib/python3.7/queue.py", line 16, in <module>
      from _queue import Empty
  ImportError: /usr/lib/python3.7/lib-dynload/_queue.cpython-37m-x86_64-linux-gnu.so: failed to map segment from shared object

  Error in sys.excepthook:
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
      from apport.fileutils import likely_packaged, get_recent_crashes
    File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
      from apport.report import Report
    File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in <module>
      import apport.fileutils
    File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in <module>
      from apport.packaging_impl import impl as packaging
    File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 24, in <module>
      import apt
    File "/usr/lib/python3/dist-packages/apt/__init__.py", line 35, in <module>
      apt_pkg.init_system()
  apt_pkg.Error: E:Error reading the CPU table
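The audit record quoted at the top of this message is the raw material a profile maintainer works from when deciding whether a denial is a missing rule or the profile doing its job. The parser below is an added example, not code from the bug thread, from AppArmor or from Ubuntu: it turns kernel audit lines of that shape into structured events and groups the DENIED ones per profile, so repeated denials collapse into one triage line each and exec denials (a confined program trying to run another binary, here a compiler) can be listed separately. The sample log embeds the line from the bug plus two constructed lines; the "/usr/share/dpkg/cputable" path in the second line is my assumption about where dpkg's cputable lives, not something stated in the bug.

```python
import re
from dataclasses import dataclass

# Constructed sample input. Line 1 is the audit record quoted in the bug;
# lines 2 and 3 are made up for this example (the cputable path is assumed).
SAMPLE_LOG = """\
[119698.000187] audit: type=1400 audit(1555405334.985:222): apparmor="DENIED" operation="exec" profile="/usr/sbin/kopano-search" name="/usr/bin/x86_64-linux-gnu-gcc-8" pid=15647 comm="kopano-search" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[119698.100000] audit: type=1400 audit(1555405335.101:223): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/usr/share/dpkg/cputable" pid=15647 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[119698.200000] audit: type=1400 audit(1555405335.200:224): apparmor="ALLOWED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/hosts" pid=15647 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value pairs as printed by the audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# audit(<epoch seconds>.<millis>:<serial>)
AUDIT_TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


@dataclass(frozen=True)
class AppArmorEvent:
    timestamp: float
    serial: int
    action: str          # DENIED, ALLOWED, AUDIT, ...
    operation: str       # exec, open, ...
    profile: str
    name: str            # object the operation targeted
    pid: int
    comm: str
    requested_mask: str
    denied_mask: str


def parse_apparmor_line(line):
    """Return an AppArmorEvent for a type=1400 apparmor audit line, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    ts = AUDIT_TS_RE.search(line)
    if ts is None:
        return None
    fields = {}
    for key, raw, quoted, bare in KV_RE.findall(line):
        # a quoted value may legitimately be empty, so test the raw token
        fields[key] = quoted if raw.startswith('"') else bare
    return AppArmorEvent(
        timestamp=float(ts.group(1)),
        serial=int(ts.group(2)),
        action=fields.get("apparmor", ""),
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        name=fields.get("name", ""),
        pid=int(fields.get("pid", 0)),
        comm=fields.get("comm", ""),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
    )


def parse_log(text):
    """Parse every apparmor audit line in a block of kernel log text."""
    events = []
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev is not None:
            events.append(ev)
    return events


def denials_by_profile(events):
    """Group DENIED events by profile, collapsing repeats of the same
    (operation, name, denied_mask) so each distinct denial is reviewed once."""
    grouped = {}
    for ev in events:
        if ev.action != "DENIED":
            continue
        grouped.setdefault(ev.profile, set()).add(
            (ev.operation, ev.name, ev.denied_mask))
    return {profile: sorted(items) for profile, items in grouped.items()}


def exec_denials(events):
    """Exec denials are worth listing on their own: the confined program tried
    to run another binary its profile does not grant (the gcc case above)."""
    return [ev for ev in events
            if ev.action == "DENIED" and ev.operation == "exec"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for profile, items in denials_by_profile(evs).items():
        print(profile)
        for op, name, mask in items:
            print(f"  {op:<6} {mask:<3} {name}")
    print("exec denials:", [e.name for e in exec_denials(evs)])
```

On a real system the same functions can be fed the output of dmesg or the relevant journal lines; the per-profile grouping is what you would compare against the profile's rules before deciding, as the comment above does for compiler execution, that a denial is intended rather than a gap.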