Public bug reported:

The version of apparmor-utils in Ubuntu 14.04 is completely unusable. (2.8.95~2430-0ubuntu5)

jjohansen on IRC has provided me with this repo instead, which works far better (2.8.98-0ubuntu2+utopic.backport). So I suggest you review this or whatever process is normally used, work with the developers, and update it urgently... apparmor tools are completely broken.

https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports/

Here is the most basic example possible... I have nothing complicated in this system. It doesn't have any custom profiles, and I have copied /bin/bash to my home to make a profile. Then I run the bash and run "ls" to generate some logs. And then hit "s" to search.

    # aa-genprof /root/basharmor
    Writing updated profile for /root/basharmor.
    Setting /root/basharmor to complain mode.

    Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information:
    http://wiki.apparmor.net/index.php/Profiles

    Please start the application to be profiled in another window and exercise its functionality now.

    Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events.

    For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied.

    Profiling: /root/basharmor

    [(S)can system log for AppArmor events] / (F)inish
    Reading log entries from /var/log/syslog.
    Updating AppArmor profiles in /etc/apparmor.d.
    Traceback (most recent call last):
      File "/usr/sbin/aa-genprof", line 150, in <module>
        lp_ret = apparmor.do_logprof_pass(logmark, passno)
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2246, in do_logprof_pass
        read_profiles()
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
        read_profile(profile_dir + '/' + file, True)
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
        profile_data = parse_profile_data(data, file, 0)
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2700, in parse_profile_data
        filelist[file]['profiles'][profile][hat] = True
    TypeError: 'bool' object does not support item assignment

aa-logprof doesn't crash the same way with this bash example, but there are lots of ways to crash it too. Here is an example of the most ridiculous error I got (which was probably actually the ppa:apparmor-dev/apparmor-devel version 2.8.96~2541-0ubuntu3+abstract3, which was actually better than 2.8.95~2430-0ubuntu5). Just simply running "aa-logprof" would give me this exception:

    root@ganglia:/etc/apparmor.d# aa-logprof
    Reading log entries from /var/log/audit/audit.log.
    Updating AppArmor profiles in /etc/apparmor.d.
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 181, in load_variables
        for line in f_in:
      File "/usr/lib/python3.4/codecs.py", line 704, in __next__
        return next(self.reader)
      File "/usr/lib/python3.4/codecs.py", line 635, in __next__
        line = self.readline()
      File "/usr/lib/python3.4/codecs.py", line 548, in readline
        data = self.read(readsize, firstline=True)
      File "/usr/lib/python3.4/codecs.py", line 494, in read
        newchars, decodedbytes = self.decode(data, self.errors)
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte

And then to figure out which file it was trying to read, I added another exception that contains the name:

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/sbin/aa-logprof", line 52, in <module>
        apparmor.do_logprof_pass(logmark)
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2261, in do_logprof_pass
        handle_children('', '', root)
      File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1236, in handle_children
        sev_db.load_variables(profile)
      File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 207, in load_variables
        raise Exception("failed reading prof_path = %s, e = %s" % (prof_path, e))
    Exception: failed reading prof_path = /usr/sbin/apache2, e = 'utf-8' codec can't decode byte 0xb3 in position 41: invalid start byte

It is reading the apache2 binary! not a profile! Of course it can't decode it into UTF-8.

So the backport is necessary. The newer devel one for Trusty is not good enough.

Please please upgrade the tools available.... there is no reason to stick with this version. It is not like some "old stable" version... it is the most bleeding edge possible, right after the conversion from perl to python without any bug fixes. I use apparmor everywhere, and find this to be incredibly annoying.
(but at least for me, this backports ppa will do well enough)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1394612

Title:
  apparmor-utils on 14.04 aka trusty is completely unusable
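
The second failure in the report above (a variable loader handed /usr/sbin/apache2 instead of its profile) as an added example, not code from apparmor-utils or from the reporter: a loader that reads bytes first, rejects ELF or non-UTF-8 input, and names the offending path in the error. `load_variables` here is a stand-alone sketch that only shares its name with the function in the traceback; `NotAProfileError`, `demo` and the sample files are hypothetical and constructed.

```python
import os
import re
import tempfile

# Matches AppArmor variable lines such as "@{WWW} = /var/www/" or "@{WWW} += /srv/www/"
VAR_LINE = re.compile(r'^\s*(@\{\w+\})\s*(\+?=)\s*(.*?)\s*$')

class NotAProfileError(ValueError):
    """Raised when the path handed to the loader is not a text profile."""

def load_variables(path):
    """Return {variable: [values]} from a profile, naming the file on failure."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    # An ELF header or NUL bytes mean we were given a program, not its profile.
    if raw.startswith(b'\x7fELF') or b'\x00' in raw:
        raise NotAProfileError('%s is a binary, not a profile' % path)
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError as e:
        raise NotAProfileError('%s is not valid UTF-8: %s' % (path, e)) from e
    variables = {}
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, op, values = m.groups()
        if op == '=':
            variables[name] = values.split()
        else:  # "+=" appends to an existing definition
            variables.setdefault(name, []).extend(values.split())
    return variables

def demo():
    """Run the loader on a constructed profile and a constructed fake binary."""
    with tempfile.TemporaryDirectory() as d:
        profile = os.path.join(d, 'usr.sbin.apache2')
        binary = os.path.join(d, 'apache2')
        with open(profile, 'w', encoding='utf-8') as fh:
            fh.write('@{WWW} = /var/www/\n@{WWW} += /srv/www/\n/usr/sbin/apache2 {\n}\n')
        with open(binary, 'wb') as fh:  # constructed: ELF magic, padding, byte 0xb3
            fh.write(b'\x7fELF\x02\x01\x01' + b'\x00' * 34 + b'\xb3')
        error = None
        try:
            load_variables(binary)
        except NotAProfileError as e:
            error = str(e)
        return load_variables(profile), error
```
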