** Description changed: + ***** SRU TEMPLATE AT THE BOTTOM ***** + Executing "aa-enforce /etc/apparmor.d/*" does not work on Ubuntu 24.04. There is already an upstream fix (https://gitlab.com/apparmor/apparmor/-/merge_requests/1218/diffs?commit_id=6f9e841e74f04cac78da71fd2e8af3f973af94fc). Suspect more will run into this issue now when the CIS Benchmark for Ubuntu 24.04 was released this week. Description: Ubuntu 24.04.1 LTS Release: 24.04 ----------------------------------- root@ubuntu2404:/etc/apparmor.d# dpkg -l |grep apparmor ii apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 user-space parser utility for AppArmor ii apparmor-profiles 4.0.1really4.0.0-beta3-0ubuntu0.1 all experimental profiles for AppArmor security policies ii apparmor-utils 4.0.1really4.0.0-beta3-0ubuntu0.1 all utilities for controlling AppArmor ii libapparmor1:amd64 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 changehat AppArmor library ii python3-apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 all AppArmor Python3 utility library ii python3-libapparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 AppArmor library Python3 bindings ----------------------------------- ----------------------------------- root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. 
Traceback (most recent call last): - File "/usr/sbin/aa-enforce", line 33, in <module> - tool.cmd_enforce() - File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce - for (program, prof_filename, output_name) in self.get_next_for_modechange(): - File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange - aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/usr/sbin/aa-enforce", line 33, in <module> + tool.cmd_enforce() + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce + for (program, prof_filename, output_name) in self.get_next_for_modechange(): + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange + aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: 'NoneType' object is not callable - An unexpected error occurred! For details, see /tmp/apparmor-bugreport-yi5o6kwm.txt Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues and attach this file. ------------------------------------- - Workaround is to edit /usr/lib/python3/dist-packages/apparmor/tools.py as the upstream fix suggests. - - for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): - - for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): - - Then it works: root@ubuntu2404:/etc/apparmor.d# vim /usr/lib/python3/dist-packages/apparmor/tools.py root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. 
Profile for /etc/apparmor.d/abi not found, skipping Profile for /etc/apparmor.d/abstractions not found, skipping Profile for /etc/apparmor.d/apache2.d not found, skipping Setting /etc/apparmor.d/bin.ping to enforce mode. Setting /etc/apparmor.d/brave to enforce mode. Setting /etc/apparmor.d/buildah to enforce mode. Setting /etc/apparmor.d/busybox to enforce mode. Setting /etc/apparmor.d/cam to enforce mode. Setting /etc/apparmor.d/ch-checkns to enforce mode. Setting /etc/apparmor.d/chrome to enforce mode. Setting /etc/apparmor.d/ch-run to enforce mode. Setting /etc/apparmor.d/code to enforce mode. Setting /etc/apparmor.d/crun to enforce mode. Setting /etc/apparmor.d/devhelp to enforce mode. Profile for /etc/apparmor.d/disable not found, skipping Setting /etc/apparmor.d/Discord to enforce mode. Setting /etc/apparmor.d/element-desktop to enforce mode. Setting /etc/apparmor.d/epiphany to enforce mode. Setting /etc/apparmor.d/evolution to enforce mode. Setting /etc/apparmor.d/firefox to enforce mode. Setting /etc/apparmor.d/flatpak to enforce mode. Profile for /etc/apparmor.d/force-complain not found, skipping Setting /etc/apparmor.d/geary to enforce mode. Setting /etc/apparmor.d/github-desktop to enforce mode. Setting /etc/apparmor.d/goldendict to enforce mode. Setting /etc/apparmor.d/ipa_verify to enforce mode. Setting /etc/apparmor.d/kchmviewer to enforce mode. Setting /etc/apparmor.d/keybase to enforce mode. Setting /etc/apparmor.d/lc-compliance to enforce mode. Setting /etc/apparmor.d/libcamerify to enforce mode. Setting /etc/apparmor.d/linux-sandbox to enforce mode. Profile for /etc/apparmor.d/local not found, skipping Setting /etc/apparmor.d/loupe to enforce mode. Setting /etc/apparmor.d/lsb_release to enforce mode. Setting /etc/apparmor.d/lxc-attach to enforce mode. Setting /etc/apparmor.d/lxc-create to enforce mode. Setting /etc/apparmor.d/lxc-destroy to enforce mode. Setting /etc/apparmor.d/lxc-execute to enforce mode. 
Setting /etc/apparmor.d/lxc-stop to enforce mode. Setting /etc/apparmor.d/lxc-unshare to enforce mode. Setting /etc/apparmor.d/lxc-usernsexec to enforce mode. Setting /etc/apparmor.d/mmdebstrap to enforce mode. Setting /etc/apparmor.d/MongoDB_Compass to enforce mode. Setting /etc/apparmor.d/msedge to enforce mode. Setting /etc/apparmor.d/nautilus to enforce mode. Setting /etc/apparmor.d/notepadqq to enforce mode. Setting /etc/apparmor.d/nvidia_modprobe to enforce mode. Setting /etc/apparmor.d/obsidian to enforce mode. Setting /etc/apparmor.d/opam to enforce mode. Setting /etc/apparmor.d/opera to enforce mode. Setting /etc/apparmor.d/pageedit to enforce mode. Setting /etc/apparmor.d/php-fpm to enforce mode. Setting /etc/apparmor.d/plasmashell to enforce mode. Setting /etc/apparmor.d/podman to enforce mode. Setting /etc/apparmor.d/polypane to enforce mode. Setting /etc/apparmor.d/privacybrowser to enforce mode. Setting /etc/apparmor.d/qcam to enforce mode. Setting /etc/apparmor.d/qmapshack to enforce mode. Setting /etc/apparmor.d/QtWebEngineProcess to enforce mode. Setting /etc/apparmor.d/qutebrowser to enforce mode. Setting /etc/apparmor.d/rootlesskit to enforce mode. Setting /etc/apparmor.d/rpm to enforce mode. Setting /etc/apparmor.d/rssguard to enforce mode. Profile for /etc/apparmor.d/rsyslog.d not found, skipping Setting /etc/apparmor.d/runc to enforce mode. Setting /etc/apparmor.d/samba-bgqd to enforce mode. Setting /etc/apparmor.d/samba-dcerpcd to enforce mode. Setting /etc/apparmor.d/samba-rpcd to enforce mode. Setting /etc/apparmor.d/samba-rpcd-classic to enforce mode. Setting /etc/apparmor.d/samba-rpcd-spoolss to enforce mode. Setting /etc/apparmor.d/sbin.klogd to enforce mode. Setting /etc/apparmor.d/sbin.syslogd to enforce mode. Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode. Setting /etc/apparmor.d/sbuild to enforce mode. Setting /etc/apparmor.d/sbuild-abort to enforce mode. Setting /etc/apparmor.d/sbuild-adduser to enforce mode. 
Setting /etc/apparmor.d/sbuild-apt to enforce mode. Setting /etc/apparmor.d/sbuild-checkpackages to enforce mode. Setting /etc/apparmor.d/sbuild-clean to enforce mode. Setting /etc/apparmor.d/sbuild-createchroot to enforce mode. Setting /etc/apparmor.d/sbuild-destroychroot to enforce mode. Setting /etc/apparmor.d/sbuild-distupgrade to enforce mode. Setting /etc/apparmor.d/sbuild-hold to enforce mode. Setting /etc/apparmor.d/sbuild-shell to enforce mode. Setting /etc/apparmor.d/sbuild-unhold to enforce mode. Setting /etc/apparmor.d/sbuild-update to enforce mode. Setting /etc/apparmor.d/sbuild-upgrade to enforce mode. Setting /etc/apparmor.d/scide to enforce mode. Setting /etc/apparmor.d/signal-desktop to enforce mode. Setting /etc/apparmor.d/slack to enforce mode. Setting /etc/apparmor.d/slirp4netns to enforce mode. Setting /etc/apparmor.d/steam to enforce mode. Setting /etc/apparmor.d/stress-ng to enforce mode. Setting /etc/apparmor.d/surfshark to enforce mode. Setting /etc/apparmor.d/systemd-coredump to enforce mode. Setting /etc/apparmor.d/thunderbird to enforce mode. Setting /etc/apparmor.d/toybox to enforce mode. Setting /etc/apparmor.d/trinity to enforce mode. Profile for /etc/apparmor.d/tunables not found, skipping Setting /etc/apparmor.d/tup to enforce mode. Setting /etc/apparmor.d/tuxedo-control-center to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_apt_news to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_esm_cache to enforce mode. Setting /etc/apparmor.d/unix-chkpwd to enforce mode. Setting /etc/apparmor.d/unprivileged_userns to enforce mode. Setting /etc/apparmor.d/userbindmount to enforce mode. Setting /etc/apparmor.d/usr.bin.man to enforce mode. Setting /etc/apparmor.d/usr.bin.tcpdump to enforce mode. Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode. Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode. Setting /etc/apparmor.d/usr.sbin.chronyd to enforce mode. 
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. Setting /etc/apparmor.d/usr.sbin.identd to enforce mode. Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode. Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode. Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode. Setting /etc/apparmor.d/uwsgi-core to enforce mode. Setting /etc/apparmor.d/vdens to enforce mode. Setting /etc/apparmor.d/virtiofsd to enforce mode. Setting /etc/apparmor.d/vivaldi-bin to enforce mode. Setting /etc/apparmor.d/vpnns to enforce mode. Setting /etc/apparmor.d/wpcom to enforce mode. + + + ========== + SRU TEMPLATE: + ========== + + [ Impact ] + + * Currently there is a bug in apparmor where executing the aa- + enforce command causes the apparmor to crash with: + aaui.UI_Info(_('Profile for %s not found, skipping') % output_name). + + Traceback (most recent call last): + File "/usr/sbin/aa-enforce", line 33, in <module> + tool.cmd_enforce() + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce + for (program, prof_filename, output_name) in self.get_next_for_modechange(): + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange + aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + TypeError: 'NoneType' object is not callable + + An unexpected error occurred! 
+ + * Users have been unable to roll out their intended CIS hardening + policies to production as they are blocked by this issue + + * This bug was also reported upstream apparmor at + https://gitlab.com/apparmor/apparmor/-/issues/387 + + * This bug report references that they were able to work around the + problem by manually applying the upstream fix at: + https://gitlab.com/apparmor/apparmor/-/merge_requests/1218. However, + this bug was reported internally by a customer who cannot manually apply + the fix to every affected machine. + + [Test Plan] + + * Deploy a fresh Ubuntu Noble VM, install apparmor/apparmor-utils, + and run: sudo aa-enforce /etc/apparmor.d/* This will produce the same + traceback as seen the bug report + + * Apply the patch, and run sudo aa-enforce /etc/apparmor.d/*, + observing that no errors were produced + + [What can go wrong] + + * The bug was introduced essentially due to a refactorization of a + function which originally returned two values. One of which, the return + value 'profile', was ambiguously either a profile name or a profile + filename. The restructuring in the previous patch ensured the function + always returned 3 values, each of which being explicitly defined to + remove the ambiguous nature of the "profile" return value. It's possible + that there will be subsequent changes similar to this one due to the + original refactor.
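The "[What can go wrong]" note and the traceback above describe the same defect from two sides: the refactored helper now yields three values, the middle one was unpacked into a loop variable named `_`, and the upstream fix simply renames it to `_ignored`. That rename matters because `_` is also the conventional name for the gettext function called on line 97 of tools.py. The Python below is an added example, not AppArmor's tools.py; it reproduces the shadowing failure and the fixed loop on constructed sample entries (`get_next_to_profile` here is a stand-in, not the real method).

```python
import gettext

# Bind gettext under its conventional name `_`, as the AppArmor Python tools
# do; with no catalogue loaded it returns the message unchanged.
_ = gettext.gettext


def get_next_to_profile():
    """Constructed stand-in for the refactored helper: yields
    (program, profile_name, profile_filename). Non-profile entries such as
    the /etc/apparmor.d/abi directory yield None for the last two."""
    yield ("/etc/apparmor.d/1password", "1password", "/etc/apparmor.d/1password")
    yield ("/etc/apparmor.d/abi", None, None)


def modechange_buggy():
    """Pre-fix loop. Because `_` is an assignment target here, Python treats
    `_` as a local for the whole function, so the `_()` call below invokes the
    tuple element (None for the 'abi' entry) instead of gettext."""
    messages = []
    for (program, _, prof_filename) in get_next_to_profile():
        if prof_filename is None:
            messages.append(_('Profile for %s not found, skipping') % program)
        else:
            messages.append('Setting %s to enforce mode.' % prof_filename)
    return messages


def modechange_fixed():
    """Same loop with the upstream rename: `_ignored` no longer shadows `_`,
    so the 'not found' message is translated and formatted normally."""
    messages = []
    for (program, _ignored, prof_filename) in get_next_to_profile():
        if prof_filename is None:
            messages.append(_('Profile for %s not found, skipping') % program)
        else:
            messages.append('Setting %s to enforce mode.' % prof_filename)
    return messages


def buggy_error_message():
    """Run the buggy loop and return the TypeError text, which matches the
    last line of the traceback in the bug report."""
    try:
        modechange_buggy()
    except TypeError as exc:
        return str(exc)
    return None
```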
https://bugs.launchpad.net/bugs/2078467
Title: aa-enforce /etc/apparmor.d/* - Error