aa-logprof attempts to read program binary instead of profile

Bug #1317176 reported by MattJ
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Medium
Marc Deslauriers

Bug Description

[impact]

This bug makes it difficult for trusty users to use the apparmor policy
utilities.

[steps to reproduce]

See below

[regression potential]

This issue is being addressed by updating the python utilities to the
version in apparmor 2.9.2 as tracked in bug 1449769. This represents are
large change which would normally be risky; however, these changes are
isolated to the python utils (so no changes to the policy parser/loader
or enforcement), there are a large number of bugs that exist in the
trusty version that make using the tools difficult, so it would be
difficult to regress further, and the updated version includes many new
unit tests to try to prevent from regressions from occurring.

[additional info]

The python utils testsuite is run as part of the test-apparmor.py test
script in lp:qa-regression-testing. The test-apparmor.py also has
additional basic usage tests to ensure that basic functionality is
maintained. These tests are run as part of the process fro each kernel
update.

[original description]

$ aa-logprof -f aadenylog
Reading log entries from aadenylog.
Updating AppArmor profiles in /etc/apparmor.d.
reading /usr/lib/chromium-browser/chromium-browser
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 52, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2261, in do_logprof_pass
    handle_children('', '', root)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1236, in handle_children
    sev_db.load_variables(profile)
  File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 181, in load_variables
    for line in f_in:
  File "/usr/lib/python3.4/codecs.py", line 704, in __next__
    return next(self.reader)
  File "/usr/lib/python3.4/codecs.py", line 635, in __next__
    line = self.readline()
  File "/usr/lib/python3.4/codecs.py", line 548, in readline
    data = self.read(readsize, firstline=True)
  File "/usr/lib/python3.4/codecs.py", line 494, in read
    newchars, decodedbytes = self.decode(data, self.errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xab in position 25: invalid start byte

The 'reading' output line is debug output added by me, printing prof_path just before line 180 (which is also why the line numbers may not match exactly). My assumption is that it is supposed to be reading '/etc/apparmor.d/usr.lib.chromium-browser.chromium-browser' instead.

Revision history for this message
Christian Boltz (cboltz) wrote :

[19:11:34] <cboltz> MattJ: just a guess - line 1236 of aa.py should probably contain "aa[profile][profile]" instead of just "profile"
[19:11:57] <cboltz> (please test with a print command - I'm not exactly sure about the internal structure of aa[])
[19:33:32] <MattJ> sev_db.load_variables(get_profile_filename(exec_target)) seems to work

Revision history for this message
Christian Boltz (cboltz) wrote :

See also https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1324154 (which qualifies as duplicate). There's a patch included, with a slightly different line ("get_profile_filename(profile)" instead of "...(exec_target)"), which looks better to me. (Any objections?)

Revision history for this message
Christian Boltz (cboltz) wrote :

Fix commited to bzr r2519.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
tags: added: aa-tools
Steve Beattie (sbeattie)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

I was able to reproduce the issue with the version of apparmor-utils and python3-apparmor from trusty-updates, 2.8.95~2430-0ubuntu5.1, and can confirm that the version of each in trusty-proposed, 2.8.95~2430-0ubuntu5.2, fixes the issue. Marking verification-done.

tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.