Log contains unknown mode senw

Bug #1582374 reported by Neil
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Christian Boltz
2.10
Fix Released
Undecided
Christian Boltz
apparmor (Ubuntu)
Fix Released
Medium
Tyler Hicks
Xenial
Fix Released
Medium
Tyler Hicks

Bug Description

[Impact]

AppArmor policy developers cannot use aa-logprof without it exiting with a traceback on certain denial messages.

[Test Case]

$ echo 'type=AVC msg=audit(1463403689.381:267599): apparmor="ALLOWED" \
operation="file_perm" profile="foo" pid=13215 comm="apache2" \
laddr=::ffff:192.168.1.100 lport=80 faddr=::ffff:192.168.1.100 fport=45658 \
family="inet6" sock_type="stream" protocol=6 requested_mask="send" \
denied_mask="send"' > /tmp/log
$ mkdir -p /tmp/profiles && printf "profile foo {\n}" > /tmp/profiles/foo
$ aa-logprof -f /tmp/log -d /tmp/profiles

Expected output of the last command is:

Reading log entries from /tmp/log.
Updating AppArmor profiles in /tmp/profiles.

[Regression Potential]

There is little potential for regression. This "hotfix" could result in some slight confusion because the problematic denial messages will simply be ignored but it allows aa-logprof to do its intended job without unexpectedly exiting.

[Original Report]

Ref #1243932. Same title but appears to be different cause.

Ubuntu 16.04. Error thrown on 'sudo aa-logprof'

Python 3.5.1+: /usr/bin/python3
Mon May 16 20:13:30 2016

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

 /usr/sbin/aa-logprof in <module>()
   42
   43 if profiledir:
   44 apparmor.profile_dir = apparmor.get_full_path(profiledir)
   45 if not os.path.isdir(apparmor.profile_dir):
   46 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
   47
   48 apparmor.loadincludes()
   49
   50 apparmor.do_logprof_pass(logmark)
   51
apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''

 /usr/lib/python3/dist-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, pid={13215: [['unknown_hat', 13215, '/usr/sbin/apache2', 'null-www.xxxxxxxxxx.co.uk', 'PERMITTING', 'null-www.xxxxxxxxxx.co.uk'], ['path', 13215, 'null-complain-profile', 'null-complain-profile', 'HINT', 'PERMITTING', {'::r', 'r'}, '/proc/13215/attr/current', '']], 13697: [['path', 13697, 'null-complain-profile', 'null-complain-profile', 'HINT', 'PERMITTING', {'::a', '::w', 'a', 'w'}, '/proc/13697/attr/current', '']]})
 2184 ## repo_cfg = read_config('repository.conf')
 2185 ## if not repo_cfg['repository'].get('enabled', False) or repo_cfg['repository]['enabled'] not in ['yes', 'no']:
 2186 ## UI_ask_to_enable_repo()
 2187
 2188 log_reader = apparmor.logparser.ReadLog(pid, logfile, existing_profiles, profile_dir, log)
 2189 log = log_reader.read_log(logmark)
 2190 #read_log(logmark)
 2191
 2192 for root in log:
 2193 handle_children('', '', root)
global log = [[['path', 13697, 'null-complain-profile', 'null-complain-profile', 'HINT', 'PERMITTING', {'::a', '::w', 'a', 'w'}, '/proc/13697/attr/current', '']], [['unknown_hat', 13215, '/usr/sbin/apache2', 'null-www.po4management.co.uk', 'PERMITTING', 'null-www.xxxxxxxxxx.co.uk'], ['path', 13215, 'null-complain-profile', 'null-complain-profile', 'HINT', 'PERMITTING', {'::r', 'r'}, '/proc/13215/attr/current', '']]]
log_reader = <apparmor.logparser.ReadLog object>
log_reader.read_log = <bound method ReadLog.read_log of <apparmor.logparser.ReadLog object>>
logmark = ''

 /usr/lib/python3/dist-packages/apparmor/logparser.py in read_log(self=<apparmor.logparser.ReadLog object>, logmark='')
  402 self.add_event_to_tree(event)
  403 except AppArmorException as e:
  404 ex_msg = ('%(msg)s\n\nThis error was caused by the log line:\n%(logline)s' %
  405 {'msg': e.value, 'logline': line})
  406 # when py3 only: Drop the original AppArmorException by passing None as the parent exception
  407 raise AppArmorBug(ex_msg) # py3-only: from None
  408
  409 self.LOG.close()
  410 self.logmark = ''
  411 return self.log
global AppArmorBug = <class 'apparmor.common.AppArmorBug'>
ex_msg = 'Log contains unknown mode senw\n\nThis error was c...otocol=6 requested_mask="send" denied_mask="send"'
AppArmorBug: Log contains unknown mode senw

This error was caused by the log line:
type=AVC msg=audit(1463403689.381:267599): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2//null-www.xxxxxxxxxx.co.uk" pid=13215 comm="apache2" laddr=::ffff:192.168.1.100 lport=80 faddr=::ffff:192.168.1.100 fport=45658 family="inet6" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    __cause__ = None
    __class__ = <class 'apparmor.common.AppArmorBug'>
    __context__ = AppArmorException('Log contains unknown mode senw',)
    __delattr__ = <method-wrapper '__delattr__' of AppArmorBug object>
    __dict__ = {}
    __dir__ = <built-in method __dir__ of AppArmorBug object>
    __doc__ = 'This class represents AppArmor exceptions "that should never happen"'
    __eq__ = <method-wrapper '__eq__' of AppArmorBug object>
    __format__ = <built-in method __format__ of AppArmorBug object>
    __ge__ = <method-wrapper '__ge__' of AppArmorBug object>
    __getattribute__ = <method-wrapper '__getattribute__' of AppArmorBug object>
    __gt__ = <method-wrapper '__gt__' of AppArmorBug object>
    __hash__ = <method-wrapper '__hash__' of AppArmorBug object>
    __init__ = <method-wrapper '__init__' of AppArmorBug object>
    __le__ = <method-wrapper '__le__' of AppArmorBug object>
    __lt__ = <method-wrapper '__lt__' of AppArmorBug object>
    __module__ = 'apparmor.common'
    __ne__ = <method-wrapper '__ne__' of AppArmorBug object>
    __new__ = <built-in method __new__ of type object>
    __reduce__ = <built-in method __reduce__ of AppArmorBug object>
    __reduce_ex__ = <built-in method __reduce_ex__ of AppArmorBug object>
    __repr__ = <method-wrapper '__repr__' of AppArmorBug object>
    __setattr__ = <method-wrapper '__setattr__' of AppArmorBug object>
    __setstate__ = <built-in method __setstate__ of AppArmorBug object>
    __sizeof__ = <built-in method __sizeof__ of AppArmorBug object>
    __str__ = <method-wrapper '__str__' of AppArmorBug object>
    __subclasshook__ = <built-in method __subclasshook__ of type object>
    __suppress_context__ = False
    __traceback__ = <traceback object>
    __weakref__ = None
    args = ('Log contains unknown mode senw\n\nThis error was c...otocol=6 requested_mask="send" denied_mask="send"',)
    with_traceback = <built-in method with_traceback of AppArmorBug object>

The above is a description of an error in a Python program. Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 402, in read_log
    self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 206, in add_event_to_tree
    e = self.parse_event_for_tree(e)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 303, in parse_event_for_tree
    raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode senw'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2189, in do_logprof_pass
    log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 407, in read_log
    raise AppArmorBug(ex_msg) # py3-only: from None
apparmor.common.AppArmorBug: Log contains unknown mode senw

This error was caused by the log line:
type=AVC msg=audit(1463403689.381:267599): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2//null-www.xxxxxxxxxx.co.uk" pid=13215 comm="apache2" laddr=::ffff:192.168.1.100 lport=80 faddr=::ffff:192.168.1.100 fport=45658 family="inet6" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

Revision history for this message
Christian Boltz (cboltz) wrote :

This is mostly a duplicate of bug 1577051, except that your log message contains "send" instead of "receive" ;-)

tags: added: aa-tools
Revision history for this message
Christian Boltz (cboltz) wrote :

Hotfix commited to bzr trunk r3460, 2.10 branch r3333 and 2.9 branch r3011.

This hotfix avoids the crash by ignoring these events. The long-term fix will be to handle these events as what they are - network events, but that will need some bigger changes.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu Xenial):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
cooloutac (cooloutac) wrote :

I have the issue as well, newly installed kubuntu 16.04.

Revision history for this message
cooloutac (cooloutac) wrote :

How do I apply the above mentioned hotfix?

Writing updated profile for /usr/bin/konversation.
Setting /usr/bin/konversation to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
http://wiki.apparmor.net/index.php/Profiles

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/bin/konversation

[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 402, in read_log
self.add_event_to_tree(event)
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 206, in add_event_to_tree
e = self.parse_event_for_tree(e)
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 303, in parse_event_for_tree
raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode senw'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 151, in <module>
lp_ret = apparmor.do_logprof_pass(logmark, passno)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2189, in do_logprof_pass
log = log_reader.read_log(logmark)
File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 407, in read_log
raise AppArmorBug(ex_msg) # py3-only: from None
apparmor.common.AppArmorBug: Log contains unknown mode senw

This error was caused by the log line:
Jul 6 12:31:45 kernel: [ 1585.343460] audit: type=1400 audit(1467822705.150:668): apparmor="ALLOWED" operation="file_perm" profile="/usr/bin/konversation" pid=6877 comm="konversation" laddr=192.168.1.22 lport=58236 faddr=164.132.77.237 fport=6697 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-4ubuntu2

---------------
apparmor (2.10.95-4ubuntu2) yakkety; urgency=medium

  * Drop the following change now that click-apparmor has been updated:
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/patches/allow-stacking-tests-to-use-system.patch,
    debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
    patch with the final version that landed upstream and annotate the patch
    headers accordingly
  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contains
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
    fcitx-strict abstractions that fcitx client profiles can reuse.
  * debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
    from the fcitx-data to apparmor by setting up the correct Breaks and
    Replaces.
  * debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
    abstraction that mozc client profiles can reuse.
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the onexec.sh
    periodically failing
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file. (LP: #1604872)

 -- Tyler Hicks <email address hidden> Tue, 26 Jul 2016 23:03:05 -0500

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Tyler Hicks (tyhicks)
description: updated
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu Xenial):
status: Confirmed → In Progress
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Neil, or anyone else affected,

Accepted apparmor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Martin Pitt (pitti) wrote :

Hello Neil, or anyone else affected,

Accepted apparmor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've thoroughly tested apparmor 2.10.95-0ubuntu2.2 in xenial-proposed. I've verified that this bug is fixed (via the Test Case in the description) and I've also went through the AppArmor Test Plan (excluding the Ubuntu Touch specific tests):

  https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

The Test Plan includes running the entire set of upstream AppArmor tests, a number of integration tests, libvirt tests, LXC/LXD tests, docker.io tests, Snappy confinement tests, etc.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Christian Boltz (cboltz) wrote :

This bugreport is getting quite long ;-) and starts to get confusing.

I just opened https://bugs.launchpad.net/apparmor/+bug/1613061 as reminder that logparser.py needs to switch based on the event details instead of the operation= keyword.

The crashes reported in this bug are (hot)fixed in all supported releases (see the exact commits in the comments above), therefore I'm closing this bug.

Changed in apparmor:
status: New → Fix Released
milestone: none → 2.11
status: Fix Released → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.2

---------------
apparmor (2.10.95-0ubuntu2.2) xenial; urgency=medium

  * r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
    aa-logprof crash by ignoring file events that contains send *and* receive
    in the request mask. This is an improvement to the previous fix that only
    addressed events that contained send *or* receive.
    (LP: #1577051, LP: #1582374)
    - debian/rules: Create a new empty file, needed for the test added by this
      patch, since quilt is unable to do so.

 -- Tyler Hicks <email address hidden> Mon, 01 Aug 2016 18:03:36 -0500

Changed in apparmor (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Christian Boltz (cboltz) wrote :

"Real fix" (which decides about file vs. network instead of ignoring these events) implemented in bzr trunk r3594 and 2.10 branch r3369.

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.