apparmor apport hook should use root_command_hook() for running apparmor_status

Bug #655529 reported by Steve Beattie
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Low
Jamie Strandboge
Lucid
Fix Released
Low
Jamie Strandboge
Maverick
Fix Released
Low
Jamie Strandboge
Natty
Fix Released
Low
Jamie Strandboge

Bug Description

SRU

1. impact of the bug is minimal for stable releases, since apport is disabled by default. However, being able to run 'ubuntu-bug', 'apport-bug' or 'apport-collect' is useful for developers trying to get more information from users.

2. This has not been addressed in the development branch (it isn't open yet).

3. Patch is very small. See comment #1.

4. TEST CASE:
As non-root:
$ apport-bug apparmor --save /tmp/apport.txt

You should be prompted by sudo at this point.

5. The regression potential of the patch is very low, as it updates the apport hook which is not enabled by default in the stable releases.

Binary package hint: apparmor

When generating a bug report about apparmor, if apport is run as non-root, the apparmor_status program fails because it needs privilege to read the loaded state of the apparmor policies. This results in the ApparmorStatusOutput containing the following:

  Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
  apparmor module is loaded.

(as it is in this bug report). The invocation of apparmor_status in the apport hook should be converted to use root_command_hook so that, if the user is capable of running with privilege, they can include the status output.

The attached patch does this.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor 2.5.1~rc1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic-pae 2.6.35.4
Uname: Linux 2.6.35-22-generic-pae i686
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: i386
Date: Tue Oct 5 23:54:54 2010
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Alpha i386 (20100916)
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
SourcePackage: apparmor

Revision history for this message
Steve Beattie (sbeattie) wrote :
tags: added: patch
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

SRU

1. impact of the bug is minimal for stable releases, since apport is disabled by default. However, being able to run 'ubuntu-bug', 'apport-bug' or 'apport-collect' is useful for developers trying to get more information from users.

2. This has not been addressed in the development branch (it isn't open yet).

3. Patch is very small. See comment #1.

4. TEST CASE:
As non-root:
$ apport-bug -p apparmor --save /tmp/apport.txt

You should be prompted by sudo at this point.

5. The regression potential of the patch is very low, as it updates the apport hook which is not enabled by default in the stable releases.

Changed in apparmor (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → maverick-updates
status: New → Fix Committed
status: Fix Committed → In Progress
Changed in apparmor (Ubuntu Natty):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded 2.5.1-0ubuntu0.10.10.1 to maverick-proposed.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu1

---------------
apparmor (2.5.1-0ubuntu1) natty; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
 -- Jamie Strandboge <email address hidden> Fri, 15 Oct 2010 12:23:00 -0500

Changed in apparmor (Ubuntu Natty):
status: Triaged → Fix Released
Changed in apparmor (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Low
milestone: none → lucid-updates
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded 2.5.1-0ubuntu0.10.04.1 to lucid-proposed.

Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Maverick):
status: In Progress → Fix Committed
tags: added: verification-needed
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.10.2 in two clean up to date VMs (amd64 and i386) and this issue is resolved.

description: updated
Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.10.2

---------------
apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put apache2 profiles into the -profiles package without
    aa-logprof bailing out. Patch by Marc Deslauriers.
    (LP: #539441)
  * debian/patches/0009-sensible-browser-pix.patch: use Pix with
    sensible-browser
  * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if
    the AppArmor securityfs introspection directory is not mounted, as
    is the case on Ubuntu buildds.
 -- Jamie Strandboge <email address hidden> Tue, 02 Nov 2010 12:04:06 -0500

Changed in apparmor (Ubuntu Maverick):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is resolved.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.1 KiB)

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.