AppArmor

abstractions/python not including /usr/include/python folders

Bug #840734 reported by Hani B on 2011-09-04

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Fix Released	Medium	Unassigned

Bug Description

Binary package hint: apparmor

How to find:

hani@JustD:~$ cat /home/hani/myapp
#! /usr/bin/python
hani@JustD:~$ sudo aa-autodep /home/hani/myapp
hani@JustD:~$ chmod +x myapp
hani@JustD:~$ ./myapp

hani@JustD:~$ sudo aa-logprof home.hani.myapp
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /home/hani/myapp
Path: /usr/include/python2.7/pyconfig.h
Mode: r
Severity: unknown

abstractions/python doesn't include the python folders in /usr/include. These are:
/usr/include/python2.6
/usr/include/python2.6_d
/usr/include/python2.7
/usr/include/python2.7_d
/usr/include/python3.1
/usr/include/python3.2mu

Fix: Adding /usr/include/python{2,3}.[0-7]*/** r, to /etc/apparmor.d/abstractions/python

I've attached a diff for that.

Tags:

Related branches

lp:apparmor/2.12

lp:ubuntu/precise/apparmor

lp:~kees/apparmor/debian

Revision history for this message

Hani B (kroosec-deactivatedaccount) wrote on 2011-09-04:

Diff to add /usr/include/python folders Edit (54 bytes, text/plain)

Revision history for this message

Felix Geyer (debfx) wrote on 2011-11-30:

Indeed even a minimalistic python application reads pyconfig.h so adding something like this to abstractions/python would be a very good idea:

/usr/include/python2.[4567]/pyconfig.h r,

Revision history for this message

Steve Beattie (sbeattie) wrote on 2011-11-30:

Thanks, I've added

/usr/include/python{2,3}.[0-7]*/pyconfig.h r,

to the python abstraction (lp:apparmor commit 1854). It's unclear to me why the python runtimes would need access to this or other headers. Please reopen this bug if turns up that access to other headers is necessary.