Ubuntu
apparmor package

aa-logprof is trying to process a binary instead of the profile attached to the binary

Bug #1324154 reported by timdaman
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Medium
Marc Deslauriers

Bug Description

[impact]

This bug makes it difficult for trusty users to use the apparmor policy
utilities.

[steps to reproduce]

See below

[regression potential]

This issue is being addressed by updating the python utilities to the
version in apparmor 2.9.2 as tracked in bug 1449769. This represents are
large change which would normally be risky; however, these changes are
isolated to the python utils (so no changes to the policy parser/loader
or enforcement), there are a large number of bugs that exist in the
trusty version that make using the tools difficult, so it would be
difficult to regress further, and the updated version includes many new
unit tests to try to prevent from regressions from occurring.

[additional info]

The python utils testsuite is run as part of the test-apparmor.py test
script in lp:qa-regression-testing. The test-apparmor.py also has
additional basic usage tests to ensure that basic functionality is
maintained. These tests are run as part of the process fro each kernel
update.

[original description]

I am trying to profile apache2 with aa-logprof. As part of that I ran into the following problem

root@tim-X220:~# aa-logprof -m LOGMARK1
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 52, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2262, in do_logprof_pass
    handle_children('', '', root)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1237, in handle_children
    sev_db.load_variables(profile)
  File "/usr/lib/python3/dist-packages/apparmor/severity.py", line 180, in load_variables
    for line in f_in:
  File "/usr/lib/python3.4/codecs.py", line 704, in __next__
    return next(self.reader)
  File "/usr/lib/python3.4/codecs.py", line 635, in __next__
    line = self.readline()
  File "/usr/lib/python3.4/codecs.py", line 548, in readline
    data = self.read(readsize, firstline=True)
  File "/usr/lib/python3.4/codecs.py", line 494, in read
    newchars, decodedbytes = self.decode(data, self.errors)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc6 in position 24: invalid continuation byte

When I trace back I find that on line 1237 the path to binary is passed to "load_variables" when it expects the path to the profile related to a binary. As a result it opens the binary and tries to process it as a profile. I suspect this but will appear as a range of Unicode style errors depending on what executable is being passed.

The fix is fairly simple. On line 1237 change
   sev_db.load_variables(profile)
to
  sev_db.load_variables(get_profile_filename(profile))

Attached is a patch for this.

See original description
Revision history for this message
timdaman (timdaman-gmail) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "profile_path.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Christian Boltz (cboltz) wrote :

See also https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1317176

For the records: the first half of the patch is already included in bzr trunk, and the second half looks good ;-)

Revision history for this message
Christian Boltz (cboltz) wrote :

Commited to bzr r2519.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Steve Beattie (sbeattie)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

I was able to reproduce the issue with the version of apparmor-utils and python-apparmor from trusty-updates, 2.8.95~2430-0ubuntu5.1, and can confirm that the version of each in trusty-proposed, 2.8.95~2430-0ubuntu5.2, fixes the issue. Marking verification-done.

tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.