scoperunner tries to access /proc/*/attr/current, denied by apparmor

I strongly suspect that the apparmor entries are normal. During start-up, the scopes run time calls aa_getcon() to figure out whether a scope is confined or not. I suspect that this is what's causing these denials. In other words, they are most likely normal and unrelated to your problem.

Jamie, I don't know how aa_getcon() is implemented. Would you expect to see failures from /proc/<uid>/attr/current? I know that reading that file returns the current profile, so I suspect aa_getcon() reads the /proc entry behind the scenes?

Scott, if your leaf scopes don't return results, I strongly suspect that something else isn't right, but I'm pretty sure that apparmor denials have nothing to do with this.

aa_getcon() does use /proc/<pid>/attr/current. The problem is, we can't allow apps to access this file because we cannot currently limit the pid to self. Ie, this is what we want:
  @{PROC}/self/attr/current r,

but this is what we must use now:
  @{PROC}/[0-9]*/attr/current r,

Therefore, if we allowed that ^, an app could easily enumerate what apps are installed on the device, which constitutes an information disclosure issue. That said, I can happily silence the denial with:
  deny @{PROC}/[0-9]*/attr/current r,

if the scopes runner can handle this well. Note, I'm pretty sure we pointed you at aa_getcon(), however we didn't expect it to be run from within a confined scope process.

Thanks for the comments Jamie. We call aa_getcon() to figure out whether we are running confined or not:

    // Find out whether we are confined. aa_getcon() returns -1 in that case.
    char* con = nullptr;
    char* mode;
    int rc = aa_getcon(&con, &mode);
    // Only con (not mode) must be deallocated
    free(con);
    confinement_type = rc == -1 ? "leaf-net" : "unconfined";

If you want to silence the denial in the logs, that's cool with me. We just rely on aa_getcon() returning -1 if we are confined. So, as long as the return value doesn't change, I'm good with silencing it (but I don't have a problem with the log entry per se either).

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.23

---------------
apparmor-easyprof-ubuntu (1.2.23) utopic; urgency=medium

  * ubuntu-scope-network:
    - don't needlessly escape '-' in zmq access rule
    - silence @{PROC}/[0-9]*/attr/current denial since the scopes runner uses
      aa_getcon() and the denial is noisy (LP: #1367264)
  * ubuntu-webapp: explicitly deny noisy denial to dbus bind on
    org.freedesktop.Application
  * debian/apparmor-easyprof-ubuntu.postinst: update the cached .md5sums file
    on upgrade to avoid running on install and then again on first boot after
    upgrade. This change only affects apt upgrades and not system-image
    upgrades since system-image upgrades always use the existing .md5sums if
    they exist (see /etc/system-image/writable-paths).
 -- Jamie Strandboge <email address hidden> Wed, 10 Sep 2014 08:54:28 -0500