aa-logprof wrongly transforms PUx to UPx

Bug #982619 reported by Julian Taylor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | High | Steve Beattie |
Precise | Fix Released | High | Steve Beattie |

Bug Description

AppArmor accepts the PUx qualifier, but when aa-logprof updates a profile that uses it, it transforms it to UPx, which AppArmor does not accept.
It then complains:
AppArmor parser error for /etc/apparmor.d/home.jtaylor.tmp.test.sh in /etc/apparmor.d/home.jtaylor.tmp.test.sh at line 22: syntax error, unexpected TOK_ID, expecting TOK_MODE

e.g.
#include <tunables/global>

/home/jtaylor/tmp/test.sh {
  #include <abstractions/base>
  #include <abstractions/bash>

  /usr/bin/gedit rPUx,

}

Put something other than gedit in /home/jtaylor/tmp/test.sh and run logprof, and it will break the profile.

apparmor version: 2.7.102-0ubuntu3 in 12.04
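
A way to detect profiles already damaged by this rewrite, as an added example that is not part of the original report and is not aa-logprof's or the fix's code: it flags file rules whose permission string contains no exec transition from the apparmor.d(5) grammar. The function name `find_bad_exec_modes`, the simplified rule regex and the sample profile are assumptions made for illustration.

```python
import re

# Exec transitions that apparmor_parser accepts, per the apparmor.d(5) grammar.
# "UPx", the string aa-logprof wrote in this bug, is not one of them.
EXEC_MODES = ["pix", "Pix", "cix", "Cix", "pux", "PUx", "cux", "CUx",
              "ix", "ux", "Ux", "px", "Px", "cx", "Cx"]
ACCESS = "rwalkm"  # plain file access letters

# Permission string: access letters around at most one exec transition.
PERM_RE = re.compile(r"^[%s]*(?:(?:%s)[%s]*)?$"
                     % (ACCESS, "|".join(EXEC_MODES), ACCESS))
# Simplified file rule: optional qualifiers, path, permission token, comma.
# Quoted paths and "->" named transitions are not matched and are skipped.
RULE_RE = re.compile(
    r"^\s*((?:(?:audit|deny|owner)\s+)*)(/\S*|@\{\S+)\s+(\S+?)\s*,\s*(?:#.*)?$")


def find_bad_exec_modes(profile_text):
    """Return (line_no, path, perms) for file rules whose mode cannot parse."""
    bad = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # includes, comments, braces, rules outside this subset
        quals, path, perms = m.groups()
        if "deny" in quals.split():
            continue  # deny rules take a bare "x"; out of scope here
        if not PERM_RE.match(perms):
            bad.append((line_no, path, perms))
    return bad


# Constructed sample: the profile from the report after the bad rewrite.
BROKEN = "\n".join([
    "#include <tunables/global>",
    "",
    "/home/jtaylor/tmp/test.sh {",
    "  #include <abstractions/base>",
    "  /usr/bin/gedit rUPx,",
    "  /bin/cat rix,",
    "}",
])

if __name__ == "__main__":
    for line_no, path, perms in find_bad_exec_modes(BROKEN):
        print("line %d: %s has unparseable mode %r" % (line_no, path, perms))
```

A profile that fails to load is not enforced, so running a check like this over /etc/apparmor.d after aa-logprof sessions on affected versions shows which profiles need the mode restored to PUx.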

Julian Taylor (jtaylor)
description: updated
Changed in apparmor (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
status: New → Triaged
assignee: nobody → Steve Beattie (sbeattie)
tags: added: rls-p-tracking
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-updates
Steve Beattie (sbeattie) wrote :

Thanks, I've reproduced the issue and am trying to track down where things are going wrong.

Changed in apparmor (Ubuntu Precise):
status: Triaged → In Progress
Steve Beattie (sbeattie) wrote :

This was addressed in Ubuntu 12.10 with the 2.8.0-0ubuntu1 package. I'll include a fix for this for 12.04 LTS in an SRU.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Dave Walker (davewalker) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Julian Taylor (jtaylor) wrote :

The fix is working in precise.

tags: added: verification-done
removed: verification-needed
Seth Arnold (seth-arnold) wrote :

Verified apparmor-utils in proposed fixes this issue on precise.

Seth Arnold (seth-arnold) wrote :

apparmor 2.7.102-0ubuntu3.8 has been superseded by apparmor 2.7.102-0ubuntu3.9 in -proposed and needs new verification.

tags: added: verification-needed
removed: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8

---------------
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
    rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating
    the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
    within ubuntu-integration (LP: #987578)
 -- Steve Beattie <email address hidden> Thu, 24 Jan 2013 11:40:48 -0800

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: added: verification-done
removed: verification-needed