aa-logprof crash on #include <directory>

Bug #1471425 reported by Christian Boltz
Affects             Status        Importance   Assigned to        Milestone
AppArmor            Fix Released  Undecided    Christian Boltz
  2.9               Fix Released  Undecided    Unassigned
apparmor (Ubuntu)   Fix Released  Undecided    Unassigned

Bug Description

aa-logprof crashes on profiles that contain an #include <directory> _if_ there are events for this profile.

2.9 crash:

# aa-logprof -f /tmp/syslog
Reading log entries from /tmp/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2297, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 2533, in collapse_log
    if not profile_known_network(aa[profile][hat], family, sock_type):
  File "/home/cb/apparmor/2.9-branch/utils/apparmor/aa.py", line 4394, in profile_known_network
    if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
KeyError: 'apache2.d'

trunk crash:

# aa-logprof -f /tmp/syslog
Reading log entries from /tmp/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2189, in do_logprof_pass
    collapse_log()
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2426, in collapse_log
    if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 4099, in is_known_rule
    if include[incname][incname].get(rule_type, False):
KeyError: 'apache2.d'

Reproducer: (slightly faked log event, apache didn't request network raw)

aa-logprof -f <(echo 'Jul 2 06:39:54 piorun kernel: [5579093.070893] audit: type=1400 audit(1435811994.122:696484): apparmor="ALLOWED" operation="accept" profile="/usr/sbin/apache2" pid=18852 comm="apache2" lport=443 family="inet6" sock_type="raw" protocol=6')

Note: If you test with old logs, it doesn't always happen, because is_known_rule() / profile_known_*() exits as soon as it finds a match, and the order of include files is random - which means it doesn't always loop until it hits the directory include.

I'm afraid that this affects the profile_known_*() functions for all rule types.
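
The following is an added illustration of the failure pattern visible in the tracebacks above; it is not code from AppArmor's utils/apparmor/aa.py and the include-table layout is an assumption chosen to reproduce the KeyError: a file include is stored as include[name][name], a directory include such as apache2.d as include[dirname][member-file], so include[dirname][dirname] does not exist. The buggy walk mirrors the crashing lookup, the fixed walk detects directory includes and checks every file in them (the behaviour the trunk patch is described as having), and the reordered profile shows why the crash is intermittent: an earlier matching include returns before the directory include is reached.

```python
"""Constructed model of the include walk that crashes in this bug.

Added illustration, not code from AppArmor's utils/apparmor/aa.py. The
include table layout below is an assumption: a file include is stored as
include[name][name], while a directory include such as apache2.d is stored
as include[dirname][member], one entry per file in the directory, so
include[dirname][dirname] does not exist and raises KeyError('apache2.d').
"""

# Constructed include table (assumed layout, see docstring). Network rules
# are modelled as (family, sock_type) tuples.
INCLUDE = {
    "abstractions/base": {
        "abstractions/base": {"network": set()},
    },
    "abstractions/nameservice": {
        "abstractions/nameservice": {
            "network": {("inet", "stream"), ("inet6", "stream")},
        },
    },
    # directory include: keyed by the files it contains, no self-key
    "apache2.d": {
        "apache2.d/raw-sockets": {"network": {("inet6", "raw")}},
    },
}

# Constructed profile: base first, then the directory include, then nameservice.
PROFILE = {
    "include": ["abstractions/base", "apache2.d", "abstractions/nameservice"],
    "network": set(),
}


def is_known_rule_buggy(profile, include, rule_type, rule):
    """Same lookup pattern as the traceback: include[incname][incname]."""
    if rule in profile.get(rule_type, set()):
        return True
    for incname in profile["include"]:
        # KeyError as soon as incname is a directory include
        if rule in include[incname][incname].get(rule_type, set()):
            return True  # early exit: later includes are never visited
    return False


def is_known_rule_fixed(profile, include, rule_type, rule):
    """Detect directory includes and check every file inside them."""
    if rule in profile.get(rule_type, set()):
        return True
    for incname in profile["include"]:
        entries = include[incname]
        if incname in entries:
            members = [entries[incname]]        # plain file include
        else:
            members = list(entries.values())    # directory include
        for data in members:
            if rule in data.get(rule_type, set()):
                return True
    return False


def crash_key(profile, include, rule_type, rule):
    """Return the KeyError key the buggy walk raises, or None if it survives."""
    try:
        is_known_rule_buggy(profile, include, rule_type, rule)
    except KeyError as exc:
        return exc.args[0]
    return None


if __name__ == "__main__":
    raw = ("inet6", "raw")
    stream = ("inet", "stream")
    print("buggy, original order, inet6 raw ->",
          crash_key(PROFILE, INCLUDE, "network", raw))
    # nameservice before apache2.d: the match returns before the directory
    reordered = dict(PROFILE, include=["abstractions/nameservice", "apache2.d"])
    print("buggy, nameservice first, inet stream ->",
          crash_key(reordered, INCLUDE, "network", stream))
    print("fixed, inet6 raw ->",
          is_known_rule_fixed(PROFILE, INCLUDE, "network", raw))
```

In the model the include list is ordered; in the real tool the order was effectively random, which is what makes the crash appear only on some runs against old logs.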

Tags: aa-tools
Christian Boltz (cboltz)
tags: added: aa-tools
Christian Boltz (cboltz) wrote :

Patches for trunk sent to ML.

Changed in apparmor:
status: New → In Progress
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz) wrote :

Patch for 2.9 also sent to ML.

Note that the trunk patch actually honors the content of the include directory, while the 2.9 patch "just" avoids the crash.

Christian Boltz (cboltz) wrote :

Patches committed to trunk and 2.9.

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.3
Christian Boltz (cboltz)
Changed in apparmor:
milestone: 2.9.3 → 2.10
Steve Beattie (sbeattie) wrote :

AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

Changed in apparmor:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10-0ubuntu2

---------------
apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch:
    make aa-status(8) work even when python3-apparmor is not installed,
    otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
    version of python3-apparmor

 -- Steve Beattie <email address hidden> Fri, 31 Jul 2015 16:35:03 -0700

Changed in apparmor (Ubuntu):
status: New → Fix Released