Bug#805145: /usr/sbin/aa-status: aa-status --enabled hangs on upgrade until kill

2018-06-13 Thread intrigeri
Hi,

Regarding the specific buggy case you've met: Christian asked you for
some more info in https://bugs.debian.org/805145#10. Any chance you
could provide it?

Regarding how widespread the triggers of that bug are: since 2.10.95-2
the snippets included by dh-apparmor in postinst use aa-enabled (which
is a light, fast, single purpose C program) instead of
"aa-status --enabled", so any package that uses dh-apparmor and got
rebuilt since this version was uploaded does not run
"aa-status --enabled". Now,
https://codesearch.debian.net/search?q=aa-status+--enabled&perpkg=1
tells me that some packages don't use dh-apparmor and instead have
hard-coded calls to "aa-status --enabled". Ouch! Next step would be to
report bugs (ideally with patches) against these packages to make them
use dh-apparmor (ideally) or aa-enabled (at least). Now, on the
systems I have at hand, "aa-status --enabled" takes less than 0.1s to
run, so I probably won't work on this myself.

Cheers,
-- 
intrigeri



Bug#805145: [pkg-apparmor] Bug#805145: /usr/sbin/aa-status: aa-status --enabled hangs on upgrade until kill

2016-06-23 Thread intrigeri
Hi Patrick,

Christian Boltz wrote (15 Nov 2015 16:08:35 GMT) :
> Please provide the output of
> wc -l /sys/kernel/security/apparmor/profiles
> time aa-status   # be patient, please ;-)

> [...]

> BTW: Do you really have a profile for /usr/bin/python2.7? That's probably 
> a bad idea ;-) and I seriously recommend to delete and unload it (unless 
> you have a _very good_ reason for what you are doing).

> The usual recommendation is to create a profile for the python scripts, 
> and then have an ix (inherit) rule for the python interpreter. (This 
> also means you have to run those scripts using "./myscript.py", not 
> "python myscript.py".)

Ping?

Cheers,
--
intrigeri



Bug#805145: [pkg-apparmor] Bug#805145: /usr/sbin/aa-status: aa-status --enabled hangs on upgrade until kill

2015-11-15 Thread Christian Boltz
Hello,

the crash log contains a very interesting detail - you killed aa-status 
while it worked on the profile

/usr/bin/python2.7//null-5ec//null-5ed//null-5...5ef//null-667//null-668//null-574fe
 
(the line was shortened when python created the crash log, there were 
probably more null-* nesting levels)

Those null-* profiles are used in complain mode to track exec events.
In your case, there must have been *lots of* exec events, which leads to 
*lots of* those null-* profiles, nested as deep as the exec chain goes.

Please provide the output of
wc -l /sys/kernel/security/apparmor/profiles
time aa-status   # be patient, please ;-)

I'm quite sure aa-status is _not_ in an endless loop - it's "just" busy 
with reading a very long list of profiles.

That said - we are probably wasting CPU cycles if you only check for 
--enabled. That's not really noticeable with 50 or 100 profiles loaded, 
but with > 1000 profiles (in your case mostly null-*) it might take some 
time. 
I opened https://bugs.launchpad.net/apparmor/+bug/1516400 for that.


BTW: Do you really have a profile for /usr/bin/python2.7? That's probably 
a bad idea ;-) and I seriously recommend to delete and unload it (unless 
you have a _very good_ reason for what you are doing).

The usual recommendation is to create a profile for the python scripts, 
and then have an ix (inherit) rule for the python interpreter. (This 
also means you have to run those scripts using "./myscript.py", not 
"python myscript.py".)


Regards,

Christian Boltz
-- 
So we have unequivocal proof that I'm more dangerous to my own machine
than any of the updates we've rolled out to Tumbleweed in the last 14
months. [Richard Brown in opensuse-factory]
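
An added example, not part of the original thread and not AppArmor's own code: a small Python summary of a profile listing that shows how many null-* transition profiles hang off each top-level profile and how deep they nest, which is the condition Christian describes above. The sample listing is constructed in the "name (mode)" line format visible in the crash log; `summarize` and `noisy_parents` are hypothetical helper names.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the line format of
# /sys/kernel/security/apparmor/profiles ("<profile name> (<mode>)");
# it is not taken from the reporter's system.
SAMPLE = """\
/usr/sbin/ntpd (enforce)
/usr/bin/python2.7 (complain)
/usr/bin/python2.7//null-5ec (complain)
/usr/bin/python2.7//null-5ec//null-5ed (complain)
/usr/bin/python2.7//null-5ec//null-5ed//null-5ee (complain)
/usr/bin/evince//sanitized_helper (enforce)
"""

LINE_RE = re.compile(r"^(.+?)\s+\((\w+)\)$")


def summarize(text):
    """Group loaded profiles by top-level name and count null-* children."""
    stats = defaultdict(lambda: {"total": 0, "null": 0, "max_depth": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # skip malformed lines instead of raising
            continue
        parts = m.group(1).split("//")  # "//" separates nested profiles
        depth = sum(1 for p in parts[1:] if p.startswith("null-"))
        entry = stats[parts[0]]
        entry["total"] += 1
        entry["null"] += 1 if depth else 0
        entry["max_depth"] = max(entry["max_depth"], depth)
    return dict(stats)


def noisy_parents(stats, threshold=2):
    """Top-level profiles that have at least `threshold` null-* children."""
    return sorted(n for n, s in stats.items() if s["null"] >= threshold)


if __name__ == "__main__":
    # Pass a path (e.g. a saved copy of the profiles file) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = summarize(text)
    for name in noisy_parents(result):
        print(name, result[name])
```

Reading the live file under /sys/kernel/security/apparmor/ normally requires root, so saving a copy and passing its path is the simplest way to run this on a real system.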



Bug#805145: /usr/sbin/aa-status: aa-status --enabled hangs on upgrade until kill

2015-11-15 Thread Patrick Winnertz
Package: apparmor
Version: 2.10-2+b1
Severity: important
File: /usr/sbin/aa-status

Dear Maintainer,

upgrading packages which include apparmor profiles and execute aa-status 
during the upgrade process leads to an indefinitely running aa-status process.
Only a kill -9 on the process helps to finish the update.

A similar behaviour is achieved when running aa-status manually and killing it 
with CTRL-C. The resulting crash log is attached to this report.

Greetings
Patrick


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.58
ii  libapparmor-perl       2.10-2+b1
ii  libc6                  2.19-22
ii  lsb-base               9.20150917
ii  python3                3.4.3-7

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-docs            2.10-2
ii  apparmor-profiles        2.10-2
ii  apparmor-profiles-extra  1.6
ii  apparmor-utils           2.10-2+b1

-- debconf information:
  apparmor/homedirs:
KeyboardInterrupt
Python 3.4.3+: /usr/bin/python3
Sun Nov 15 10:14:14 2015

A problem occurred in a Python script.  Here is the sequence of
function calls leading up to the error, in the order they occurred.

 /usr/sbin/aa-status in ()
  210 '--help' : print_usage,
  211 '-h' : print_usage
  212 }
  213 
  214 if cmd in commands:
  215 commands[cmd]()
  216 sys.exit(0)
  217 else:
  218 sys.stderr.write("Error: Invalid command.\n")
  219 print_usage()
commands = {'--complaining': , '--enabled': , '--enforced': , '--help': , '--profiled': , '--verbose': , '-h': , '-v': }
cmd = '--enabled'

 /usr/sbin/aa-status in cmd_enabled()
   26 # just let normal python exceptions happen (LP: #1480492)
   27 pass
   28 
   29 def cmd_enabled():
   30 '''Returns error code if AppArmor is not enabled'''
   31 if get_profiles() == {}:
   32 sys.exit(2)
   33 
   34 def cmd_profiled():
   35 '''Prints the number of loaded profiles'''
global get_profiles = 

 /usr/sbin/aa-status in get_profiles()
  106 errormsg("You do not have enough privilege to read the 
profile set.")
  107 else:
  108 errormsg("Could not open %s: %s" % (apparmor_profiles, 
os.strerror(e.errno)))
  109 sys.exit(4)
  110 
  111 for p in f.readlines():
  112 match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
  113 profiles[match.group(1)] = match.group(2)
  114 
  115 f.close()
p undefined
f = <_io.TextIOWrapper name='/sys/kernel/security/apparmor/profiles' mode='r' 
encoding='UTF-8'>
f.readlines = 

 /usr/lib/python3.4/codecs.py in 
decode(self=, 
input=b'/usr/bin/python2.7//null-5ec//null-5ed//null-5...5ef//null-667//null-668//null-574fe
 (complain)\n', final=False)
  311 def _buffer_decode(self, input, errors, final):
  312 # Overwrite this method in subclasses: It must decode input
  313 # and return an (output, length consumed) tuple
  314 raise NotImplementedError
  315 
  316 def decode(self, input, final=False):
  317 # decode input (taking the buffer into account)
  318 data = self.buffer + input
  319 (result, consumed) = self._buffer_decode(data, self.errors, final)
  320 # keep undecoded input until the next call
global decode = 
self = 
input = 
b'/usr/bin/python2.7//null-5ec//null-5ed//null-5...5ef//null-667//null-668//null-574fe
 (complain)\n'
final = False
KeyboardInterrupt: 
__cause__ = None
__class__ = 
__context__ = None
__delattr__ = 
__dict__ = {}
__dir__ = 
__doc__ = 'Program interrupted by user.'
__eq__ = 
__format__ = 
__ge__ = 
__getattribute__ = 
__gt__ = 
__hash__ = 
__init__ = 
__le__ = 
__lt__ = 
__ne__ = 
__new__ = 
__reduce__ = 
__reduce_ex__ = 
__repr__ = 
__setattr__ = 
__setstate__ = 
__sizeof__ = 
__str__ = 
__subclasshook__ = 
__suppress_context__ = False
__traceback__ = 
args = ()
with_traceback = 

The above is a description of an error in a Python program.  Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/sbin/aa-status", line 215, in 
commands[cmd]()
  File "/usr/sbin/aa-status", line 31, in cmd_enabled
if get_profiles() == {}:
  File "/usr/sbin/aa-status", line 111, in get_profiles
for p in f.readlines():
  File "/usr/lib/python3.4/codecs.py", line 316, in decode
def decode(self, input, final=False):
KeyboardInterrupt


Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.