** Summary changed:

- aa-enforce fails due to syntax error in snapd.snap-confine profile
+ apparmor python tools do not understand 'include' rules
** Description changed:

+ The apparmor_parser now supports 'include' rules in addition to
+ '#include', but the python tools only understand '#include'. This
+ manifested itself in Ubuntu in bug #1734038 (see
+ https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
+ of that bug for details).
+ 
+ Reproducer:
+ 
+ $ mkdir /tmp/test
+ 
+ $ cat /etc/apparmor.d/lp1733700
+ profile lp1733700 {
+   include "/tmp/test"
+ }
+ 
+ $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
+ ok
+ 
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
+ 
+ Changing the 'include' to '#include' results in:
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ Setting /etc/apparmor.d/lp1733700 to enforce mode.
+ 
+ At least aa-logprof is also affected.
+ 
+ = Original report =
  On Ubuntu artful, I'm seeing the following behavior:
  
  $ aa-enforce usr.bin.chromium-browser
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15: include "/var/lib/snapd/apparmor/snap-confine.d"
  /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.
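As an added illustration (not code from the apparmor python tools or from this bug), a minimal line-oriented profile reader run over the reproducer profile, with a hypothetical `#include`-only pattern beside a corrected pattern that also accepts the bare `include` form apparmor_parser already understands:

```python
import re

# Constructed profiles (not the files from the bug report): the reproducer written
# with the newer bare 'include' rule, and the same profile with '#include'.
PROFILE_INCLUDE = 'profile lp1733700 {\n  include "/tmp/test"\n}\n'
PROFILE_HASH_INCLUDE = PROFILE_INCLUDE.replace('include "', '#include "')

# Hypothetical pattern in the style of the behaviour the bug describes: the leading
# '#' is mandatory, so a bare 'include' line is not recognised as an include rule.
_INCLUDE_TARGET = r'(?:<(?P<ltgt>[^>]+)>|"(?P<quoted>[^"]+)"|(?P<bare>[^\s"<>]+))'
RE_INCLUDE_HASH_ONLY = re.compile(r'^\s*#include\s*' + _INCLUDE_TARGET + r'\s*$')
# Corrected pattern: the '#' becomes optional, matching what apparmor_parser accepts.
RE_INCLUDE_BOTH = re.compile(r'^\s*#?include\s*' + _INCLUDE_TARGET + r'\s*$')

RE_PROFILE_START = re.compile(r'^\s*profile\s+(?P<name>\S+)\s*\{\s*$')
RE_PROFILE_END = re.compile(r'^\s*\}\s*$')


def parse_profile(text, include_re):
    """Return (profile name, list of include targets) for a tiny subset of the syntax.

    Raises SyntaxError for any non-blank, non-comment line it cannot classify,
    which is the failure mode aa-enforce hits on a bare 'include' line."""
    name, includes = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = include_re.match(line)      # includes first: '#include' also looks like a comment
        if m:
            includes.append(m.group('ltgt') or m.group('quoted') or m.group('bare'))
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue                    # blank line or comment
        m = RE_PROFILE_START.match(line)
        if m:
            name = m.group('name')
            continue
        if RE_PROFILE_END.match(line):
            continue
        raise SyntaxError('Unknown line found at line %d: %s' % (lineno, stripped))
    return name, includes


def accepts(text, include_re):
    """True if the profile parses with the given include pattern, False on a syntax error."""
    try:
        parse_profile(text, include_re)
        return True
    except SyntaxError:
        return False
```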
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: apparmor
       Status: New => Triaged

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
       Status: Triaged

** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Bionic)
       Status: Triaged => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  apparmor python tools do not understand 'include' rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
