** Description changed:
- The apparmor_parser now supports 'include' rules in addition to
- '#include', but the python tools only understand '#include'. This
- manifested itself in Ubuntu in bug #1734038 (see
- https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
- of that bug for details).
+ The apparmor parser supports 'include' and '#include' rules for
+ specifying absolute paths, but the python tools only understand include
+ rules for so called 'magic' '<>' file locations.
+
+ Reproducer:
+
+ $ mkdir /tmp/test1 /tmp/test2
+
+ $ cat /etc/apparmor.d/lp1733700
+ profile lp1733700 {
+ #include "/tmp/test1"
+ include "/tmp/test2"
+ }
+
+ $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
+
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+
+ ERROR: Syntax Error: Missing '}' or ','. Reached end of file
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+
+ Note that the original description said that changing the rule from
+ 'include' to '#include' fixed the issue when in reality it only allowed
+ the rule to parse as a comment instead of erroring.
+
+ = Original description =
+ The apparmor_parser now supports 'include' rules in addition to '#include',
but the python tools only understand '#include'. This manifested itself in
Ubuntu in bug #1734038 (see
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of
that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
- include "/tmp/test"
+ include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file
/etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
- $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
- $ aa-enforce usr.bin.chromium-browser
-
- ERROR: Syntax Error: Unknown line found in file
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
- include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
+ $ aa-enforce usr.bin.chromium-browser
+
+ ERROR: Syntax Error: Unknown line found in file
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
+ include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10.
** Description changed:
The apparmor parser supports 'include' and '#include' rules for
specifying absolute paths, but the python tools only understand include
rules for so called 'magic' '<>' file locations.
Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
- #include "/tmp/test1"
- include "/tmp/test2"
+ #include "/tmp/test1"
+ include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file
- /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700.
Note that the original description said that changing the rule from
'include' to '#include' fixed the issue when in reality it only allowed
the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include',
but the python tools only understand '#include'. This manifested itself in
Ubuntu in bug #1734038 (see
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of
that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file
/etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file
/etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10.
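The description above boils down to two include spellings ('#include' and 'include') times two path forms (a 'magic' <...> location and a "quoted" absolute path), of which the python tools only understood the <...> form, and to the observation that a '#include "/abs/path"' line does not fail but is swallowed as a comment. The following Python is an added illustration written for this page; it is not code from the AppArmor utils, and the regular expressions are a deliberately reduced model of the profile grammar (no bare unquoted paths, no 'include if exists'). It contrasts a parser that accepts all four forms and refuses to drop an unparsed include against a model of the magic-only behaviour from the report, run over a constructed profile that mirrors the reproducer.

```python
import re

# Constructed sample profile modelled on the reproducer in the report:
# two 'magic' <...> includes, then the two absolute-path forms, then a
# genuine comment and an ordinary file rule.
SAMPLE_PROFILE = """\
profile lp1733700 {
  #include <abstractions/base>
  include <abstractions/nameservice>
  #include "/tmp/test1"
  include "/tmp/test2"
  # a real comment: include "/not/an/include"
  /etc/ld.so.cache r,
}
"""

# All four spellings the report says apparmor_parser accepts: optional
# leading '#', the keyword 'include', then either <magic> (looked up in the
# include search directories) or a "quoted" absolute path.
# Assumption for this example: bare unquoted paths and 'include if exists'
# are not modelled.
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+'
    r'(?:<(?P<magic>[^>]+)>|"(?P<quoted>[^"]+)")\s*$'
)

# The narrower grammar the report attributes to the python tools: only the
# <magic> form is an include rule.
MAGIC_ONLY_RE = re.compile(r'^\s*#?include\s+<(?P<magic>[^>]+)>\s*$')


def parse_includes(text):
    """Return (kind, path) for every include rule in `text`.

    kind is 'magic' for <...> includes and 'path' for "..." includes.
    Lines starting with '#' that are not include rules are comments.
    Anything that starts with 'include' but matches neither form raises,
    so an unrecognised include is never dropped on the floor.
    """
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if m:
            if m.group("magic") is not None:
                found.append(("magic", m.group("magic")))
            else:
                found.append(("path", m.group("quoted")))
            continue
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # plain comment
        if re.match(r"include\b", stripped):
            raise ValueError(f"line {lineno}: unrecognised include rule: {stripped}")
    return found


def parse_includes_magic_only(text):
    """Model of the pre-fix behaviour described in the report.

    Returns (found, dropped, errors): '#include "/abs"' lines land in
    `dropped` because the leading '#' makes them look like comments (no
    error, include silently lost); 'include "/abs"' lines land in `errors`
    because no rule matches them (the "Unknown line" / syntax error case).
    Errors are collected instead of raised so the whole profile is reported.
    """
    found, dropped, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MAGIC_ONLY_RE.match(line)
        if m:
            found.append(("magic", m.group("magic")))
            continue
        stripped = line.strip()
        if stripped.startswith("#"):
            if stripped.startswith("#include"):
                dropped.append((lineno, stripped))  # swallowed as a comment
            continue
        if re.match(r"include\b", stripped):
            errors.append((lineno, stripped))
    return found, dropped, errors


if __name__ == "__main__":
    print("all forms:", parse_includes(SAMPLE_PROFILE))
    found, dropped, errors = parse_includes_magic_only(SAMPLE_PROFILE)
    print("magic-only understood:", found)
    print("silently dropped:", dropped)
    print("syntax errors:", errors)
```

The point for anyone auditing profiles with their own tooling is the `dropped` list: a profile that appears to parse cleanly may still be missing include rules, so a checker should treat an include-looking line it cannot classify as an error rather than as a comment.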
--
https://bugs.launchpad.net/bugs/1733700
Title:
python tools do not understand 'non-magic' include rules
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs