** Description changed: + [SRU] + + [ Impact ] + + * AppArmor profile for 'tellico' misformatted, which causes: + + - Profile fails to load on package installation. + - AppArmor cannot be restarted (profiles cannot be reloaded because of the faulty profile installed by tellico). + + * The suggested upload [1] includes a simple fix to the profile. + + [ Test Plan ] + + * Reproducing the bug: + + 1. Install the latest avail. version of package 'tellico': + + - 4.1.1-1ubuntu2 on Plucky, or + - 4.1.3-1ubuntu1 on Questing + + Output on Plucky: + + $ sudo apt update + $ sudo apt install tellico + [snip] + Preparing to unpack .../tellico_4.1.1-1ubuntu2_amd64.deb ... + Unpacking tellico (4.1.1-1ubuntu2) ... + Setting up tellico (4.1.1-1ubuntu2) ... + AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE + + 2. Try to restart AppArmor: + + $ sudo systemctl restart apparmor + Job for apparmor.service failed because the control process exited with error code. + See "systemctl status apparmor.service" and "journalctl -xeu apparmor.service" for details. + + $ sudo systemctl status apparmor.service + [snip] + Oct 08 06:32:19 telltest2504 systemd[1]: Starting apparmor.service - Load AppArmor profiles... + Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Restarting AppArmor + Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Reloading AppArmor profiles + Oct 08 06:32:20 telltest2504 apparmor.systemd[7934]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK> + Oct 08 06:32:20 telltest2504 apparmor.systemd[7795]: Error: At least one profile failed to load + Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE + Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Failed with result 'exit-code'. 
+ Oct 08 06:32:20 telltest2504 systemd[1]: Failed to start apparmor.service - load AppArmor profiles. + + * Fix: + + * Modifying the AppArmor profile as suggested in the linked bug [0], + as well as in the prepared MPs against ubuntu/plucky-devel [1] and + ubuntu/devel [2], fixes the problem: tellico installs, and AppArmor can + (re)load all profiles as expected. + + * That the fix works can be tested by following the above + instructions for reproducing after installing: + + - 4.1.1-1ubuntu3 from plucky-proposed (when [1] is merged) + - 4.1.3-1ubuntu2 from questing-proposed (when [2] is merged) + + [ Where problems could occur ] + + * A faulty AppArmor profile (that can be loaded and allows the app to + run) could introduce a security problem. Given that the suggested fix + does not modify the access control (i.e. does not add, remove, or change + the defined rules in the profile, which had already been merged before) + and only fixes syntax, I believe this potential problem does not apply + in this case. + + Also, this profile is the same as a working profile in another package that already is a part of the distribution: plasma-welcome: + https://git.launchpad.net/ubuntu/+source/plasma-welcome/tree/debian/plasma-welcome-apparmor + + [ Other Info ] + + * Tested with the same results (both the bug and the fix) on Plucky and + Questing. + + * PPA with the fix for testing purposes is at [3]. + + * The package has no autopkgtests, so not reporting on that. + + * Devel is not yet open, so the package can't be fixed there, but an MP + with a proposed fix is opened against ubuntu/devel, ready to be merged + when devel becomes available [2]. 
+ + I hope this satisfies the exception to "Development release fixed + first": "stable release updates should not and do not need to wait for + the development release to open, as long as the development release + upload is prepared and ready" [4] + + [0] https://bugs.launchpad.net/ubuntu/+source/tellico/+bug/2120284 + [1] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/494043 + [2] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/493972 + [3] https://launchpad.net/~rkratky/+archive/ubuntu/tellico-fix-lp2120284-apparmor + [4] https://documentation.ubuntu.com/sru/en/latest/explanation/further-requirements/#explanation-devel-first + + + [ Original Description ] + Ubuntu 25.04 tellico 4.1.1-1ubuntu2 The AppArmor policy shipped with 'tellico' (`/etc/apparmor.d/usr.bin.tellico`) seems misformatted, which causes this error when trying to load it: ``` $ apparmor_parser /etc/apparmor.d/usr.bin.tellico AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE ``` Line 33: ``` $ sed '30,36!d' /etc/apparmor.d/usr.bin.tellico - ptrace, + ptrace, - /usr/lib/qt6/libexec/QtWebEngineProcess - /** pux, - /{,**} mrwlk, + /usr/lib/qt6/libexec/QtWebEngineProcess + /** pux, + /{,**} mrwlk, - profile QtWebEngineProcess { + profile QtWebEngineProcess { ``` I'm guessing the following should fix it. 
But after loading the updated profile (which goes through), Tellico segfaults immediately after running it: ``` - ptrace, + ptrace, - /usr/lib/qt6/libexec/QtWebEngineProcess cx -> QtWebEngineProcess, + /usr/lib/qt6/libexec/QtWebEngineProcess cx -> QtWebEngineProcess, - profile QtWebEngineProcess { - capability, - userns, + profile QtWebEngineProcess { + capability, + userns, ``` Just to be sure, I also tried with the following (which was in Tellico 3.x), but Tellico also segfaults when this profile is loaded: + ``` + ptrace, - ``` - ptrace, - - /usr/lib/qt6/libexec/QtWebEngineProcess cx -> + /usr/lib/qt6/libexec/QtWebEngineProcess cx -> &tellico//QtWebEngineProcess, - profile QtWebEngineProcess { - capability, - userns, + profile QtWebEngineProcess { + capability, + userns, ``` Unloading the profile lets Tellico run again without the segfault. I haven't investigated further yet.
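
Review bot: The [ Test Plan ] and "Fix" items stop at "tellico installs, and AppArmor can (re)load all profiles as expected", but the [ Original Description ] kept at the end of this change reports that with the corrected transition rule loaded "Tellico segfaults immediately after running it", and that only unloading the profile lets it run. As written, the plan would pass in exactly that state. Add a verification step that starts tellico with the fixed profile loaded and confirms that it runs confined, and say in the description whether the segfault still occurs with 4.1.1-1ubuntu3 and 4.1.3-1ubuntu2. [ Where problems could occur ] should list that crash as the regression to watch for. The current text considers only a profile that loads and is too permissive, not one that loads and stops the application from starting.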
--
https://bugs.launchpad.net/bugs/2120284

Title:
  Tellico AppArmor policy parser error: unexpected TOK_ID, expecting TOK_MODE
