** Description changed: [SRU] [ Impact ] * AppArmor profile for 'tellico' misformatted, which causes: - Profile fails to load on package installation. - AppArmor cannot be restarted (profiles cannot be reloaded because of the faulty profile installed by tellico). * The suggested uploads [1, 2] include a simple fix to the profile. - [ Test Plan ] * Reproducing the bug: 1. Install the latest avail. version of package 'tellico': - 4.1.1-1ubuntu2 on Plucky, or - 4.1.3-1ubuntu1 on Questing - Output on Plucky: + Output on Plucky: - $ sudo apt update - $ sudo apt install tellico - [snip] - Preparing to unpack .../tellico_4.1.1-1ubuntu2_amd64.deb ... - Unpacking tellico (4.1.1-1ubuntu2) ... - Setting up tellico (4.1.1-1ubuntu2) ... - AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE + $ sudo apt update + $ sudo apt install tellico + [snip] + Preparing to unpack .../tellico_4.1.1-1ubuntu2_amd64.deb ... + Unpacking tellico (4.1.1-1ubuntu2) ... + Setting up tellico (4.1.1-1ubuntu2) ... + AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE 2. Try to restart AppArmor: - $ sudo systemctl restart apparmor - Job for apparmor.service failed because the control process exited with error code. - See "systemctl status apparmor.service" and "journalctl -xeu apparmor.service" for details. + $ sudo systemctl restart apparmor + Job for apparmor.service failed because the control process exited with error code. + See "systemctl status apparmor.service" and "journalctl -xeu apparmor.service" for details. - $ sudo systemctl status apparmor.service - [snip] - Oct 08 06:32:19 telltest2504 systemd[1]: Starting apparmor.service - Load AppArmor profiles... 
- Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Restarting AppArmor - Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Reloading AppArmor profiles - Oct 08 06:32:20 telltest2504 apparmor.systemd[7934]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK> - Oct 08 06:32:20 telltest2504 apparmor.systemd[7795]: Error: At least one profile failed to load - Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE - Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Failed with result 'exit-code'. - Oct 08 06:32:20 telltest2504 systemd[1]: Failed to start apparmor.service - load AppArmor profiles. + $ sudo systemctl status apparmor.service + [snip] + Oct 08 06:32:19 telltest2504 systemd[1]: Starting apparmor.service - Load AppArmor profiles... + Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Restarting AppArmor + Oct 08 06:32:19 telltest2504 apparmor.systemd[7795]: Reloading AppArmor profiles + Oct 08 06:32:20 telltest2504 apparmor.systemd[7934]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK> + Oct 08 06:32:20 telltest2504 apparmor.systemd[7795]: Error: At least one profile failed to load + Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE + Oct 08 06:32:20 telltest2504 systemd[1]: apparmor.service: Failed with result 'exit-code'. + Oct 08 06:32:20 telltest2504 systemd[1]: Failed to start apparmor.service - load AppArmor profiles. * Fix: * Modifying the AppArmor profile as suggested in this bug, as well as in the prepared MPs against Plucky [3] and Questing [2], fixes the problem: tellico installs, and AppArmor can (re)load all profiles as expected. * I tested the fix and can confirm it works. This is how I tested: - 1. LXD VM for Plucky and Questing: + 1. 
LXD VM for Plucky and Questing: - $ sudo lxc launch ubuntu:25.04 --vm tellico2504 --console=vga - $ sudo lxc launch ubuntu:25.10 --vm tellico2510 --console=vga + $ sudo lxc launch ubuntu:25.04 --vm tellico2504 --console=vga + $ sudo lxc launch ubuntu:25.10 --vm tellico2510 --console=vga - 2. Install minimal graphical env. and tellico: + 2. Install minimal graphical env. and tellico: - $ sudo apt update && sudo apt upgrade - $ sudo apt install xinit openbox tellico + $ sudo apt update && sudo apt upgrade + $ sudo apt install xinit openbox tellico - (Installing tellico with the faulty AppArmor profile results in + (Installing tellico with the faulty AppArmor profile results in the parser error listed above, as well the inability to reload AppArmor profiles later.) - 3. Upgrade tellico to the version from the test PPA: + 3. Upgrade tellico to the version from the test PPA: - $ sudo add-apt-repository ppa:rkratky/tellico-fix-lp2120284-apparmor - $ sudo apt upgrade + $ sudo add-apt-repository ppa:rkratky/tellico-fix-lp2120284-apparmor + $ sudo apt upgrade - This installs the following tellico packages on Plucky and + This installs the following tellico packages on Plucky and Questing respectively: - - 4.1.1-1ubuntu3~plucky1 - - 4.1.3-1ubuntu2~questing11 + - 4.1.1-1ubuntu3~plucky1 + - 4.1.3-1ubuntu2~questing11 - (Btw, in 'questing11', the '11' is just a typo :) It was meant + In both cases, the AppArmor profile is successfully loaded + during the installation, and AppArmor can later be successfully + restarted, too. + + (Btw, in 'questing11', the '11' is just a typo :) It was meant to be '1'.) - 4. Run tellico in both VMs: + 4. Run tellico in both VMs: - $ tellico && echo OK - [snip] - OK + $ tellico && echo OK + [snip] + OK - Result: Tellico runs fine with the fixed AppArmor profile. + Result: Tellico runs fine with the fixed AppArmor profile. 
- The packages in the PPA are built from the same source as + The packages in the PPA are built from the same source as submitted in the MPs: - 4.1.1-1ubuntu2.1 for plucky-proposed [1] - 4.1.3-1ubuntu1.1 for questing-proposed [2] - [ Where problems could occur ] * A faulty AppArmor profile (that can be loaded and allows the app to run) could introduce a security problem. Given that the suggested fix does not modify the access control (i.e. does not add, remove, or change the defined rules in the profile, which had already been merged before) and only fixes syntax, I believe this potential problem does not apply in this case. Also, this profile is the same as a working profile in a number of other packages that already are a part of the distribution. For example: - plasma-welcome: https://git.launchpad.net/ubuntu/+source/plasma-welcome/tree/debian/plasma-welcome-apparmor - digikam: https://git.launchpad.net/ubuntu/+source/digikam/tree/debian/digikam-apparmor - cantor: https://git.launchpad.net/ubuntu/+source/cantor/tree/debian/cantor-apparmor - and others - [ Other Info ] * Tested with the same results (both the bug and the fix) on Plucky and Questing. * PPA with the fix for testing purposes is at [3]. * The package has no autopkgtests, so not reporting on that. 
[1] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/494043 [2] https://code.launchpad.net/~rkratky/ubuntu/+source/tellico/+git/tellico/+merge/493972 [3] https://launchpad.net/~rkratky/+archive/ubuntu/tellico-fix-lp2120284-apparmor - [ Original Description ] Ubuntu 25.04 tellico 4.1.1-1ubuntu2 The AppArmor policy shipped with 'tellico' (`/etc/apparmor.d/usr.bin.tellico`) seems misformatted, which causes this error when trying to load it: ``` $ apparmor_parser /etc/apparmor.d/usr.bin.tellico AppArmor parser error for /etc/apparmor.d/usr.bin.tellico in profile /etc/apparmor.d/usr.bin.tellico at line 33: syntax error, unexpected TOK_ID, expecting TOK_MODE ``` Line 33: ``` $ sed '30,36!d' /etc/apparmor.d/usr.bin.tellico ptrace, /usr/lib/qt6/libexec/QtWebEngineProcess /** pux, /{,**} mrwlk, profile QtWebEngineProcess { ``` I'm guessing the following should fix it. But after loading the updated profile (which goes through), Tellico segfaults immediately after running it: ``` ptrace, /usr/lib/qt6/libexec/QtWebEngineProcess cx -> QtWebEngineProcess, profile QtWebEngineProcess { capability, userns, ``` Just to be sure, I also tried with the following (which was in Tellico 3.x), but Tellico also segfaults when this profile is loaded: ``` ptrace, /usr/lib/qt6/libexec/QtWebEngineProcess cx -> &tellico//QtWebEngineProcess, profile QtWebEngineProcess { capability, userns, ``` Unloading the profile lets Tellico run again without the segfault. I haven't investigated further yet.
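Review bot: in the Fix paragraph, "the prepared MPs against Plucky [3] and Questing [2]" cites [3], but the reference list gives [3] as the test PPA and [1] as the other merge proposal, which is also how the Impact section cites them ("suggested uploads [1, 2]"); the Plucky citation should read [1]. Separately, step 4 of the fix test only records `tellico && echo OK`, and the original description notes that Tellico also runs once the profile is unloaded, so that step alone does not show the application running under the fixed profile; consider adding the output that shows the profile loaded (for example from aa-status) next to the run result.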
https://bugs.launchpad.net/bugs/2120284
Title: [SRU] Tellico AppArmor policy parser error: unexpected TOK_ID, expecting TOK_MODE
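Because a single profile that fails to parse makes the apparmor.service restart fail, as in the report above, it helps to compile each file in /etc/apparmor.d on its own before restarting the service. The script below is an added example, not part of the bug report or the tellico package; `PARSER`, `PROFILE_DIR` and the function names are assumptions of this sketch, and it relies on apparmor_parser's `-Q` (skip kernel load) and `-K` (skip reading the cache) options.

```shell
#!/bin/sh
# Added example, not from the bug report: find the profile that fails to parse
# without loading anything into the kernel.
# PARSER, PROFILE_DIR and the function names are assumptions of this sketch.
PARSER="${PARSER:-apparmor_parser}"
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"

# error_location: read parser or journal text on stdin and print
# "profile:line" once for each "AppArmor parser error" message found.
error_location() {
    sed -n 's/.*AppArmor parser error for .* in profile \([^ ]*\) at line \([0-9][0-9]*\):.*/\1:\2/p' |
        sort -u
}

# check_profiles DIR: compile every top-level profile on its own.
# -Q skips the kernel load and -K skips reading the cache, so each file is
# parsed from source. Prints one FAIL line per bad profile, returns 1 if any.
check_profiles() {
    dir="$1"
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                     # abstractions/, tunables/, ...
        [ -e "$dir/disable/${f##*/}" ] && continue  # listed in disable/
        if ! out=$("$PARSER" -Q -K "$f" 2>&1); then
            loc=$(printf '%s\n' "$out" | error_location)
            printf 'FAIL %s\n' "${loc:-$f}"
            failed=1
        fi
    done
    return "$failed"
}

# show_context FILE LINE: print the reported line and two lines either side.
show_context() {
    awk -v n="$2" 'NR >= n - 2 && NR <= n + 2 {
        printf "%s%4d  %s\n", (NR == n ? ">" : " "), NR, $0
    }' "$1"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_profiles "$PROFILE_DIR"
fi
```

Run it with `--check` to list failing profiles as `FAIL path:line`; `show_context` on that path and line number then prints the line the parser rejected.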
