aa-logprof crashes when answering questions

Bug #1670901 reported by Michael Wardrop
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

AttributeError
Python 3.5.2: /usr/bin/python3
Fri Mar 3 02:11:06 2017

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

 /usr/sbin/aa-logprof in <module>()
   42
   43 if profiledir:
   44 apparmor.profile_dir = apparmor.get_full_path(profiledir)
   45 if not os.path.isdir(apparmor.profile_dir):
   46 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
   47
   48 apparmor.loadincludes()
   49
   50 apparmor.do_logprof_pass(logmark)
   51
apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''

 /usr/lib/python3/dist-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, pid=30617)
 2197 for pid in sorted(profile_changes.keys()):
 2198 set_process(pid, profile_changes[pid])
 2199
 2200 collapse_log()
 2201
 2202 ask_the_questions()
 2203
 2204 if aaui.UI_mode == 'yast':
 2205 # To-Do
 2206 pass
global ask_the_questions = <function ask_the_questions>

 /usr/lib/python3/dist-packages/apparmor/aa.py in ask_the_questions()
 1688 aaui.UI_Info(_('Adding %s to profile.') % selection)
 1689 if deleted:
 1690 aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
 1691
 1692 else:
 1693 aa[profile][hat][ruletype].add(rule_obj)
 1694
 1695 aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
 1696
 1697 elif ans == 'CMD_DENY':
global aa = defaultdict(<function hasher at 0x7f662dd07048>,...ct(<function hasher at 0x7f662dd07048>, {})})})})
profile = '/bin/su'
hat = 'DEFAULT'
ruletype = 'ptrace'
].add undefined
rule_obj = <PtraceRule> ptrace trace peer=unconfined,
AttributeError: 'collections.defaultdict' object has no attribute 'add'

The above is a description of an error in a Python program. Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2202, in do_logprof_pass
    ask_the_questions()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1693, in ask_the_questions
    aa[profile][hat][ruletype].add(rule_obj)
AttributeError: 'collections.defaultdict' object has no attribute 'add'

Tags: aa-tools
Christian Boltz (cboltz) wrote :

Looks like the "default" hat in your /bin/su profile was not initialized.

Can you please attach this profile and your /var/log/audit/audit.log (or whatever logfile aa-logprof reads, it's mentioned in the first lines aa-logprof prints)?

Also, which AppArmor version do you use?
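
Added example (not AppArmor's code and not part of the comment above): a minimal reproduction of the failure mode in the traceback, where indexing an uninitialized hat in an auto-vivifying tree yields an empty `defaultdict` instead of a rule container. `hasher` is re-implemented here on the assumption that it returns a nested `defaultdict`; `RuleSet`, `init_hat`, `add_unchecked` and `add_checked` are hypothetical names.

```python
from collections import defaultdict

def hasher():
    # Assumed behaviour of the 'hasher' factory seen in the traceback.
    return defaultdict(hasher)

class RuleSet:
    # Hypothetical stand-in for a per-ruletype rule container.
    def __init__(self):
        self.rules = []
    def add(self, rule):
        self.rules.append(rule)

def init_hat(aa, profile, hat):
    # The "initialized" state: one RuleSet per rule type (constructed subset).
    for ruletype in ("capability", "ptrace", "signal"):
        aa[profile][hat][ruletype] = RuleSet()

def add_unchecked(aa, profile, hat, ruletype, rule):
    # Same shape as the failing line: missing keys become empty defaultdicts.
    aa[profile][hat][ruletype].add(rule)

def add_checked(aa, profile, hat, ruletype, rule):
    # Membership tests and .get() do not auto-vivify.
    if profile not in aa or hat not in aa[profile]:
        raise KeyError("hat %s//%s was never initialized" % (profile, hat))
    ruleset = aa[profile][hat].get(ruletype)
    if not isinstance(ruleset, RuleSet):
        raise TypeError("no rule set for %r in %s//%s" % (ruletype, profile, hat))
    ruleset.add(rule)

def demo():
    rule = "ptrace trace peer=unconfined,"  # rule text from the report
    aa = hasher()
    init_hat(aa, "/bin/su", "/bin/su")      # main profile only, no DEFAULT hat
    try:
        add_unchecked(aa, "/bin/su", "DEFAULT", "ptrace", rule)
    except AttributeError as exc:
        message = str(exc)
    polluted = "DEFAULT" in aa["/bin/su"]   # failed access left a bogus hat behind
    fresh = hasher()
    init_hat(fresh, "/bin/su", "/bin/su")
    try:
        add_checked(fresh, "/bin/su", "DEFAULT", "ptrace", rule)
    except KeyError as exc:
        checked_error = type(exc).__name__
    init_hat(fresh, "/bin/su", "DEFAULT")
    add_checked(fresh, "/bin/su", "DEFAULT", "ptrace", rule)
    return message, polluted, checked_error, fresh["/bin/su"]["DEFAULT"]["ptrace"].rules
```

Besides raising the `AttributeError`, the unchecked access also inserts an empty `DEFAULT` entry into the tree, so later membership checks would wrongly report the hat as present.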

Michael Wardrop (mdwardrop) wrote :

Unfortunately the instance with the original log and profile has been terminated.
I think that I have reproduced the bug.

AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

Syslog:
Mar 10 00:39:57 ubuntu kernel: [ 51.010399] audit: type=1400 audit(1489106395.892:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/ubuntu-core-launcher" pid=915 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.272054] audit: type=1400 audit(1489106396.152:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ntpd" pid=918 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.321784] audit: type=1400 audit(1489106396.204:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=916 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.322484] audit: type=1400 audit(1489106396.204:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=916 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.323131] audit: type=1400 audit(1489106396.204:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=916 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.323753] audit: type=1400 audit(1489106396.204:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=916 comm="apparmor_parser"
Mar 10 00:39:57 ubuntu kernel: [ 51.476850] audit: type=1400 audit(1489106396.360:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=922 comm="apparmor_parser"
Mar 10 00:40:11 ubuntu kernel: [ 66.145691] audit: type=1400 audit(1489106411.206:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=3647 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.061095] audit: type=1400 audit(1489107968.123:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="confined_user" pid=7416 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.061940] audit: type=1400 audit(1489107968.123:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="default_user" pid=7416 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.492384] audit: type=1400 audit(1489107968.555:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su" pid=7417 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.493298] audit: type=1400 audit(1489107968.555:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//DEFAULT" pid=7417 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.494189] audit: type=1400 audit(1489107968.555:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//root" pid=7417 comm="apparmor_parser"
Mar 10 01:06:08 ubuntu kernel: [ 1623.495047] audit: type=1400 audit(1489107968.555:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//tester" pid=7417 comm="apparmor...

Christian Boltz (cboltz) wrote :

Hmm, that's half an answer ;-)

The profile you pasted (BTW: file name/location?) defines several hats, but you didn't paste the /bin/su profile itself. Can you please add that?
If in doubt and none of your profiles has something you want to keep secret, please attach a tarball of /etc/apparmor.d/ (or mail it to me if you prefer not to have it on launchpad)

Christian Boltz (cboltz)
tags: added: aa-tools