Bug #1850013 “aa-logprof error after starting” : Bugs : AppArmor

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#1

I followed the steps here, they worked initially but when I ran the command above I got those error.

https://tutorials.ubuntu.com/tutorial/beginning-apparmor-profile-development#0

I am using Ubuntu 18.04

Revision history for this message

Christian Boltz (cboltz) wrote on 2019-10-27:

#2

Which AppArmor version do you use?

The error message should have included a hint about a /tmp/apparmor-bugreport-<random>.txt file - can you attach this file, please?

tags:

added: aa-tools

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#3

I just look through those files they are all empty.

I disabled that apparmor profile, like this

sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

If you can tell me how to re-enable this profile correctly, I try to see if the error still exists? and get you those log file hopefully with something inside.

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#4

apparmor-bugreport-85r2z0rd.txt Edit (28.7 KiB, text/plain)

Download full text (28.8 KiB)

I just notice those files were saved as root:

error
Python 3.6.8: /usr/bin/python3
Sat Oct 26 23:08:04 2019

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/sbin/aa-logprof in <module>()
   48
   49 if profiledir:
   50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
   51 if not os.path.isdir(apparmor.profile_dir):
   52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
   53
   54 apparmor.loadincludes()
   55
   56 apparmor.do_logprof_pass(logmark)
   57
apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''

/usr/lib/python3/dist-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={2701: [[2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING'...

I just notice those files were saved as root:

error
Python 3.6.8: /usr/bin/python3
Sat Oct 26 23:08:04 2019

A problem occurred in a Python script.  Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/sbin/aa-logprof in <module>()
   48 
   49 if profiledir:
   50     apparmor.profile_dir = apparmor.get_full_path(profiledir)
   51     if not os.path.isdir(apparmor.profile_dir):
   52         raise apparmor.AppArmorException("%s is not a directory."%profiledir)
   53 
   54 apparmor.loadincludes()
   55 
   56 apparmor.do_logprof_pass(logmark)
   57 
apparmor = <module 'apparmor.aa' from '/usr/lib/python3/dist-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''

/usr/lib/python3/dist-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={2701: [[2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [2701, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}']], 2762: [[2762, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2762/uid_map', ''], [2762, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2762/setgroups', ''], [2762, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2762/gid_map', ''], [2762, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2762, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], 2826: [[2826, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2826/uid_map', ''], [2826, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2826/setgroups', ''], [2826, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2826/gid_map', ''], [2826, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2826, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], 2903: [[2903, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2903/uid_map', ''], [2903, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2903/setgroups', ''], [2903, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2903/gid_map', ''], [2903, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2903, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], 2957: [[2957, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2957/uid_map', ''], [2957, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2957/setgroups', ''], [2957, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/2957/gid_map', ''], [2957, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [2957, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], 3024: [[3024, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/3024/uid_map', ''], [3024, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/3024/setgroups', ''], [3024, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/3024/gid_map', ''], [3024, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [3024, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], 3568: [[3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/opt/local/lib/libassuan.so.0.8.3', ''], [3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::m', '::r', 'm', 'r'}, '/opt/local/lib/libassuan.so.0.8.3', ''], [3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::m', '::r', 'm', 'r'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [3568, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::m', '::r', 'm', 'r'}, '/opt/local/lib/libgcrypt.so.20.2.4', '']], 3589: [[3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/drirc.d/00-mesa-defaults.conf', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/drirc.d/00-mesa-defaults.conf', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/drirc.d/00-mesa-defaults.conf', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/drirc.d/00-mesa-defaults.conf', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/drirc.d/00-mesa-defaults.conf', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'::r', 'r'}, '/usr/share/libdrm/amdgpu.ids', ''], [3589, 'libreoffice-soffice', 'libreoffice-soffice', 'HINT', 'PERMITTING', {'a', 'r', 'w'}, '/home/yadav/.cache/mesa_shader_cache/index', '']], 3672: [[3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', ''], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::r', 'r'}, '/var/lib/flatpak/app/org.gimp.GIMP/x86_64/stable...f/export/share/applications/org.gimp.GIMP.desktop', ''], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'k'}, '/home/yadav/.mozilla/firefox/6pnaui5n.default-release/mediacapabilities/lock.mdb', ''], [3672, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', 'trace', '/usr/lib/firefox/firefox{,*[^s][^h]}'], ...], 4074: [[4074, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/4074/uid_map', ''], [4074, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/4074/setgroups', ''], [4074, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'a', 'w'}, '/proc/4074/gid_map', ''], [4074, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgcrypt.so.20.2.4', ''], [4074, '/usr/lib/firefox/firefox{,*[^s][^h]}', '/usr/lib/firefox/firefox{,*[^s][^h]}', 'HINT', 'PERMITTING', {'::m', 'm'}, '/opt/local/lib/libgpg-error.so.0.24.3', '']], ...})
 1814         #log[root] = handle_children('', '', log[root])
 1815     #print(log)
 1816     for pid in sorted(profile_changes.keys()):
 1817         set_process(pid, profile_changes[pid])
 1818 
 1819     log_dict = collapse_log()
 1820 
 1821     ask_the_questions(log_dict)
 1822 
 1823     finishing = False
log_dict undefined
global collapse_log = <function collapse_log>

/usr/lib/python3/dist-packages/apparmor/aa.py in collapse_log()
 2006 
 2007                 ptrace = prelog[aamode][profile][hat]['ptrace']
 2008                 for peer in ptrace.keys():
 2009                     for access in ptrace[peer].keys():
 2010                         ptrace_event = PtraceRule(access, peer, log_event=True)
 2011                         if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
 2012                             log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
 2013 
 2014                 sig = prelog[aamode][profile][hat]['signal']
 2015                 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7f53c27198c8>,...rage.ProfileStorage object at 0x7f53c0b9cba8>})})
profile = '/usr/lib/firefox/firefox{,*[^s][^h]}'
hat = '/usr/lib/firefox/firefox{,*[^s][^h]}'
ptrace_event = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

/usr/lib/python3/dist-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},)
 3366     original_aa[profile] = deepcopy(aa[profile])
 3367 
 3368 def is_known_rule(profile, rule_type, rule_obj):
 3369     # XXX get rid of get() checks after we have a proper function to initialize a profile
 3370     if profile.get(rule_type, False):
 3371         if profile[rule_type].is_covered(rule_obj, False):
 3372             return True
 3373 
 3374     includelist = list(profile['include'].keys())
 3375     checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

/usr/lib/python3/dist-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
  ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
</PtraceRuleset>, rule=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, check_allow_deny=False, check_audit=False)
  413 
  414     def is_covered(self, rule, check_allow_deny=True, check_audit=False):
  415         '''return True if rule is covered by existing rules, otherwise False'''
  416 
  417         for r in self.rules:
  418             if r.is_covered(rule, check_allow_deny, check_audit):
  419                 return True
  420 
  421         return False
  422 
r = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule...eer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},>
rule = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
check_allow_deny = False
check_audit = False

/usr/lib/python3/dist-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, other_rule=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, check_allow_deny=False, check_audit=False)
  153 
  154         if other_rule.audit and not self.audit:
  155             return False
  156 
  157         # still here? -> then the common part is covered, check rule-specific things now
  158         return self.is_covered_localvars(other_rule)
  159 
  160     # @abstractmethod  FIXME - uncomment when python3 only
  161     def is_covered_localvars(self, other_rule):
  162         '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...eer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},>
other_rule = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

/usr/lib/python3/dist-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, other_rule=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},)
  136         '''check if other_rule is covered by this rule object'''
  137 
  138         if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
  139             return False
  140 
  141         if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
  142             return False
  143 
  144         # still here? -> then it is covered
  145         return True
self = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...eer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},>
self.peer = AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
self.all_peers = False
other_rule = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
other_rule.peer = AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
other_rule.all_peers = False

/usr/lib/python3/dist-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, self_value=AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'), self_all=False, other_value=r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}', other_all=False, cond_name='peer')
  197            Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
  198         '''
  199         if type(other_value) == AARE:
  200            other_value = other_value.regex
  201 
  202         return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
  203 
  204     def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
  205         '''check if other_* is covered by self_* - for AARE'''
  206 
self = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <Ptra...eer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},>
self_value = AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
self_all = False
other_value = r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'
other_all = False
cond_name = 'peer'

/usr/lib/python3/dist-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},, self_value=AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'), self_all=False, other_value=r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}', other_all=False, cond_name='peer')
  208             raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
  209 
  210         if not self_all:
  211             if other_all:
  212                 return False
  213             if not self_value.match(other_value):
  214                 return False
  215 
  216         # still here? -> then it is covered
  217         return True
self_value = AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
self_value.match = <bound method AARE.match of AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')>
other_value = r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'

/usr/lib/python3/dist-packages/apparmor/aare.py in match(self=AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'), expression=r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
   70                 return self.is_equal(expression)  # better safe than sorry
   71         elif not type_is_str(expression):
   72             raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
   73 
   74         if self._regex_compiled is None:
   75             self._regex_compiled = re.compile(convert_regexp(self.regex))
   76 
   77         return bool(self._regex_compiled.match(expression))
   78 
   79     def is_equal(self, expression):
self = AARE('/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}')
self._regex_compiled = None
global re = <module 're' from '/usr/lib/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}'

/usr/lib/python3.6/re.py in compile(pattern='^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$', flags=0)
  228     Empty matches are included in the result."""
  229     return _compile(pattern, flags).finditer(string)
  230 
  231 def compile(pattern, flags=0):
  232     "Compile a regular expression pattern, returning a pattern object."
  233     return _compile(pattern, flags)
  234 
  235 def purge():
  236     "Clear the regular expression caches"
  237     _cache.clear()
global _compile = <function _compile>
pattern = '^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$'
flags = 0

/usr/lib/python3.6/re.py in _compile(pattern='^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$', flags=0)
  296             raise ValueError(
  297                 "cannot process flags argument with a compiled pattern")
  298         return pattern
  299     if not sre_compile.isstring(pattern):
  300         raise TypeError("first argument must be string or compiled pattern")
  301     p = sre_compile.compile(pattern, flags)
  302     if not (flags & DEBUG):
  303         if len(_cache) >= _MAXCACHE:
  304             _cache.clear()
  305         if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$'
flags = 0

/usr/lib/python3.6/sre_compile.py in compile(p='^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$', flags=0)
  557 def compile(p, flags=0):
  558     # internal: convert pattern list to internal format
  559 
  560     if isstring(p):
  561         pattern = p
  562         p = sre_parse.parse(p, flags)
  563     else:
  564         pattern = None
  565 
  566     code = _code(p, flags)
p = '^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$'
global sre_parse = <module 'sre_parse' from '/usr/lib/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0

/usr/lib/python3.6/sre_parse.py in parse(str='^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$', flags=0, pattern=<sre_parse.Pattern object>)
  864 
  865     p.pattern.flags = fix_flags(str, p.pattern.flags)
  866 
  867     if source.next is not None:
  868         assert source.next == ")"
  869         raise source.error("unbalanced parenthesis")
  870 
  871     if flags & SRE_FLAG_DEBUG:
  872         p.dump()
  873 
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 59
    __cause__ = None
    __class__ = <class 'sre_constants.error'>
    __context__ = None
    __delattr__ = <method-wrapper '__delattr__' of error object>
    __dict__ = {'colno': 60, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$', 'pos': 59}
    __dir__ = <built-in method __dir__ of error object>
    __doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n    '
    __eq__ = <method-wrapper '__eq__' of error object>
    __format__ = <built-in method __format__ of error object>
    __ge__ = <method-wrapper '__ge__' of error object>
    __getattribute__ = <method-wrapper '__getattribute__' of error object>
    __gt__ = <method-wrapper '__gt__' of error object>
    __hash__ = <method-wrapper '__hash__' of error object>
    __init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 59',)>
    __init_subclass__ = <built-in method __init_subclass__ of type object>
    __le__ = <method-wrapper '__le__' of error object>
    __lt__ = <method-wrapper '__lt__' of error object>
    __module__ = 'sre_constants'
    __ne__ = <method-wrapper '__ne__' of error object>
    __new__ = <built-in method __new__ of type object>
    __reduce__ = <built-in method __reduce__ of error object>
    __reduce_ex__ = <built-in method __reduce_ex__ of error object>
    __repr__ = <method-wrapper '__repr__' of error object>
    __setattr__ = <method-wrapper '__setattr__' of error object>
    __setstate__ = <built-in method __setstate__ of error object>
    __sizeof__ = <built-in method __sizeof__ of error object>
    __str__ = <method-wrapper '__str__' of error object>
    __subclasshook__ = <built-in method __subclasshook__ of type object>
    __suppress_context__ = False
    __traceback__ = <traceback object>
    __weakref__ = None
    args = ('unbalanced parenthesis at position 59',)
    colno = 60
    lineno = 1
    msg = 'unbalanced parenthesis'
    pattern = '^/usr/lib/firefox/firefox\$|\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))\\[^s\\]\\[^h\\]\$$'
    pos = 59
    with_traceback = <built-in method with_traceback of error object>

The above is a description of an error in a Python program.  Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 56, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1819, in do_logprof_pass
    log_dict = collapse_log()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2011, in collapse_log
    if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3371, in is_known_rule
    if profile[rule_type].is_covered(rule_obj, False):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 418, in is_covered
    if r.is_covered(rule, check_allow_deny, check_audit):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 158, in is_covered
    return self.is_covered_localvars(other_rule)
  File "/usr/lib/python3/dist-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
    if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
    return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
  File "/usr/lib/python3/dist-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
    if not self_value.match(other_value):
  File "/usr/lib/python3/dist-packages/apparmor/aare.py", line 75, in match
    self._regex_compiled = re.compile(convert_regexp(self.regex))
  File "/usr/lib/python3.6/re.py", line 233, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.6/re.py", line 301, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.6/sre_compile.py", line 562, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.6/sre_parse.py", line 869, in parse
    raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 59

Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#5

apparmor-bugreport-85r2z0rd.txt Edit (28.7 KiB, text/plain)

Trying to attached again!

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#6

apparmor-bugreport-dspxy0le.txt Edit (28.7 KiB, text/plain)

2nd attachment

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#7

apparmor-bugreport-ky9kneoe.txt Edit (28.7 KiB, text/plain)

3rd attachment

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-27:

#8

apparmor-bugreport-qprfnn42.txt Edit (28.7 KiB, text/plain)

final attachment

Revision history for this message

Christian Boltz (cboltz) wrote on 2019-10-27:

#9

Thanks, the logs are helpful :-)

The problem is probably best described with this line from the log:

ptrace_event = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

which means something tries to trace firefox, and the firefox profile name explodes when trying to convert it to a regex (needed to check if an additional rule is necessary or if it's already covered by the existing rules).

I have a feeling (confirmed by a quick test with a made-up log line) that this is already fixed in the latest upstream code, but to be really sure, I'll need the original log line.

Can you please run the following and attach the result?

grep firefox /var/log/syslog | grep trace

(I hope I got the logfile name right because I use openSUSE, not Ubuntu ;-) If you have auditd running, please also check /var/log/audit/audit.log. Also, aa-logprof will display the used logfile on startup.)

You should see something like

type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"

To answer your question from comment #3:
> I disabled that apparmor profile, like this
>
> sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
> sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

That was mostly correct, except that you should run apparmor_parser -R first (when the disable symlink exists, apparmor_parser might skip unloading the profile).

You could also simply use aa-disable /etc/apparmor.d/usr.bin.certspotter
which unloads the profile and creates the disable symlink.

> If you can tell me how to re-enable this profile correctly, I try to see if the error
> still exists? and get you those log file hopefully with something inside.

Use one of these:

aa-enforce /etc/apparmor.d/usr.bin.certspotter # enable profile in enforce mode

aa-complain /etc/apparmor.d/usr.bin.certspotter # enable profile in complain mode

Both will delete the disable symlink and load the profile into the kernel.

Thanks, the logs are helpful :-)

The problem is probably best described with this line from the log:

ptrace_event = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

which means something tries to trace firefox, and the firefox profile name explodes when trying to convert it to a regex (needed to check if an additional rule is necessary or if it's already covered by the existing rules).

I have a feeling (confirmed by a quick test with a made-up log line) that this is already fixed in the latest upstream code, but to be really sure, I'll need the original log line.

Can you please run the following and attach the result?

grep firefox /var/log/syslog | grep trace

(I hope I got the logfile name right because I use openSUSE, not Ubuntu ;-) If you have auditd running, please also check /var/log/audit/audit.log. Also, aa-logprof will display the used logfile on startup.)

You should see something like

type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"

To answer your question from comment #3:
> I disabled that apparmor profile, like this
> 
> sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
> sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

That was mostly correct, except that you should run apparmor_parser -R first (when the disable symlink exists, apparmor_parser might skip unloading the profile).

You could also simply use   aa-disable /etc/apparmor.d/usr.bin.certspotter
which unloads the profile and creates the disable symlink.

> If you can tell me how to re-enable this profile correctly, I try to see if the error 
> still exists? and get you those log file hopefully with something inside.

Use one of these:

aa-enforce /etc/apparmor.d/usr.bin.certspotter   # enable profile in enforce mode

aa-complain /etc/apparmor.d/usr.bin.certspotter  # enable profile in complain mode

Both will delete the disable symlink and load the profile into the kernel.

Revision history for this message

Rajinder Yadav (rajinder-yadav) wrote on 2019-10-28:

#10

Glad the logs were helpful!

The log path you gave me is correct but no ptrace message there. However when those popup alerts were going off, I notice AppArmor was preventing firefox from writing to the log file.

There is no auditd log so I don't think I have it running.

Thanks for those helpful tips on using aa :-D, I will wait for the updates. I believe I just needed an aa profile so I could install and use KVM.

Revision history for this message

Christian Boltz (cboltz) wrote on 2019-10-28:

#11

If you don't have an audit.log, check your normal syslog - AFAIK you'll find it as /var/log/syslog
Seeing the log messages would be helpful to confirm that this bug is really fixed in the latest upstream code, and might also help to convince the Ubuntu maintainers to release an update (these updates are not my job, therefore no promises on this ;-)

Revision history for this message

Zero (zerosan) wrote on 2020-01-12:

#12

apparmor-bugreport-_4rgh9_k.txt Edit (17.7 KiB, text/plain)

This problem is also affecting me as of 01/12/2020 on Ubuntu 18.04. I have attached the generated bug report in case it helps at all.

Revision history for this message

Zero (zerosan) wrote on 2020-01-12:

#13

trace.txt Edit (17.7 KiB, text/plain)

I forgot to include this in my first post, but I have attached the output of "grep firefox /var/log/syslog | grep trace" to this post in case this information is still needed.

AppArmor

aa-logprof error after starting

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches