Comment 9 for bug 1850013

Christian Boltz (cboltz) wrote :

Thanks, the logs are helpful :-)

The problem is probably best described with this line from the log:

ptrace_event = <PtraceRule> ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

which means something tries to trace firefox, and the firefox profile name explodes when trying to convert it to a regex (needed to check if an additional rule is necessary or if it's already covered by the existing rules).

I have a feeling (confirmed by a quick test with a made-up log line) that this is already fixed in the latest upstream code, but to be really sure, I'll need the original log line.

Can you please run the following and attach the result?

    grep firefox /var/log/syslog | grep trace

(I hope I got the logfile name right because I use openSUSE, not Ubuntu ;-) If you have auditd running, please also check /var/log/audit/audit.log. Also, aa-logprof will display the used logfile on startup.)

You should see something like

type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"

To answer your question from comment #3:
> I disabled that apparmor profile, like this
>
> sudo ln -s /etc/apparmor.d/usr.bin.certspotter /etc/apparmor.d/disable/
> sudo apparmor_parser -R /etc/apparmor.d/usr.bin.certspotter

That was mostly correct, except that you should run apparmor_parser -R first (when the disable symlink exists, apparmor_parser might skip unloading the profile).

You could also simply use aa-disable /etc/apparmor.d/usr.bin.certspotter
which unloads the profile and creates the disable symlink.

> If you can tell me how to re-enable this profile correctly, I'll try to see if the error
> still exists, and get you those log files, hopefully with something inside.

Use one of these:

aa-enforce /etc/apparmor.d/usr.bin.certspotter # enable profile in enforce mode

aa-complain /etc/apparmor.d/usr.bin.certspotter # enable profile in complain mode

Both will delete the disable symlink and load the profile into the kernel.
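The comment above describes aa-logprof turning a profile name such as `/usr/lib/firefox/firefox{,*[^s][^h]}` into a regex so it can decide whether a logged ptrace peer is already covered by an existing rule. The following is an added example, written for this page and not AppArmor's own converter or any code from the bug: a small glob-to-regex translator for AppArmor-style path patterns, a parser for the `key="value"` fields of an audit line, and a coverage check that compares profile names literally before falling back to the glob. The sample audit line is constructed after the one quoted in the comment; all function names (`parse_audit_line`, `glob_to_regex`, `glob_matches`, `peer_covered`) are hypothetical.

```python
import re

# Constructed sample audit line, modelled on the one quoted in the comment
# (same fields, same glob in the peer name). Not a real captured event.
SAMPLE_LINE = (
    'type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" '
    'operation="ptrace" profile="/what/ever" pid=22465 comm="ptrace" '
    'requested_mask="trace" denied_mask="trace" '
    'peer="/usr/lib/firefox/firefox{,*[^s][^h]}"'
)


def parse_audit_line(line):
    """Return the key="value" fields of an AppArmor audit line as a dict.

    Unquoted fields (type=, msg=, pid=) are deliberately left out; the
    quoted ones are what a log analyser needs for rule matching.
    """
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored Python regex.

    Handled: '*' (within one path component), '**' (across '/'), '?',
    '{a,b}' alternation (nesting allowed), '[...]' character classes and
    backslash escapes, which make the next character literal. Hypothetical
    reimplementation for illustration, not AppArmor's own converter.
    """
    out = ['^']
    depth = 0            # current nesting depth of {...} groups
    i, n = 0, len(glob)
    while i < n:
        c = glob[i]
        if c == '\\' and i + 1 < n:          # escaped character is literal
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif c == '*':
            if i + 1 < n and glob[i + 1] == '*':
                out.append('.*')             # '**' may cross directories
                i += 2
            else:
                out.append('[^/]*')          # '*' stays inside one component
                i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        elif c == '{':
            out.append('(?:')
            depth += 1
            i += 1
        elif c == '}' and depth > 0:
            out.append(')')
            depth -= 1
            i += 1
        elif c == ',' and depth > 0:         # comma only separates inside {}
            out.append('|')
            i += 1
        elif c == '[':
            j = glob.find(']', i + 1)
            if j == -1:                      # unbalanced '[': treat literally
                out.append(re.escape(c))
                i += 1
            else:
                out.append(glob[i:j + 1])    # character class passes through
                i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    if depth != 0:
        raise ValueError('unbalanced braces in glob: %r' % glob)
    out.append('$')
    return ''.join(out)


def glob_matches(glob, path):
    """True if the AppArmor glob matches the whole path."""
    return re.fullmatch(glob_to_regex(glob), path) is not None


def peer_covered(rule_peer, log_peer):
    """Decide whether a logged ptrace peer is already covered by a rule.

    Profile names are compared literally first, so a peer that is itself a
    globbed profile name never needs to be escaped and re-parsed; only when
    the names differ is the rule's glob applied to the logged path.
    """
    if rule_peer == log_peer:
        return True
    return glob_matches(rule_peer, log_peer)


if __name__ == '__main__':
    fields = parse_audit_line(SAMPLE_LINE)
    print(fields['operation'], fields['profile'], '->', fields['peer'])
    print(glob_to_regex(fields['peer']))
    for path in ('/usr/lib/firefox/firefox',
                 '/usr/lib/firefox/firefox-bin',
                 '/usr/lib/firefox/firefox.sh'):
        print(path, glob_matches(fields['peer'], path))
```

Running it shows why the firefox profile name ends in `{,*[^s][^h]}`: the glob covers `firefox` and `firefox-bin` but excludes anything ending in `sh`. It also shows the trap from the log line in the comment: once the name has been backslash-escaped to `\{,\*\[^s\]\[^h\]\}`, the translator treats every metacharacter as literal text, and the result no longer matches the real binary path at all.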