apparmor parser fails due to matchflags not being reset

Bug #1091642 reported by Steve Beattie
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Steve Beattie
Quantal
Fix Released
Undecided
Steve Beattie

Bug Description

The apparmor parser fails when parsing the following policy due to the matchflags in the dfa backend not being reset:

/usr/bin/parent-profile {

  /usr/bin/profile1 Cx -> profile1,
  /usr/bin/profile2 Cx -> profile2,
  /usr/bin/profile3 Cx -> profile3,
  /usr/bin/profile4 Cx -> profile4,
  /usr/bin/profile5 Cx -> profile5,
  /usr/bin/profile6 Cx -> profile6,

  profile profile1 {
  }
  profile profile2 {
  }
  profile profile3 {
  }
  profile profile4 {
    /usr/bin/apt-get Ux,
    /usr/bin/dpkg Ux,
  }
  profile profile5 {
  }
  profile profile6 {
  }
}

like so:

  $ apparmor_parser -Q x-conflict2.sd
  profile has merged rule with conflicting x modifiers
  ERROR processing regexs for profile profile4, failed to load

Revision history for this message
Steve Beattie (sbeattie) wrote :

Attached is a debdiff for raring that addresses the issue. Packages built based on this pass the lp:qa-regression-testsuite apparmor test script. Debdiffs for quantal and precise SRU will follow.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "apparmor_2.8.0-0ubuntu8.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Steve Beattie (sbeattie) wrote :

And here is the quantal debdiff, which also passes the lp:qa-regression-testing apparmor script.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu9

---------------
apparmor (2.8.0-0ubuntu9) raring; urgency=low

  * debian/control: make libnotify-bin a Suggests rather than a Recommends
    since it is assumed to already be installed on the desktop and so server
    environments don't have to pull in a lot of X dependencies (LP: #1061879)

apparmor (2.8.0-0ubuntu8) raring; urgency=low

  [ Steve Beattie ]
  * 0024-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating the
    problem (LP: #1091642)

  [ Jamie Strandboge ]
  * debian/debhelper/postinst-apparmor: quote all occurences of #PROFILE#.
 -- Jamie Strandboge <email address hidden> Tue, 18 Dec 2012 10:47:50 -0600

Changed in apparmor (Ubuntu):
status: New → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I uploaded Steve's quantal debdiff to quantal-proposed and also fixed bug #1091862 in that upload.

Changed in apparmor (Ubuntu Quantal):
assignee: nobody → Steve Beattie (sbeattie)
status: New → In Progress
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Steve, now that this is fixed in raring, can you prepare the SRU application then subscribe ubuntu-sru?

Revision history for this message
Colin Watson (cjwatson) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted apparmor into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.8.0-0ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Dave Walker (davewalker) wrote :

Hello Steve, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Precise):
status: Triaged → Fix Committed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Confirmed that this is fixed with apparmor in precise-proposed.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-precise verification-needed
removed: verification-done
Revision history for this message
Sebastien Bacher (seb128) wrote :

verified that the update fix the issue on the example (on quantal)

tags: added: verification-done-quantal
removed: verification-needed
Revision history for this message
Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu5.1

---------------
apparmor (2.8.0-0ubuntu5.1) quantal-proposed; urgency=low

  [ Steve Beattie ]
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating the
    problem (LP: #1091642)

  [ Jamie Strandboge ]
  * debian/patches/0001-add-chromium-browser.patch: add accesses for chromium
    23 (LP: #1091862)
  * debian/patches/0024-fix-racy-onexec-test.patch: fix race in onexec.sh
    kernel regression test
 -- Steve Beattie <email address hidden> Tue, 18 Dec 2012 05:42:58 -0800

Changed in apparmor (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

apparmor 2.7.102-0ubuntu3.8 has been superceded by apparmor 2.7.102-0ubuntu3.9 in -proposed and needs new verification.

tags: added: verification-needed-precise
removed: verification-done-precise
tags: added: verification-done-precise
removed: verification-needed-precise
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8

---------------
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
    rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating
    the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
    within ubuntu-integration (LP: #987578)
 -- Steve Beattie <email address hidden> Thu, 24 Jan 2013 11:40:48 -0800

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.