Comment 7 for bug 1319829

Christian Boltz (cboltz) wrote :

Interesting news - I'm able to reproduce this now. The trick is to create a new profile:

rm /etc/apparmor.d/usr.bin.true
aa-genprof true
press "s"

I added the print command I proposed, and it fails at the newly created profile - print output:
    /etc/apparmor.d/usr.bin.true /usr/bin/true /usr/bin/true

The autodep code fills "filename" with a wrong structure with a level missing.
For comparison, see the (heavily formatted) output of print(filelist):

'/etc/apparmor.d/usr.bin.true': defaultdict (
    <function hasher at 0x7f32630b8d08>, {'profiles': defaultdict (
        <function hasher at 0x7f32630b8d08>, {'/usr/bin/true': True}
    ), 'include': defaultdict (
        <function hasher at 0x7f32630b8d08>, {'tunables/global': True}
    )}
),

'/etc/apparmor.d/usr.lib.dovecot.dict': defaultdict (
    <function hasher at 0x7f32630b8d08>, {'profiles': defaultdict (
        <function hasher at 0x7f32630b8d08>, {'/usr/lib/dovecot/dict': defaultdict (
            <function hasher at 0x7f32630b8d08>, {'/usr/lib/dovecot/dict': True}
        )}
    ), 'include': defaultdict (
        <function hasher at 0x7f32630b8d08>, {'tunables/global': True}
    )}
),

(we really need to document the internal structure of our more interesting[tm] variables ;-)

Now that we know what is wrong, fixing it (in aa.py / autodep) is easy - even at 3 am ;-)

Can you please test the following patch?

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-04-26 11:05:55 +0000
+++ utils/apparmor/aa.py 2014-05-19 00:51:04 +0000
@@ -583,7 +583,8 @@
         if not filelist.get(file, False):
             filelist[file] = hasher()
         filelist[file]['include']['tunables/global'] = True
- filelist[file]['profiles'][pname] = True
+ filelist[file]['profiles'][pname] = hasher()
+ filelist[file]['profiles'][pname][pname] = True
     write_profile_ui_feedback(pname)

 def get_profile_flags(filename, program):
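
Review bot: the added line filelist[file]['profiles'][pname] = hasher() unconditionally replaces whatever is already stored under that profile name, and on a freshly created entry it looks redundant, because the context line filelist[file]['include']['tunables/global'] = True already relies on hasher() creating intermediate levels on access. If the reset is intended (for example to clear a stale non-dict value), say so in a comment; otherwise the second added line alone would do. A one-line comment here describing the expected file -> 'profiles' -> profile name -> profile name layout would also help, since nothing in the hunk documents it.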

Funnily I added the line to blame myself - but without it, autodep was even more buggy ;-) (bzr log -r2396 if you are interested in details)
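
An added example, not part of the original comment or of the AppArmor code: a small check that walks a filelist-shaped structure and reports profile entries with the level missing, run on constructed data mirroring the two printed entries. Modelling hasher() as a self-nesting defaultdict is an assumption based on the print output; find_flat_profiles and build_sample are hypothetical names.

```python
from collections import defaultdict


def hasher():
    # Assumption: stand-in for the hasher() seen in the print output,
    # modelled as a defaultdict that creates nested levels on access.
    return defaultdict(hasher)


def find_flat_profiles(filelist):
    """Return (file, profile) pairs whose 'profiles' entry is a bare value
    instead of a nested mapping, i.e. entries with a level missing."""
    flat = []
    for file in sorted(filelist):
        profiles = filelist[file]['profiles']
        for pname in sorted(profiles):
            if not isinstance(profiles[pname], dict):
                flat.append((file, pname))
    return flat


def build_sample(fixed):
    # Constructed sample data mirroring the two entries in the print output.
    filelist = hasher()
    dovecot = '/etc/apparmor.d/usr.lib.dovecot.dict'
    filelist[dovecot]['include']['tunables/global'] = True
    filelist[dovecot]['profiles']['/usr/lib/dovecot/dict']['/usr/lib/dovecot/dict'] = True

    new = '/etc/apparmor.d/usr.bin.true'
    pname = '/usr/bin/true'
    filelist[new]['include']['tunables/global'] = True
    if fixed:
        # Shape produced by the patched lines.
        filelist[new]['profiles'][pname] = hasher()
        filelist[new]['profiles'][pname][pname] = True
    else:
        # Shape produced before the patch: the inner level is missing.
        filelist[new]['profiles'][pname] = True
    return filelist


if __name__ == '__main__':
    print(find_flat_profiles(build_sample(fixed=False)))
    print(find_flat_profiles(build_sample(fixed=True)))
```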