** Description changed:

- The apparmor_parser now supports 'include' rules in addition to
- '#include', but the python tools only understand '#include'. This
- manifested itself in Ubuntu in bug #1734038 (see
- https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15
- of that bug for details).
+ The apparmor parser supports 'include' and '#include' rules for
+ specifying absolute paths, but the python tools only understand include
+ rules for so called 'magic' '<>' file locations.
+ 
+ Reproducer:
+ 
+ $ mkdir /tmp/test1 /tmp/test2
+ 
+ $ cat /etc/apparmor.d/lp1733700
+ profile lp1733700 {
+ #include "/tmp/test1"
+ include "/tmp/test2"
+ }
+ 
+ $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
+ 
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ 
+ ERROR: Syntax Error: Missing '}' or ','. Reached end of file
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+ 
+ Note that the original description said that changing the rule from
+ 'include' to '#include' fixed the issue when in reality it only allowed
+ the rule to parse as a comment instead of erroring.
+ 
+ = Original description =
  The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
  
  Reproducer:
  
  $ mkdir /tmp/test
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
- include "/tmp/test"
+ include "/tmp/test"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
  
  Changing the 'include' to '#include' results in:
  
- $ sudo aa-enforce /etc/apparmor.d/lp1733700
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.
  
  At least aa-logprof is also affected.
  
  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:
  
- $ aa-enforce usr.bin.chromium-browser
- 
- ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
- include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
+ $ aa-enforce usr.bin.chromium-browser
+ 
+ ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
+ include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.
** Description changed:

  The apparmor parser supports 'include' and '#include' rules for
  specifying absolute paths, but the python tools only understand include
  rules for so called 'magic' '<>' file locations.
  
  Reproducer:
  
  $ mkdir /tmp/test1 /tmp/test2
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
- #include "/tmp/test1"
- include "/tmp/test2"
+ #include "/tmp/test1"
+ include "/tmp/test2"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file
- /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
+ /etc/apparmor.d/lp1733700 while inside profile lp1733700.
  
  Note that the original description said that changing the rule from
  'include' to '#include' fixed the issue when in reality it only allowed
  the rule to parse as a comment instead of erroring.
  
  = Original description =
  The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
  
  Reproducer:
  
  $ mkdir /tmp/test
  
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
  include "/tmp/test"
  }
  
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
  
  Changing the 'include' to '#include' results in:
  
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.
  
  At least aa-logprof is also affected.
  
  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:
  
  $ aa-enforce usr.bin.chromium-browser
  
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  python tools do not understand 'non-magic' include rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
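As an added illustration (not code from the bug report or from the AppArmor project, and not the python tools' real include regex), the following Python models the two include-rule matchers the report contrasts: one that only recognises the 'magic' <...> form, and one that also accepts a quoted absolute path with or without the leading '#'. Run over a constructed profile modelled on the reproducer, it shows why '#include "/tmp/test1"' was silently consumed as a comment while 'include "/tmp/test2"' fell through as an unknown line and produced the syntax error. The names MAGIC_ONLY_RE, INCLUDE_RE, classify_line, find_includes and misparsed_includes, and the abstractions/base and tunables/global lines in the sample, are assumptions of this example.

```python
import re

# Constructed sample profile modelled on the report's reproducer. The
# /tmp/test1 and /tmp/test2 paths are the report's own; the other lines
# are added here for illustration.
SAMPLE_PROFILE = """\
profile lp1733700 {
  #include <abstractions/base>
  #include "/tmp/test1"
  include "/tmp/test2"
  include <tunables/global>
  /etc/ld.so.cache r,
}
"""

# Narrow matcher: only the 'magic' <...> form counts as an include rule.
# This models the behaviour the report describes for the python tools;
# it is not their actual regex (assumption of this example).
MAGIC_ONLY_RE = re.compile(r'^\s*#?include\s*<(?P<magic>[^>]+)>\s*$')

# Wider matcher: the magic form plus a quoted absolute path, with or
# without the leading '#', i.e. both rules apparmor_parser accepted in the
# reproducer. Relative quoted paths are deliberately left out here.
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?:<(?P<magic>[^>]+)>|"(?P<path>/[^"]*)")\s*$')


def classify_line(line, pattern):
    """Classify one profile line the way a line-oriented parser would:
    an include rule if `pattern` matches, otherwise a comment if the line
    starts with '#', otherwise some other rule.

    Returns (kind, target) with kind in {'include', 'comment', 'other'}.
    """
    m = pattern.match(line)
    if m:
        # Exactly one named group can match per alternative.
        target = next(v for v in m.groupdict().values() if v is not None)
        return ('include', target)
    if line.lstrip().startswith('#'):
        return ('comment', None)
    return ('other', None)


def find_includes(profile_text, pattern=INCLUDE_RE):
    """Return the include targets found in `profile_text` using `pattern`."""
    return [target
            for line in profile_text.splitlines()
            for kind, target in [classify_line(line, pattern)]
            if kind == 'include']


def misparsed_includes(profile_text):
    """Include rules the narrow matcher gets wrong: '#include "/path"' is
    swallowed as a comment (the silent failure the report describes) and
    'include "/path"' falls through as an unknown line (the Syntax Error).
    Returns a list of (rule text, what the narrow matcher made of it)."""
    misparsed = []
    for line in profile_text.splitlines():
        wide_kind, _ = classify_line(line, INCLUDE_RE)
        narrow_kind, _ = classify_line(line, MAGIC_ONLY_RE)
        if wide_kind == 'include' and narrow_kind != 'include':
            misparsed.append((line.strip(), narrow_kind))
    return misparsed


if __name__ == '__main__':
    print('magic-only matcher sees:', find_includes(SAMPLE_PROFILE, MAGIC_ONLY_RE))
    print('full matcher sees:      ', find_includes(SAMPLE_PROFILE))
    for rule, fate in misparsed_includes(SAMPLE_PROFILE):
        print(f'{rule!r} is treated as {fate!r} by the magic-only matcher')
```

The practical point for anyone auditing profiles with tooling that predates the fix: a matcher that misses a rule form does not necessarily fail loudly. Because '#include' lines fall through to comment handling, a profile can look clean to the tool while the parser actually loads the included directory, so checks should be run against the same rule grammar apparmor_parser accepts.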