Debdiff of upstream patch ** Patch added: "lp_2078467_noble.debdiff" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2078467/+attachment/5865934/+files/lp_2078467_noble.debdiff
** Summary changed: - aa-enforce /etc/apparmor.d/* - Error + [SRU] App armor crashes on aa-enforce due to "Profile not found" ** Description changed: ***** SRU TEMPLATE AT THE BOTTOM ***** Executing "aa-enforce /etc/apparmor.d/*" does not work on Ubuntu 24.04. There is already an upstream fix (https://gitlab.com/apparmor/apparmor/-/merge_requests/1218/diffs?commit_id=6f9e841e74f04cac78da71fd2e8af3f973af94fc). Suspect more will run into this issue now when the CIS Benchmark for Ubuntu 24.04 was released this week. Description: Ubuntu 24.04.1 LTS Release: 24.04 ----------------------------------- root@ubuntu2404:/etc/apparmor.d# dpkg -l |grep apparmor ii apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 user-space parser utility for AppArmor ii apparmor-profiles 4.0.1really4.0.0-beta3-0ubuntu0.1 all experimental profiles for AppArmor security policies ii apparmor-utils 4.0.1really4.0.0-beta3-0ubuntu0.1 all utilities for controlling AppArmor ii libapparmor1:amd64 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 changehat AppArmor library ii python3-apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 all AppArmor Python3 utility library ii python3-libapparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 AppArmor library Python3 bindings ----------------------------------- ----------------------------------- root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. Traceback (most recent call last): File "/usr/sbin/aa-enforce", line 33, in <module> tool.cmd_enforce() File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce for (program, prof_filename, output_name) in self.get_next_for_modechange(): File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: 'NoneType' object is not callable An unexpected error occurred! 
For details, see /tmp/apparmor-bugreport-yi5o6kwm.txt Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues and attach this file. ------------------------------------- Workaround is to edit /usr/lib/python3/dist-packages/apparmor/tools.py as the upstream fix suggests. - for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): - for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): Then it works: root@ubuntu2404:/etc/apparmor.d# vim /usr/lib/python3/dist-packages/apparmor/tools.py root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. Profile for /etc/apparmor.d/abi not found, skipping Profile for /etc/apparmor.d/abstractions not found, skipping Profile for /etc/apparmor.d/apache2.d not found, skipping Setting /etc/apparmor.d/bin.ping to enforce mode. Setting /etc/apparmor.d/brave to enforce mode. Setting /etc/apparmor.d/buildah to enforce mode. Setting /etc/apparmor.d/busybox to enforce mode. Setting /etc/apparmor.d/cam to enforce mode. Setting /etc/apparmor.d/ch-checkns to enforce mode. Setting /etc/apparmor.d/chrome to enforce mode. Setting /etc/apparmor.d/ch-run to enforce mode. Setting /etc/apparmor.d/code to enforce mode. Setting /etc/apparmor.d/crun to enforce mode. Setting /etc/apparmor.d/devhelp to enforce mode. Profile for /etc/apparmor.d/disable not found, skipping Setting /etc/apparmor.d/Discord to enforce mode. Setting /etc/apparmor.d/element-desktop to enforce mode. Setting /etc/apparmor.d/epiphany to enforce mode. Setting /etc/apparmor.d/evolution to enforce mode. Setting /etc/apparmor.d/firefox to enforce mode. Setting /etc/apparmor.d/flatpak to enforce mode. Profile for /etc/apparmor.d/force-complain not found, skipping Setting /etc/apparmor.d/geary to enforce mode. 
Setting /etc/apparmor.d/github-desktop to enforce mode. Setting /etc/apparmor.d/goldendict to enforce mode. Setting /etc/apparmor.d/ipa_verify to enforce mode. Setting /etc/apparmor.d/kchmviewer to enforce mode. Setting /etc/apparmor.d/keybase to enforce mode. Setting /etc/apparmor.d/lc-compliance to enforce mode. Setting /etc/apparmor.d/libcamerify to enforce mode. Setting /etc/apparmor.d/linux-sandbox to enforce mode. Profile for /etc/apparmor.d/local not found, skipping Setting /etc/apparmor.d/loupe to enforce mode. Setting /etc/apparmor.d/lsb_release to enforce mode. Setting /etc/apparmor.d/lxc-attach to enforce mode. Setting /etc/apparmor.d/lxc-create to enforce mode. Setting /etc/apparmor.d/lxc-destroy to enforce mode. Setting /etc/apparmor.d/lxc-execute to enforce mode. Setting /etc/apparmor.d/lxc-stop to enforce mode. Setting /etc/apparmor.d/lxc-unshare to enforce mode. Setting /etc/apparmor.d/lxc-usernsexec to enforce mode. Setting /etc/apparmor.d/mmdebstrap to enforce mode. Setting /etc/apparmor.d/MongoDB_Compass to enforce mode. Setting /etc/apparmor.d/msedge to enforce mode. Setting /etc/apparmor.d/nautilus to enforce mode. Setting /etc/apparmor.d/notepadqq to enforce mode. Setting /etc/apparmor.d/nvidia_modprobe to enforce mode. Setting /etc/apparmor.d/obsidian to enforce mode. Setting /etc/apparmor.d/opam to enforce mode. Setting /etc/apparmor.d/opera to enforce mode. Setting /etc/apparmor.d/pageedit to enforce mode. Setting /etc/apparmor.d/php-fpm to enforce mode. Setting /etc/apparmor.d/plasmashell to enforce mode. Setting /etc/apparmor.d/podman to enforce mode. Setting /etc/apparmor.d/polypane to enforce mode. Setting /etc/apparmor.d/privacybrowser to enforce mode. Setting /etc/apparmor.d/qcam to enforce mode. Setting /etc/apparmor.d/qmapshack to enforce mode. Setting /etc/apparmor.d/QtWebEngineProcess to enforce mode. Setting /etc/apparmor.d/qutebrowser to enforce mode. Setting /etc/apparmor.d/rootlesskit to enforce mode. 
Setting /etc/apparmor.d/rpm to enforce mode. Setting /etc/apparmor.d/rssguard to enforce mode. Profile for /etc/apparmor.d/rsyslog.d not found, skipping Setting /etc/apparmor.d/runc to enforce mode. Setting /etc/apparmor.d/samba-bgqd to enforce mode. Setting /etc/apparmor.d/samba-dcerpcd to enforce mode. Setting /etc/apparmor.d/samba-rpcd to enforce mode. Setting /etc/apparmor.d/samba-rpcd-classic to enforce mode. Setting /etc/apparmor.d/samba-rpcd-spoolss to enforce mode. Setting /etc/apparmor.d/sbin.klogd to enforce mode. Setting /etc/apparmor.d/sbin.syslogd to enforce mode. Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode. Setting /etc/apparmor.d/sbuild to enforce mode. Setting /etc/apparmor.d/sbuild-abort to enforce mode. Setting /etc/apparmor.d/sbuild-adduser to enforce mode. Setting /etc/apparmor.d/sbuild-apt to enforce mode. Setting /etc/apparmor.d/sbuild-checkpackages to enforce mode. Setting /etc/apparmor.d/sbuild-clean to enforce mode. Setting /etc/apparmor.d/sbuild-createchroot to enforce mode. Setting /etc/apparmor.d/sbuild-destroychroot to enforce mode. Setting /etc/apparmor.d/sbuild-distupgrade to enforce mode. Setting /etc/apparmor.d/sbuild-hold to enforce mode. Setting /etc/apparmor.d/sbuild-shell to enforce mode. Setting /etc/apparmor.d/sbuild-unhold to enforce mode. Setting /etc/apparmor.d/sbuild-update to enforce mode. Setting /etc/apparmor.d/sbuild-upgrade to enforce mode. Setting /etc/apparmor.d/scide to enforce mode. Setting /etc/apparmor.d/signal-desktop to enforce mode. Setting /etc/apparmor.d/slack to enforce mode. Setting /etc/apparmor.d/slirp4netns to enforce mode. Setting /etc/apparmor.d/steam to enforce mode. Setting /etc/apparmor.d/stress-ng to enforce mode. Setting /etc/apparmor.d/surfshark to enforce mode. Setting /etc/apparmor.d/systemd-coredump to enforce mode. Setting /etc/apparmor.d/thunderbird to enforce mode. Setting /etc/apparmor.d/toybox to enforce mode. Setting /etc/apparmor.d/trinity to enforce mode. 
Profile for /etc/apparmor.d/tunables not found, skipping Setting /etc/apparmor.d/tup to enforce mode. Setting /etc/apparmor.d/tuxedo-control-center to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_apt_news to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_esm_cache to enforce mode. Setting /etc/apparmor.d/unix-chkpwd to enforce mode. Setting /etc/apparmor.d/unprivileged_userns to enforce mode. Setting /etc/apparmor.d/userbindmount to enforce mode. Setting /etc/apparmor.d/usr.bin.man to enforce mode. Setting /etc/apparmor.d/usr.bin.tcpdump to enforce mode. Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode. Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode. Setting /etc/apparmor.d/usr.sbin.chronyd to enforce mode. Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. Setting /etc/apparmor.d/usr.sbin.identd to enforce mode. Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode. Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode. Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode. Setting /etc/apparmor.d/uwsgi-core to enforce mode. Setting /etc/apparmor.d/vdens to enforce mode. Setting /etc/apparmor.d/virtiofsd to enforce mode. Setting /etc/apparmor.d/vivaldi-bin to enforce mode. Setting /etc/apparmor.d/vpnns to enforce mode. Setting /etc/apparmor.d/wpcom to enforce mode. - ========== SRU TEMPLATE: ========== [ Impact ] - * Currently there is a bug in apparmor where executing the aa- + * Currently there is a bug in apparmor where executing the aa- enforce command causes the apparmor to crash with: aaui.UI_Info(_('Profile for %s not found, skipping') % output_name). 
Traceback (most recent call last): - File "/usr/sbin/aa-enforce", line 33, in <module> - tool.cmd_enforce() - File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce - for (program, prof_filename, output_name) in self.get_next_for_modechange(): - File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange - aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/usr/sbin/aa-enforce", line 33, in <module> + tool.cmd_enforce() + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce + for (program, prof_filename, output_name) in self.get_next_for_modechange(): + File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange + aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: 'NoneType' object is not callable An unexpected error occurred! - * Users have been unable to roll out their intended CIS hardening + * Users have been unable to roll out their intended CIS hardening policies to production as they are blocked by this issue - * This bug was also reported upstream apparmor at + * This bug was also reported upstream apparmor at https://gitlab.com/apparmor/apparmor/-/issues/387 - * This bug report references that they were able to work around the + * This bug report references that they were able to work around the problem by manually applying the upstream fix at: - https://gitlab.com/apparmor/apparmor/-/merge_requests/1218. However, - this bug was reported internally by a customer who cannot manually apply - the fix to every affected machine. + https://gitlab.com/apparmor/apparmor/-/commit/6f9e841e74f04cac78da71fd2e8af3f973af94fc?merge_request_iid=1218. + However, this bug was reported internally by a customer who cannot + manually apply the fix to every affected machine. 
[Test Plan] - * Deploy a fresh Ubuntu Noble VM, install apparmor/apparmor-utils, + * Deploy a fresh Ubuntu Noble VM, install apparmor/apparmor-utils, and run: sudo aa-enforce /etc/apparmor.d/* This will produce the same traceback as seen the bug report - * Apply the patch, and run sudo aa-enforce /etc/apparmor.d/*, + * Apply the patch, and run sudo aa-enforce /etc/apparmor.d/*, observing that no errors were produced [What can go wrong] - * The bug was introduced essentially due to a refactorization of a + * The bug was introduced essentially due to a refactorization of a function which originally returned two values. One of which, the return value 'profile', was ambiguously either a profile name or a profile filename. The restructuring in the previous patch ensured the function always returned 3 values, each of which being explicitly defined to remove the ambiguous nature of the "profile" return value. It's possible that there will be subsequent changes similar to this one due to the original refactor. ** Description changed: ***** SRU TEMPLATE AT THE BOTTOM ***** Executing "aa-enforce /etc/apparmor.d/*" does not work on Ubuntu 24.04. There is already an upstream fix (https://gitlab.com/apparmor/apparmor/-/merge_requests/1218/diffs?commit_id=6f9e841e74f04cac78da71fd2e8af3f973af94fc). Suspect more will run into this issue now when the CIS Benchmark for Ubuntu 24.04 was released this week. 
Description: Ubuntu 24.04.1 LTS Release: 24.04 ----------------------------------- root@ubuntu2404:/etc/apparmor.d# dpkg -l |grep apparmor ii apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 user-space parser utility for AppArmor ii apparmor-profiles 4.0.1really4.0.0-beta3-0ubuntu0.1 all experimental profiles for AppArmor security policies ii apparmor-utils 4.0.1really4.0.0-beta3-0ubuntu0.1 all utilities for controlling AppArmor ii libapparmor1:amd64 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 changehat AppArmor library ii python3-apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 all AppArmor Python3 utility library ii python3-libapparmor 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 AppArmor library Python3 bindings ----------------------------------- ----------------------------------- root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. Traceback (most recent call last): File "/usr/sbin/aa-enforce", line 33, in <module> tool.cmd_enforce() File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce for (program, prof_filename, output_name) in self.get_next_for_modechange(): File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: 'NoneType' object is not callable An unexpected error occurred! For details, see /tmp/apparmor-bugreport-yi5o6kwm.txt Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues and attach this file. ------------------------------------- Workaround is to edit /usr/lib/python3/dist-packages/apparmor/tools.py as the upstream fix suggests. 
- for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): - for (program, _, prof_filename) in self.get_next_to_profile(): + for (program, _ignored, prof_filename) in self.get_next_to_profile(): Then it works: root@ubuntu2404:/etc/apparmor.d# vim /usr/lib/python3/dist-packages/apparmor/tools.py root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. Profile for /etc/apparmor.d/abi not found, skipping Profile for /etc/apparmor.d/abstractions not found, skipping Profile for /etc/apparmor.d/apache2.d not found, skipping Setting /etc/apparmor.d/bin.ping to enforce mode. Setting /etc/apparmor.d/brave to enforce mode. Setting /etc/apparmor.d/buildah to enforce mode. Setting /etc/apparmor.d/busybox to enforce mode. Setting /etc/apparmor.d/cam to enforce mode. Setting /etc/apparmor.d/ch-checkns to enforce mode. Setting /etc/apparmor.d/chrome to enforce mode. Setting /etc/apparmor.d/ch-run to enforce mode. Setting /etc/apparmor.d/code to enforce mode. Setting /etc/apparmor.d/crun to enforce mode. Setting /etc/apparmor.d/devhelp to enforce mode. Profile for /etc/apparmor.d/disable not found, skipping Setting /etc/apparmor.d/Discord to enforce mode. Setting /etc/apparmor.d/element-desktop to enforce mode. Setting /etc/apparmor.d/epiphany to enforce mode. Setting /etc/apparmor.d/evolution to enforce mode. Setting /etc/apparmor.d/firefox to enforce mode. Setting /etc/apparmor.d/flatpak to enforce mode. Profile for /etc/apparmor.d/force-complain not found, skipping Setting /etc/apparmor.d/geary to enforce mode. Setting /etc/apparmor.d/github-desktop to enforce mode. Setting /etc/apparmor.d/goldendict to enforce mode. Setting /etc/apparmor.d/ipa_verify to enforce mode. Setting /etc/apparmor.d/kchmviewer to enforce mode. Setting /etc/apparmor.d/keybase to enforce mode. Setting /etc/apparmor.d/lc-compliance to enforce mode. 
Setting /etc/apparmor.d/libcamerify to enforce mode. Setting /etc/apparmor.d/linux-sandbox to enforce mode. Profile for /etc/apparmor.d/local not found, skipping Setting /etc/apparmor.d/loupe to enforce mode. Setting /etc/apparmor.d/lsb_release to enforce mode. Setting /etc/apparmor.d/lxc-attach to enforce mode. Setting /etc/apparmor.d/lxc-create to enforce mode. Setting /etc/apparmor.d/lxc-destroy to enforce mode. Setting /etc/apparmor.d/lxc-execute to enforce mode. Setting /etc/apparmor.d/lxc-stop to enforce mode. Setting /etc/apparmor.d/lxc-unshare to enforce mode. Setting /etc/apparmor.d/lxc-usernsexec to enforce mode. Setting /etc/apparmor.d/mmdebstrap to enforce mode. Setting /etc/apparmor.d/MongoDB_Compass to enforce mode. Setting /etc/apparmor.d/msedge to enforce mode. Setting /etc/apparmor.d/nautilus to enforce mode. Setting /etc/apparmor.d/notepadqq to enforce mode. Setting /etc/apparmor.d/nvidia_modprobe to enforce mode. Setting /etc/apparmor.d/obsidian to enforce mode. Setting /etc/apparmor.d/opam to enforce mode. Setting /etc/apparmor.d/opera to enforce mode. Setting /etc/apparmor.d/pageedit to enforce mode. Setting /etc/apparmor.d/php-fpm to enforce mode. Setting /etc/apparmor.d/plasmashell to enforce mode. Setting /etc/apparmor.d/podman to enforce mode. Setting /etc/apparmor.d/polypane to enforce mode. Setting /etc/apparmor.d/privacybrowser to enforce mode. Setting /etc/apparmor.d/qcam to enforce mode. Setting /etc/apparmor.d/qmapshack to enforce mode. Setting /etc/apparmor.d/QtWebEngineProcess to enforce mode. Setting /etc/apparmor.d/qutebrowser to enforce mode. Setting /etc/apparmor.d/rootlesskit to enforce mode. Setting /etc/apparmor.d/rpm to enforce mode. Setting /etc/apparmor.d/rssguard to enforce mode. Profile for /etc/apparmor.d/rsyslog.d not found, skipping Setting /etc/apparmor.d/runc to enforce mode. Setting /etc/apparmor.d/samba-bgqd to enforce mode. Setting /etc/apparmor.d/samba-dcerpcd to enforce mode. 
Setting /etc/apparmor.d/samba-rpcd to enforce mode. Setting /etc/apparmor.d/samba-rpcd-classic to enforce mode. Setting /etc/apparmor.d/samba-rpcd-spoolss to enforce mode. Setting /etc/apparmor.d/sbin.klogd to enforce mode. Setting /etc/apparmor.d/sbin.syslogd to enforce mode. Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode. Setting /etc/apparmor.d/sbuild to enforce mode. Setting /etc/apparmor.d/sbuild-abort to enforce mode. Setting /etc/apparmor.d/sbuild-adduser to enforce mode. Setting /etc/apparmor.d/sbuild-apt to enforce mode. Setting /etc/apparmor.d/sbuild-checkpackages to enforce mode. Setting /etc/apparmor.d/sbuild-clean to enforce mode. Setting /etc/apparmor.d/sbuild-createchroot to enforce mode. Setting /etc/apparmor.d/sbuild-destroychroot to enforce mode. Setting /etc/apparmor.d/sbuild-distupgrade to enforce mode. Setting /etc/apparmor.d/sbuild-hold to enforce mode. Setting /etc/apparmor.d/sbuild-shell to enforce mode. Setting /etc/apparmor.d/sbuild-unhold to enforce mode. Setting /etc/apparmor.d/sbuild-update to enforce mode. Setting /etc/apparmor.d/sbuild-upgrade to enforce mode. Setting /etc/apparmor.d/scide to enforce mode. Setting /etc/apparmor.d/signal-desktop to enforce mode. Setting /etc/apparmor.d/slack to enforce mode. Setting /etc/apparmor.d/slirp4netns to enforce mode. Setting /etc/apparmor.d/steam to enforce mode. Setting /etc/apparmor.d/stress-ng to enforce mode. Setting /etc/apparmor.d/surfshark to enforce mode. Setting /etc/apparmor.d/systemd-coredump to enforce mode. Setting /etc/apparmor.d/thunderbird to enforce mode. Setting /etc/apparmor.d/toybox to enforce mode. Setting /etc/apparmor.d/trinity to enforce mode. Profile for /etc/apparmor.d/tunables not found, skipping Setting /etc/apparmor.d/tup to enforce mode. Setting /etc/apparmor.d/tuxedo-control-center to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_apt_news to enforce mode. Setting /etc/apparmor.d/ubuntu_pro_esm_cache to enforce mode. 
Setting /etc/apparmor.d/unix-chkpwd to enforce mode. Setting /etc/apparmor.d/unprivileged_userns to enforce mode. Setting /etc/apparmor.d/userbindmount to enforce mode. Setting /etc/apparmor.d/usr.bin.man to enforce mode. Setting /etc/apparmor.d/usr.bin.tcpdump to enforce mode. Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode. Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode. Setting /etc/apparmor.d/usr.sbin.chronyd to enforce mode. Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. Setting /etc/apparmor.d/usr.sbin.identd to enforce mode. Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode. Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode. Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode. Setting /etc/apparmor.d/uwsgi-core to enforce mode. Setting /etc/apparmor.d/vdens to enforce mode. Setting /etc/apparmor.d/virtiofsd to enforce mode. Setting /etc/apparmor.d/vivaldi-bin to enforce mode. Setting /etc/apparmor.d/vpnns to enforce mode. Setting /etc/apparmor.d/wpcom to enforce mode. ========== SRU TEMPLATE: ========== [ Impact ] * Currently there is a bug in apparmor where executing the aa- enforce command causes the apparmor to crash with: aaui.UI_Info(_('Profile for %s not found, skipping') % output_name). 
Traceback (most recent call last): File "/usr/sbin/aa-enforce", line 33, in <module> tool.cmd_enforce() File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce for (program, prof_filename, output_name) in self.get_next_for_modechange(): File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: 'NoneType' object is not callable An unexpected error occurred! * Users have been unable to roll out their intended CIS hardening policies to production as they are blocked by this issue * This bug was also reported upstream apparmor at https://gitlab.com/apparmor/apparmor/-/issues/387 * This bug report references that they were able to work around the problem by manually applying the upstream fix at: - https://gitlab.com/apparmor/apparmor/-/commit/6f9e841e74f04cac78da71fd2e8af3f973af94fc?merge_request_iid=1218. + https://gitlab.com/apparmor/apparmor/-/commit/6f9e841e74f04cac78da71fd2e8af3f973af94fc. However, this bug was reported internally by a customer who cannot manually apply the fix to every affected machine. [Test Plan] * Deploy a fresh Ubuntu Noble VM, install apparmor/apparmor-utils, and run: sudo aa-enforce /etc/apparmor.d/* This will produce the same traceback as seen the bug report * Apply the patch, and run sudo aa-enforce /etc/apparmor.d/*, observing that no errors were produced [What can go wrong] * The bug was introduced essentially due to a refactorization of a function which originally returned two values. One of which, the return value 'profile', was ambiguously either a profile name or a profile filename. The restructuring in the previous patch ensured the function always returned 3 values, each of which being explicitly defined to remove the ambiguous nature of the "profile" return value. 
It's possible that there will be subsequent changes similar to this one due to the original refactor.
https://bugs.launchpad.net/bugs/2078467 Title: [SRU] App armor crashes on aa-enforce due to "Profile not found"
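Review bot: nothing in the workaround hunk that renames `_` to `_ignored` in the two `for (program, _, prof_filename) in self.get_next_to_profile():` loops guards against the same rebinding of `_` elsewhere, and the [What can go wrong] section already expects follow-up changes from the same refactor. The traceback shows `_('Profile for %s not found, skipping')` failing only after the first profile was set to enforce mode and the next argument had no profile, so the test plan should assert on a run that includes non-profile entries such as `abi` or `abstractions`. The other callers of `get_next_to_profile()` should also be checked for `_` used as a throwaway name.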
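The [What can go wrong] section expects further changes like this one. The following is an added example, not part of the bug report or of AppArmor's code: a static check that flags any function which both rebinds `_` (conventionally the gettext translation function, as in the `_('Profile for %s not found, skipping')` call in the traceback) and calls `_(...)`. The function name `find_shadowed_translator` is hypothetical, and the sample bodies are constructed around the two lines quoted in the report.

```python
import ast

# Constructed sample: only the `for (...)` line and the UI_Info call are taken
# from the bug report; the rest of the body is a simplified assumption.
BEFORE = '''
def get_next_for_modechange(self):
    for (program, _, prof_filename) in self.get_next_to_profile():
        output_name = program or prof_filename
        if not prof_filename:
            aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
        else:
            yield (program, prof_filename, output_name)
'''
AFTER = BEFORE.replace("(program, _, prof_filename)",
                       "(program, _ignored, prof_filename)")

# Node types that open a new scope: names bound inside them do not become
# locals of the enclosing function.
NESTED_SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef,
                 ast.ListComp, ast.SetComp, ast.DictComp, ast.GeneratorExp)


def _own_scope(node):
    """Yield the nodes of one function without entering nested scopes."""
    for child in ast.iter_child_nodes(node):
        yield child
        if not isinstance(child, NESTED_SCOPES):
            yield from _own_scope(child)


def find_shadowed_translator(source, name="_"):
    """Return (function, bind_lines, call_lines) for every function that makes
    `name` a local (loop target, assignment, with-as, parameter) and also
    calls `name(...)`. `except ... as _` is not covered by this check."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        binds = sorted(
            n.lineno for n in _own_scope(func)
            if (isinstance(n, ast.Name) and n.id == name
                and isinstance(n.ctx, ast.Store))
            or (isinstance(n, ast.arg) and n.arg == name))
        # Calls are collected from nested scopes too: a closure or comprehension
        # that calls `_` sees the enclosing function's local binding.
        calls = sorted(
            n.lineno for n in ast.walk(func)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
            and n.func.id == name)
        if binds and calls:
            findings.append((func.name, binds, calls))
    return findings


if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_shadowed_translator(src))
```

Line numbers in the result are relative to the source string passed in, so running it over each file under the installed `apparmor` Python package gives positions that can be opened directly.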