aa-status crashes with a backtrace if prevented from reading the profile list

Bug #1383703 reported by Steve Beattie
Affects: AppArmor
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

If aa-status is run within an apparmor confined environment (e.g. within an lxc container), it throws a python traceback if apparmor prevents it from reading the profile list:

 Traceback (most recent call last):
   File "/usr/sbin/aa-status", line 194, in <module>
     commands[cmd]()
   File "/usr/sbin/aa-status", line 17, in cmd_enabled
     if get_profiles() == {}:
   File "/usr/sbin/aa-status", line 92, in get_profiles
     for p in open(apparmor_profiles).readlines():
 PermissionError: [Errno 13] Permission denied: '/sys/kernel/security/apparmor/profiles'

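As an added illustration (not the upstream aa-status code), the reader below handles the failure in the traceback: the kernel's profile list is parsed the same way, but a denied read returns a reason string and a non-zero exit status instead of a Python backtrace. The exit codes and the parse helper names are constructed for this example.

```python
"""Hardened profile-list reader for aa-status (illustrative; not the upstream code)."""
import re
import sys

# Path taken from the traceback in the report.
APPARMOR_PROFILES = "/sys/kernel/security/apparmor/profiles"

# Each line of the profiles file has the form "<profile name> (<mode>)".
PROFILE_RE = re.compile(r"^(.+) \((\w+)\)$")


def parse_profiles(text):
    """Return {profile_name: mode} for every well-formed line in text."""
    profiles = {}
    for line in text.splitlines():
        m = PROFILE_RE.match(line.strip())
        if m:
            profiles[m.group(1)] = m.group(2)
    return profiles


def load_profiles(path=APPARMOR_PROFILES):
    """Read the kernel profile list without letting PermissionError escape.

    Returns (profiles, None) on success, or ({}, reason) when the file
    cannot be read (e.g. denied by the confining policy in a container).
    """
    try:
        with open(path) as fh:
            return parse_profiles(fh.read()), None
    except PermissionError:
        return {}, ("%s is not readable; inside a confined container the "
                    "host policy may deny access to securityfs" % path)
    except FileNotFoundError:
        return {}, "%s does not exist; is securityfs mounted and apparmor enabled?" % path
    except OSError as e:
        return {}, "%s: %s" % (path, e.strerror)


def cmd_enabled(path=APPARMOR_PROFILES):
    """Exit status: 0 = profiles loaded, 2 = none loaded, 4 = list unreadable
    (constructed codes for this example, not necessarily the tool's own)."""
    profiles, reason = load_profiles(path)
    if reason is not None:
        print("aa-status: " + reason, file=sys.stderr)
        return 4
    return 0 if profiles else 2


if __name__ == "__main__":
    sys.exit(cmd_enabled())
```
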
Tags: aa-tools
Steve Beattie (sbeattie)
Changed in apparmor:
importance: Undecided → Low
Simon Déziel (sdeziel)
Changed in apparmor:
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

This is because the default container AA profile prevents reading under /sys/kernel/security/**. Changing the profile to allow reading makes aa-status work but it shows the list of profiles from the host.

This makes me wonder why https://wiki.ubuntu.com/LxcSecurity has this entry:

  * apparmor policy stacking allows containers to use apparmor themselves even while
     they apparmor-confined by the host

Seth Arnold (seth-arnold) wrote :

Simon, those were aspirational statements for the future -- sadly, profile stacking isn't here yet, though it's closer than ever before. Once it does arrive, it will let us do that. :)

Simon Déziel (sdeziel) wrote : Re: [Bug 1383703] Re: aa-status crashes with a backtrace if prevented from reading the profile list

On 10/21/2014 10:58 AM, Seth Arnold wrote:
> Simon, those were aspirational statements for the future -- sadly,
> profile stacking isn't here yet, though it's closer than ever before.
> Once it does arrive, it will let us do that. :)

It's only now that I notice the "considerations" for 13.04. Thanks for
the clarification. I am glad to know this is still on the radar and I
can't wait for it to land!

Christian Boltz (cboltz)
tags: added: aa-tools