On 30.04.2018 at 01:33, Christian Boltz wrote:
Hello,
On Sunday, 29 April 2018, 19:36:08 CEST, Frank Krüger wrote:
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
No, that sounds new to me. (Also, aa-logprof shouldn't run for several minutes, maybe except if you have a really big logfile > 100 MB, and for sure it shouldn't spend minutes in load_include.)
That said - I was able to reproduce the problem, and wonder why it didn't hit me before.
The biggest change in 2.13 [1] is support for shipping precompiled cache and having multiple cache directories. This also comes with a new cache directory layout, including a new symlink /etc/apparmor.d/cache.d pointing to the real cache directory.
Exactly that symlink causes the problem you see, because aa-logprof tries to parse all (binary) files in /etc/apparmor.d/cache.d/ :-(
@Patrick: If you are unable to reproduce this bug, your profiles probably match exactly the upstream profiles, so /etc/apparmor.d/cache.d/ (symlink to /var/cache/apparmor/) is empty and only the precompiled cache in /usr/share/apparmor/cache/ gets used. An additional condition is that you don't have profiles installed by other packages (which don't include precompiled cache yet).
That said - I can offer a selection of hotfixes. Pick one ;-)
a) apply the following patch to /usr/lib/python3.6/site-packages/apparmor/aa.py
--- /usr/lib/python3.6/site-packages/apparmor/aa.py_ORIG +++ /usr/lib/python3.6/site-packages/apparmor/aa.py @@ -2048,7 +2048,7 @@ def is_skippable_file(path): return False
def is_skippable_dir(path): - if re.search('^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$', path): + if re.search('^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$', path): return True return False
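Review bot: in is_skippable_dir the exclusion is keyed on the directory name alone, so only an entry literally named cache.d is skipped; a cache directory or symlink under any other name that does not match the list would still be walked and its binary files passed to the parser. Since 2.13 is described as supporting multiple cache directories, consider a check that does not depend on the name list growing with each layout change. Two smaller points on the changed line: `cache|cache\.d` can be written as `cache(\.d)?`, and the pattern contains `\.` inside a plain string literal, so it would be cleaner as a raw string (r'...').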
to exclude the "cache.d" symlink/directory from parsing.
- or -
b) grab the latest python3-apparmor package from security:apparmor (building right now) which includes the patch from a)
Thank you for the speedy fix. Using python3-apparmor from the security apparmor repo, it works as expected:

  time aa-logprof
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.

  real 0m1,533s
  user 0m1,449s
  sys 0m0,068s

Regards, Frank