[apparmor] apparmor_parser
John Johansen
john.johansen at canonical.com
Tue Jan 11 00:51:48 UTC 2011
On 01/10/2011 04:24 PM, Christian Boltz wrote:
> Hello,
>
> I'm currently running openSUSE Factory + AppArmor 2.5.1 from the
> security:apparmor repo on my laptop.
>
> I noticed that apparmor_parser segfaults on some profiles in "rcapparmor
> reload" - in my case usr.sbin.nscd, usr.share.git-web.gitweb.cgi and a
> profile for a script in my home directory (that's 3 of 27 profiles).
>
> If I call "apparmor_parser usr.share.git-web.gitweb.cgi", I can
> reproduce the segfault. It must be early in the code because I don't get
> any additional output with -d.
>
> The only (hopefully) useful thing I can offer for now is a strace
> (attached).
>
>
Christian, can you attach the profile dumped from running

    apparmor_parser -p <profile>

This will pull in all the includes, variable defines, etc., encapsulating
it all into a single profile file that is easier for us to debug against.

> # cat usr.share.git-web.gitweb.cgi
> # Last Modified: Fri Dec 19 11:03:49 2008
> #include <tunables/global>
>
> /usr/share/gitweb/gitweb.cgi {
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/nameservice>
> #include <abstractions/perl>
>
> /bin/bash rix,
> /dev/tty rw,
> /etc/gitweb.conf r,
> /etc/mime.types r,
> /proc/meminfo r,
> /proc/sys/kernel/ngroups_max r,
> /srv/git/ r,
> /srv/git/** r,
> /usr/bin/perl ix,
> /usr/lib/git/git rix,
> /usr/bin/git-receive-pack rix,
> /usr/share/gitweb/* r,
> /usr/share/gitweb/static/* r,
> }
>
> My abstractions/* are unchanged AFAIK, and in tunables/global I've added
>     alias /var -> /home/sys-var,
>     alias /tmp -> /home/sys-tmp,
> (removing those aliases doesn't change anything)
>
>
> Regards,
>
> Christian Boltz
>
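
The triage discussed in this thread, as an added example that is not part of either message: it runs the parser over every profile in a directory, flags the ones where it dies from a signal, and tries to save the `-p` preprocessed form of each. Assumptions: `PARSER` defaults to `apparmor_parser` on the PATH, `-Q` (skip kernel load) is used so loaded policy is not touched, and the function name, output file names and directories are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find which profiles make the parser
# die from a signal, and save the "-p" preprocessed form of each one.
# Assumptions: PARSER defaults to apparmor_parser on PATH; -Q (skip kernel
# load) keeps the run from touching loaded policy; file names are ours.
PARSER="${PARSER:-apparmor_parser}"

# triage_profiles PROFILE_DIR OUT_DIR
# Prints "<result><TAB><profile>" for every regular file in PROFILE_DIR.
triage_profiles() {
    dir=$1
    out=$2
    mkdir -p "$out" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip abstractions/, tunables/, ...
        name=${f##*/}
        rc=0
        "$PARSER" -Q "$f" >/dev/null 2>"$out/$name.stderr" || rc=$?
        if [ "$rc" -eq 0 ]; then
            printf 'ok\t%s\n' "$name"
        elif [ "$rc" -gt 128 ]; then
            # Exit status 128+N means the parser was killed by signal N
            # (139 = SIGSEGV on Linux, the crash reported in this thread).
            printf 'signal-%d\t%s\n' "$((rc - 128))" "$name"
            # Try to capture the flattened profile asked for in the reply.
            # If the crash happens before any output, record that instead.
            if ! "$PARSER" -p "$f" >"$out/$name.preprocessed" 2>/dev/null; then
                echo "parser also failed with -p" >"$out/$name.preprocessed.note"
            fi
        else
            printf 'error-%d\t%s\n' "$rc" "$name"   # ordinary parse error
        fi
    done
}

# Run only when executed with arguments, e.g.:
#   sh triage.sh /etc/apparmor.d /tmp/aa-triage
if [ "$#" -ge 2 ]; then
    triage_profiles "$1" "$2"
fi
```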