[Bug 2090887] Re: apport hook source_apparmor.py shows only one word per line
Alex Murray
2090887 at bugs.launchpad.net
Thu Dec 5 04:58:05 UTC 2024
And if we add the same snippet to source_apparmor.py so we can run it
directly then we also don't reproduce this:
root@sec-noble-amd64:/usr/share/apport/package-hooks# tail source_apparmor.py -n6
if __name__ == '__main__':
    report = {}
    add_info(report, None)
    for key in report:
        print('%s: %s' % (key, report[key].split('\n', 1)[0]))
root@sec-noble-amd64:/usr/share/apport/package-hooks# python3 source_apparmor.py
/usr/share/apport/package-hooks/source_apparmor.py:61: SyntaxWarning: invalid escape sequence '\('
  sec_re = re.compile('audit\(|apparmor|selinux|security', re.IGNORECASE)
ProcVersionSignature: Ubuntu 6.8.0-47.47-generic 6.8.12
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-47-generic root=UUID=15a6fbdd-2b57-4890-803d-c6a103a6a00f ro console=tty1 console=ttyS0
KernLog: 2024-12-05T03:41:19.462683+00:00 sec-noble-amd64 kernel: audit: type=1400 audit(1733370079.461:132): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=923 comm="apparmor_parser"
Syslog:
ApparmorPackages: apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3
ApparmorStatusOutput: apparmor module is loaded.
PstreeP: systemd(1)-+-ModemManager(7969)-+-{ModemManager}(7973)
But actually it is not a bug in apparmor - it is in apport itself - it has its own version of the AppArmor log capturing bits in hookutils.py in attach_mac_events() - the same regex is used there BUT it is used with re.findall() which only returns the matching part of the regex - so these regex patterns need to be updated to capture the rest of the line - something like:
mac_regex = r"^audit\(.*|apparmor.*|selinux.*|security.*"
mac_re = re.compile(mac_regex, re.IGNORECASE)
aa_regex = 'apparmor="DENIED".+?profile=([^ ]+?)[ ].*'
Should hopefully dtrt.
So I think this bug is actually in the mysql-8.0 not apparmor (but am
not sure exactly how it is occurring as I am not that familiar with the
apport hook mechanism etc)
** Package changed: apparmor (Ubuntu) => apport (Ubuntu)
** Summary changed:
- apport hook source_apparmor.py shows only one word per line
+ apport hookutils.py only captures first word per line for KernLog
--
https://bugs.launchpad.net/bugs/2090887
Title:
apport hookutils.py only captures first word per line for KernLog
Status in apport package in Ubuntu:
New
Bug description:
As can be seen in some bugs collecting KernLog.txt, such as
https://launchpadlibrarian.net/755520804/KernLog.txt from LP:
#2085412, or https://launchpadlibrarian.net/748024373/KernLog.txt from
LP: #2079912, only one word of each line is being shown:
Security
AppArmor
AppArmor
audit(
AppArmor
AppArmor
AppArmor
AppArmor
security
selinux
security
security
security
security
security
apparmor
I haven't reproduced this behavior myself locally, so wonder if the
reporters' kern.log files are odd, but I've seen this in several bug
reports. I thought it might be the stringify() routine but running
the apport hook manually on my own system, it works fine. Looking
through the source_apparmor.py file I notice the words are ones
matching the regular expression:
sec_re = re.compile('audit\(|apparmor|selinux|security', re.IGNORECASE)
report['KernLog'] = recent_kernlog(sec_re)
That can't be a coincidence. However, I don't see how the code would
produce this behavior, so no idea how to fix it.
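Added example (not part of the original message or of apport's code): it shows why passing the security pattern to re.findall() yields one word per hit, and two ways to keep the whole log line instead. The log lines are constructed, and the names SAMPLE_LOG, SEC_RE, WHOLE_LINE_RE, matched_fragments and matching_lines are hypothetical.

```python
import re

# Constructed sample kernel log lines (not taken from the bug reports).
SAMPLE_LOG = "\n".join([
    '2024-12-05T03:41:19.462683+00:00 host kernel: audit: type=1400 '
    'audit(1733370079.461:132): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/mysqld" name="/etc/shadow" pid=923 comm="mysqld"',
    "2024-12-05T03:41:20.000000+00:00 host kernel: usb 1-1: new high-speed "
    "USB device number 2",
    "2024-12-05T03:41:21.000000+00:00 host kernel: LSM: initializing "
    "lsm=lockdown,capability,landlock,yama,apparmor",
    "2024-12-05T03:41:22.000000+00:00 host kernel: Security Framework "
    "initialized",
])

# The pattern quoted in the bug description, written as a raw string so
# that '\(' does not trigger the SyntaxWarning shown in the session above.
SEC_RE = re.compile(r"audit\(|apparmor|selinux|security", re.IGNORECASE)

# Assumption: one possible whole-line variant. MULTILINE makes ^ and $
# match at every line boundary. The group is non-capturing on purpose:
# with a capturing group, findall() would return only the group's text.
WHOLE_LINE_RE = re.compile(
    r"^.*(?:audit\(|apparmor|selinux|security).*$",
    re.IGNORECASE | re.MULTILINE,
)


def matched_fragments(pattern, text):
    """Return what findall() gives: only the matched substring per hit."""
    return pattern.findall(text)


def matching_lines(pattern, text):
    """Filter line by line, keeping each whole line that contains a hit."""
    return [line for line in text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    print("findall() with the bare pattern:")
    for fragment in matched_fragments(SEC_RE, SAMPLE_LOG):
        print("  " + fragment)
    print("search() used as a line filter:")
    for line in matching_lines(SEC_RE, SAMPLE_LOG):
        print("  " + line)
    print("findall() with the whole-line pattern:")
    for line in WHOLE_LINE_RE.findall(SAMPLE_LOG):
        print("  " + line)
```

The first listing reproduces the one-word-per-line symptom; the other two keep the full audit record, including the profile= and name= fields needed to triage a denial.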