[apparmor] WTF changed in latest aa-enforce?!
Christian Boltz
apparmor at cboltz.de
Wed Aug 13 11:54:30 UTC 2014
Hello,
On Wednesday, 13 August 2014, Aaron Lewis wrote:
> I just upgraded to Ubuntu 14.04 and every profile I write is invalid
> now, WTF? Did you guys completely rewrite all the scripts in Python?
> That's really FUNNY
>
> apparmor.common.AppArmorException: "Syntax Error: Missing '}' .
> Reached end of file /etc/apparmor.d/usr.sbin.nginx while inside
> profile /usr/sbin/nginx"
The error message is misleading - you have a syntax error in the line
above the }
> /usr/sbin/nginx {
[...]
> /var/lib/nginx/fastcgi/{**,} mrw,
> /var/log/nginx/{*,} w
> }
Note the line
/var/log/nginx/{*,} w
The comma at the end is missing, it should be
/var/log/nginx/{*,} w,
You could also write the line as
/var/log/nginx/{*,}
w
,
(yes, that's also valid syntax - AppArmor doesn't care if the whitespace
consists of spaces, tabs or newlines)
This should also explain why you got the misleading error message -
aa-enforce thinks the } belongs to the previous line (because the
rule was not finished with a comma), and then hits EOF in the middle of
a rule.
Now the interesting question is: did the AppArmor tools break your
profile (we'll happily fix them), or did you accidentally break it by
manual editing? (In this case, you'll have to give yourself a rap on the
knuckles ;-)
BTW: vi with AppArmor syntax highlighting was very helpful to find the
syntax error ;-)
Regards,
Christian Boltz
--
"Probably the most annoying aspect of a computer program
is the way in which it reacts to your errors"
[L. Lamport, LaTeX-Handbuch]
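
The failure mode described in this message, as an added example that is not part of the original mail or of the AppArmor tools: a simplified Python check that reports the line where an unterminated rule starts, instead of the point where a parser runs out of input. It is a heuristic, not AppArmor's parser; it assumes whitespace-separated tokens, `#` comments and bare `{` / `}` block tokens, and `find_unterminated_rules` and the sample profiles are constructed from the lines quoted above.

```python
import re

# Constructed samples built from the rules quoted in the mail
# (the elided "[...]" part of the profile is left out).
BROKEN = (
    "/usr/sbin/nginx {\n"
    "  /var/lib/nginx/fastcgi/{**,} mrw,\n"
    "  /var/log/nginx/{*,} w\n"
    "}\n"
)
FIXED = BROKEN.replace("{*,} w\n", "{*,} w,\n")
# Same rule spread over three lines: still valid, whitespace is whitespace.
MULTILINE = BROKEN.replace("{*,} w\n", "{*,}\n  w\n  ,\n")


def find_unterminated_rules(profile_text):
    """Return [(line_no, rule_text)] for rules not closed by a comma.

    line_no is where the rule started, which is the line to fix.
    """
    problems = []
    tokens, start_line = [], None
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        # Drop comments (this also skips "#include <...>" lines).
        line = re.sub(r"(^|\s)#.*", "", line)
        for token in line.split():
            if token == "{":
                # Tokens so far were a profile header, not a rule.
                tokens, start_line = [], None
            elif token == "}":
                # Block closes while a rule is still open: missing comma.
                if tokens:
                    problems.append((start_line, " ".join(tokens)))
                tokens, start_line = [], None
            elif token.endswith(","):
                # A trailing comma terminates the current rule.
                tokens, start_line = [], None
            else:
                if not tokens:
                    start_line = line_no
                tokens.append(token)
    if tokens:  # input ended in the middle of a rule
        problems.append((start_line, " ".join(tokens)))
    return problems


if __name__ == "__main__":
    for line_no, rule in find_unterminated_rules(BROKEN):
        print(f"line {line_no}: rule not terminated with ',': {rule}")
```
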