[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

Robert Munteanu robert.munteanu at gmail.com
Tue Sep 22 08:03:55 UTC 2015


Sorry, forgot to include the list

On Tue, Sep 22, 2015 at 11:03 AM, Robert Munteanu
<robert.munteanu at gmail.com> wrote:
> On Tue, Sep 22, 2015 at 11:00 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>> On 09/22/2015 12:19 AM, Robert Munteanu wrote:
>>> On Tue, Sep 22, 2015 at 10:02 AM, John Johansen
>>> <john.johansen at canonical.com> wrote:
>>>> On 09/21/2015 11:35 PM, Robert Munteanu wrote:
>>>>> Hi John,
>>>>>
>>>>> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
>>>>> <john.johansen at canonical.com> wrote:
>>>>>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>>>>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>>>>>> roadblock which I can't get out of. I created a
>>>>>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>>>>>> openSUSE. (see diff at the end, I can find nothing relevant).
>>>>>>>
>>>>>>> Trying to put the module into enforce mode leads to an error parsing
>>>>>>> /etc/apparmor.d/tunables/home:
>>>>>>>
>>>>>>> # aa-enforce usr.sbin.httpd2-prefork
>>>>>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>>>>>> Traceback (most recent call last):
>>>>>>>  File "/usr/sbin/aa-enforce", line 30, in <module>
>>>>>>>    tool.cmd_enforce()
>>>>>>>  File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>>>>>> in cmd_enforce
>>>>>>>    raise apparmor.AppArmorException(cmd_info[1])
>>>>>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>>>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>>>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>>>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>>>>>
>>>>>>> The tunables/home file is unchanged.
>>>>>>>
>>>>>>> This looks a lot like
>>>>>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>>>>>> I don't have an ubuntu machine to use apport for adding more
>>>>>>> information.
>>>>>>>
>>>>>>> How can I debug/fix this issue?
>>>>>>>
>>>>>> Hi Robert, I am not sure what is going on from the provided info. However
>>>>>> we can manually work around this if needed.
>>>>>>
>>>>>> if you do
>>>>>>   sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>>>>>
>>>>>> does it succeed?
>>>>>
>>>>> No, same error:
>>>>>
>>>>> # apparmor_parser -r usr.sbin.httpd2-prefork
>>>>> AppArmor parser error for usr.sbin.httpd2-prefork in
>>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>>> TOK_EQUALS, expecting TOK_MODE
>>>>>
>>>>>>
>>>>>> To manually put the profile in enforce mode, you need to make sure it is
>>>>>> not tagged as being in complain mode.  This can be done by setting a
>>>>>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>>>>>> flag in the profile file. Eg.
>>>>>>
>>>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>>>>>
>>>>> I guess I would break more stuff by manually putting the profile in
>>>>> enforce mode if it's not parseable ...
>>>>>
>>>> can you attach the output of
>>>>   apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>>>>
>>>> that will give us a flattened dump of the profile with all its includes expanded
>>>
>>> Sure, attached. I find it strange that the output ends with a
>>>
>>> @{HOME}=
>>>
>>> line, which would explain the error. However, I don't have such a line
>>> in my /etc/apparmor.d directory
>>>
>> So this is an artifact of how the parser is processing variables.
>>
>> The defines are read and partially processed during the preprocessing phase of
>> the parse and it is choking on @{HOME}= being assigned inside of the profile
>> scope (currently vars can only be defined in the header).
>>
>> What you need to look for is a file in <apache2.d> that is including
>> <tunables/global>
>
> That's right, there's an apache2.d/wordpress file which has that include
>
> Removing it makes the error go away, which is good. On the other hand,
> the wordpress file, which contains
>
>  ^wordpress {
>    #include <abstractions/base>
>    #include <abstractions/nameservice>
>    #include <abstractions/apache2-common>
>    #include <abstractions/php5>
>    /srv/www/wordpress/              r,
>    /srv/www/wordpress/**            r,
>    /srv/www/wordpress/wp-content/** w,
>    /var/log/apache2/**              w,
>    /srv/www/mod_pagespeed/cache/**  w,
>    /etc/wordpress/wp-config.php     r,
>    @{PROC}/@{pid}/statm             r,
>  }
>
> makes apparmor_parser complain:
>
> $ apparmor_parser -r wordpress
> Found reference to variable PROC, but is never declared
>
> Robert
> --
> http://robert.muntea.nu/



-- 
http://robert.muntea.nu/
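
Added example (not part of the original thread and not AppArmor project code): a small lint that follows includes from a profile and reports every variable assignment that ends up inside a profile block, together with the include chain that pulled it in, which is the condition John describes above. The file tree is a constructed in-memory sample keyed by paths relative to /etc/apparmor.d, the names `lint`, `expand` and `SAMPLE` are hypothetical, and block tracking is a line-based heuristic rather than the real parser's grammar.

```python
import re

INCLUDE = re.compile(r'^\s*#?include\s+[<"]([^>"]+)[>"]')
ASSIGN = re.compile(r'^\s*(@\{\w+\})\s*\+?=')

# Constructed sample tree mirroring the thread (paths relative to /etc/apparmor.d).
SAMPLE = {
    "usr.sbin.httpd2-prefork": (
        "#include <tunables/global>\n"
        "/usr/sbin/httpd2-prefork {\n"
        "  #include <abstractions/base>\n"
        "  #include <apache2.d>\n"
        "}\n"),
    "abstractions/base": "/etc/ld.so.cache r,\n",
    "apache2.d/wordpress": (
        "#include <tunables/global>\n"
        "^wordpress {\n"
        "  @{PROC}/@{pid}/statm r,\n"
        "}\n"),
    "tunables/global": "#include <tunables/home>\n@{PROC}=/proc/\n",
    "tunables/home": "@{HOME}=@{HOMEDIRS}/*/ /root/\n",
}

def expand(tree, name):
    """A directory include pulls in every file under that directory."""
    return [name] if name in tree else sorted(k for k in tree if k.startswith(name + "/"))

def lint(tree, name, depth=0, chain=()):
    """Return (variable, file, line, include chain) for each assignment reached in profile scope."""
    chain, hits = chain + (name,), []
    for lineno, line in enumerate(tree[name].splitlines(), 1):
        text = line.strip()
        inc, var = INCLUDE.match(line), ASSIGN.match(line)
        if inc:
            for child in expand(tree, inc.group(1)):
                if child not in chain:  # guard against include loops
                    hits += lint(tree, child, depth, chain)
        elif var and depth > 0:
            hits.append((var.group(1), name, lineno, " -> ".join(chain)))
        elif text.endswith("{") and not text.startswith("#"):
            depth += 1   # heuristic: a block opens on a line ending in "{"
        elif text in ("}", "},"):
            depth -= 1   # heuristic: a block closes on a line that is only "}"
    return hits

if __name__ == "__main__":
    for var, path, lineno, chain in lint(SAMPLE, "usr.sbin.httpd2-prefork"):
        print(f"{var} assigned in profile scope: {path}:{lineno} via {chain}")
```

On the sample tree it flags `@{HOME}` and `@{PROC}`, both reached through `apache2.d/wordpress`; the same fragment linted on its own reports nothing, because there its tunables include sits in the header.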


