[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

John Johansen john.johansen at canonical.com
Tue Sep 22 08:31:44 UTC 2015


On 09/22/2015 01:13 AM, Robert Munteanu wrote:
> On Tue, Sep 22, 2015 at 11:09 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>> << snip >>
>>
>>>>>> Sure, attached. I find it strange that the output ends with a
>>>>>>
>>>>>> @{HOME}=
>>>>>>
>>>>>> line, which would explain the error. However, I don't have such a line
>>>>>> in my /etc/apparmor.d directory
>>>>>>
>>>>> So this is an artifact of how the parser is processing variables.
>>>>>
>>>>> The defines are read and partially processed during the preprocessing phase of
>>>>> the parse and it is choking on @{HOME}= being assigned inside of the profile
>>>>> scope (currently vars can only be defined in the header).
>>>>>
>>>>> What you need to look for is a file in <apache2.d> that is including
>>>>> <tunables/global>
>>>>
>>>> That's right, there's an apache2.d/wordpress file which has that include
>>>>
>>>> Removing it makes the error go away, which is good. On the other hand,
>>>> the wordpress file, which contains
>>>>
>>>>  ^wordpress {
>>>>    #include <abstractions/base>
>>>>    #include <abstractions/nameservice>
>>>>    #include <abstractions/apache2-common>
>>>>    #include <abstractions/php5>
>>>>    /srv/www/wordpress/              r,
>>>>    /srv/www/wordpress/**            r,
>>>>    /srv/www/wordpress/wp-content/** w,
>>>>    /var/log/apache2/**              w,
>>>>    /srv/www/mod_pagespeed/cache/**  w,
>>>>    /etc/wordpress/wp-config.php     r,
>>>>    @{PROC}/@{pid}/statm             r,
>>>>  }
>>>>
>>>> makes apparmor_parser complain:
>>>>
>>>> $ apparmor_parser -r wordpress
>>>> Found reference to variable PROC, but is never declared
>>>>
>>
>> strange, @{PROC} is definitely defined earlier,
>>
>> can you provide me an updated output for
>>   apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
> 
> Sure, it's attached.
> 
> The question is though - should I call apparmor_parser on
> apache.d/wordpress ( which is a fragment ) or is it enough to call it
> on usr.sbin.httpd2-prefork ?
> 

Ah, I missed that! So you should only need to call it on
usr.sbin.httpd2-prefork; the fragments do not contain enough information
to be properly parsed and inserted directly.  You will end up with errors
like the one above.

Looking at the dump you attached, the ^wordpress child profile is in it
and would be loaded as part of usr.sbin.httpd2-prefork.

If you want to be able to call/load the child profiles separately from
the usr.sbin.httpd2-prefork profile, I can walk you through the changes
that would be needed, but I will spare you the details unless you ask
for it.
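
Added example, not part of the original message or of the AppArmor project: a shell check for the condition described in this thread, where a fragment in a directory included from inside a profile body pulls in a tunables file or assigns a variable, so the definition ends up in profile scope. The function names and the two sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Print file:line:text for each fragment line under DIR that includes a
# tunables file or assigns a variable (@{NAME}= or @{NAME}+=).
# Assumption: DIR is included from inside a profile block, as apache2.d is here.
scan_fragments() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    grep -rnE \
        -e '^[[:space:]]*#?include[[:space:]]+(if[[:space:]]+exists[[:space:]]+)?[<"]tunables/' \
        -e '^[[:space:]]*@\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*\+?=' \
        "$dir"
}

# Constructed sample: one fragment with the offending include, one without.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/apache2.d"
    cat > "$tmp/apache2.d/wordpress" <<'EOF'
#include <tunables/global>
^wordpress {
  #include <abstractions/base>
  @{PROC}/@{pid}/statm r,
}
EOF
    cat > "$tmp/apache2.d/clean" <<'EOF'
^clean {
  #include <abstractions/base>
  /srv/www/clean/** r,
}
EOF
    scan_fragments "$tmp/apache2.d"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# With a directory argument, scan it; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then scan_fragments "$1"; else demo; fi
```

A use of a variable such as `@{PROC}/@{pid}/statm r,` is not flagged; only definitions and tunables includes are.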




