[apparmor] Syntax Error: Unknown line found in file /etc/apparmor.d/usr.lib.snapd.snap-confine.real.

daniel curtis sidetripping at gmail.com
Wed Nov 22 19:32:39 UTC 2017


Hello

Today, I've noticed a strange issue with the apparmor_parser(8) utility. I've
manually created two files, let's say 'usr.bin.1' and 'usr.lib.2', and
pasted the required AppArmor rules. Next, I wanted to put the 'usr.bin.1' profile
into "complain" mode via aa-complain(8), but there is an error related to
the '/etc/apparmor.d/usr.lib.snapd.snap-confine.real' file and line 15.

✗ ERROR: Syntax Error: Unknown line found in file
/etc/apparmor.d/usr.lib.snapd.snap-confine.real line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

Here is an excerpt of the mentioned file (I've only pasted what is related
and is shown in the error message, i.e. line 15, the "include", etc.)

_____________

/usr/lib/snapd/snap-confine (attach_disconnected) {

# Include any additional files that snapd chose to generate.
# - for $HOME on NFS
# - for $HOME on encrypted media
#
# Those are discussed on (...)
include "/var/lib/snapd/apparmor/snap-confine.d"

# We run privileged, so be fanatical about (...)
/etc/ld.so.cache r,
(...)
_____________

Here's what the beginning of the "usr.lib.snapd.snap-confine.real" profile
looks like. The strange thing is that I cannot change the enforcement mode
for any profile! For example Firefox:

[~]$ sudo aa-complain /etc/apparmor.d/usr.bin.firefox

✗ ERROR: Syntax Error: Unknown line found in file
/etc/apparmor.d/usr.lib.snapd.snap-confine.real line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

The aa-enforce(8) command produces the same error as above. As we can see, the
error is the same. So it seems that I'm unable to work with AppArmor
profiles! According to the APT log messages, snapd was updated on
2017-11-16 (2.28.5, 2.29.3).

What do you think about this one? What can I do in such a situation? Should I
edit the "/etc/apparmor.d/usr.lib.snapd.snap-confine.real" file and remove, or
use "#" to comment out, the line include "/var/lib/snapd/apparmor/snap-confine.d"? There
is nothing in the log files. NOTE: apparmor_parser(8) used with the '-r' option
works OK.

Summarizing: both the aa-enforce(8) and aa-complain(8) utilities do not work
because of this error, and I'm unable to manage profiles, etc. (For now, I
cannot create profiles, put them in enforcement mode, and so on.)

By the way, I have no idea when it started to happen. I noticed it
today, while creating a profile. Is this a bug? I did not remove or add
anything to the "/etc/apparmor.d/usr.lib.snapd.snap-confine.real" profile.

snapd ver.: 2.29.3
Release: 16.04.3 LTS

Thanks, best regards.