[apparmor] [16.04 LTS]: missing /proc/$pid/{auxv, status} files (glibc's *printf protections) in base abstractions?
daniel curtis
sidetripping at gmail.com
Tue Apr 17 19:00:17 UTC 2018
Hello Mr Johansen.
Thank you very much for the answer. Unfortunately, it seems that the
mentioned rule cannot be added, by hand, to the 'abstractions/base'
file, because there are some problems with the apparmor_parser(8) command.
I mean the '/proc/$pid/{auxv, status}' rule etc. At first, I did not
notice anything, but after some time, I had to do some work related to
AppArmor. So, I decided to check the AppArmor status, and the result confused
me, because there was something very strange. It looked this way:
[~] sudo aa-status / apparmor_status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
/usr/bin/ubuntu-core-launcher
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/snapd/snap-confine//snap_update_ns
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
6 profiles are in enforce mode? It's impossible, because I have many,
many more profiles. So, I started to check the AppArmor service status via
the systemctl(1) command and so on. And there were various messages about
processing regexes, the unit entering the failed state, etc. For example:
✗ apparmor[837]: bad regular expression ERROR processing regexs for
profile /usr/sbin/userdel. Failed to load.
✗ apparmor[837]: /sbin/apparmor_parser: Regex grouping error: Invalid
number of items between {}
✗ apparmor[837]: /sbin/apparmor_parser: Regex grouping error: Invalid item };
✗ apparmor[837]: /sbin/apparmor_parser: Unable to parse input line
"/proc/{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1--4][0-9][0-9][0-9][0-9][0-9][0-9]}/maps,auxv,status}"
failed [1]
✗ apparmor[837]: bad regular expression ERROR processing regexs for
profile notify-reboot-required. Failed to load.
✗ apparmor[837]: ...fail!
✗ systemd[1]: apparmor.service: Control process exited, code=exited status=123
✗ systemd[1]: Failed to start LSB: AppArmor initialization.
✗ systemd[1]: apparmor.service: Unit entered failed state.
✗ systemd[1]: apparmor.service: Failed with result 'exit-code'.
However, after removing the '{auxv,status}' files from the "glibc's
*printf protections read the maps file" rule, and a system restart,
everything started to work again. As always. The AppArmor status shows all
loaded profiles, and the 'systemctl status' command result was okay also,
etc.
So, it looks like adding the mentioned rule, by hand, to the
'abstractions/base' file is causing such issues. Which is pretty
strange, because I have already added a few additional and needed rules -
for example - to the 'abstractions/nvidia' file etc. By the way, the
'/var/log/syslog' file contains many entries such as (these are only a
few examples):
✗ apparmor[7595]: apparmor[837]: bad regular expression ERROR
processing regexs for profile /usr/bin/pidgin. Failed to load.
And many, many more. I will try to do some tests, and I will check a
few more options to add this rule. Maybe something will work? Anyway,
there are a couple of similar issues, for example, on Launchpad. What
do you think about this? Maybe it should be done (I mean adding the
'{auxv,status}' files to the 'abstractions/base' file) via an AppArmor
update?
I apologize, but I was in a hurry to write this message.
Thanks, best regards.
___________________
[1] Maybe there should be something like: "row analysis
"/proc/{[1-9],[1-9]...}/maps,auxv,status}" failed."
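As an added example (not code from this message, from Mr Johansen's reply, or from the AppArmor project), here is a small Python checker for the class of mistake the parser messages above describe: a `{a,b,c}` alternation in a path rule whose opening or closing brace is missing. It reports unbalanced braces per line of a profile or abstraction fragment and expands balanced groups into the concrete patterns the parser would build its regex from, so the effect of an edit to a shared abstraction can be inspected before the service is restarted. The `FIXED_RULE` form (an opening brace before `maps`) is this example's inference from the "Invalid item }" message, not something the post states; the `[1--4]` class is copied verbatim from the quoted parser output, and the sample abstraction fragment is constructed.

```python
"""Brace checker and alternation expander for AppArmor path rules.

Added example; not code from the mailing-list post or from the AppArmor
project. It reproduces the class of mistake apparmor_parser reported in
the post: a '{a,b,c}' alternation whose opening or closing brace is
missing, which makes the parser reject the profile. Because the base
abstraction is included by most profiles, one bad line there leaves
nearly every profile unloaded, as the aa-status output in the post shows.
"""
from typing import List, Optional, Tuple

# Constructed inputs. BROKEN_RULE is the path apparmor_parser quoted in the
# post, with '@{pid}' already expanded; the '[1--4]' class is copied from
# that output as-is. FIXED_RULE is this example's assumption about the
# intended rule (an opening brace before 'maps'); the post does not say so.
BROKEN_RULE = "/proc/{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1--4][0-9][0-9][0-9][0-9][0-9][0-9]}/maps,auxv,status}"
FIXED_RULE = "/proc/{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1--4][0-9][0-9][0-9][0-9][0-9][0-9]}/{maps,auxv,status}"


def find_brace_error(path: str) -> Optional[str]:
    """Return a description of the first unbalanced brace in path, or None.

    Characters inside a '[...]' class are skipped so a literal brace there
    is not counted. A '}' with no open group and an unclosed '{' are the
    two cases behind the "Invalid item }" and "Invalid number of items
    between {}" messages in the post.
    """
    depth = 0
    in_class = False
    for col, ch in enumerate(path):
        if in_class:
            in_class = ch != "]"
            continue
        if ch == "[":
            in_class = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:
                return f"column {col}: '}}' without matching '{{'"
            depth -= 1
    if in_class:
        return "unterminated '[' character class"
    if depth:
        return f"{depth} unclosed '{{'"
    return None


def expand_alternations(path: str) -> List[str]:
    """Expand every balanced '{a,b}' group (nesting allowed) into the list
    of concrete patterns, the way the parser does before building its regex.
    Raises ValueError on unbalanced braces."""
    err = find_brace_error(path)
    if err:
        raise ValueError(err)
    expanded, _ = _expand_from(path, 0, in_group=False)
    return expanded


def _expand_from(path: str, i: int, in_group: bool) -> Tuple[List[str], int]:
    """Expand path[i:] up to the end (top level) or the matching '}' (inside
    a group). Commas separate alternatives only inside a group."""
    alternatives: List[List[str]] = []
    cur: List[str] = [""]
    while i < len(path):
        ch = path[i]
        if ch == "[":                      # keep a character class literally
            j = path.index("]", i) + 1
            cur = [s + path[i:j] for s in cur]
            i = j
        elif ch == "{":                    # nested group: cross product
            inner, i = _expand_from(path, i + 1, in_group=True)
            cur = [s + x for s in cur for x in inner]
        elif ch == "}" and in_group:
            alternatives.append(cur)
            return [s for alt in alternatives for s in alt], i + 1
        elif ch == "," and in_group:
            alternatives.append(cur)
            cur = [""]
            i += 1
        else:
            cur = [s + ch for s in cur]
            i += 1
    return cur, i


def lint_profile(text: str) -> List[Tuple[int, str, str]]:
    """Check every path token in a profile/abstraction fragment and return
    (line number, token, error) for each unbalanced one."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop comments and #include lines
        for token in code.split():
            if token.startswith(("/", "@{")):
                err = find_brace_error(token.rstrip(","))
                if err:
                    problems.append((lineno, token, err))
    return problems


# Constructed fragment in the style of abstractions/base, containing the
# assumed hand-edited rule with the brace missing before 'maps'.
SAMPLE_ABSTRACTION = """\
# glibc's *printf protections read the maps file (constructed sample)
@{PROC}/@{pid}/maps,auxv,status} r,
@{PROC}/sys/kernel/version r,
/dev/null rw,
"""

if __name__ == "__main__":
    for lineno, token, err in lint_profile(SAMPLE_ABSTRACTION):
        print(f"line {lineno}: {token}: {err}")
    for rule in expand_alternations(FIXED_RULE):
        print(rule)
```

This only checks brace structure, not the full profile grammar; the authoritative check is still running the real parser in its no-load mode (see apparmor_parser(8)) against the edited file before restarting the service, which would have caught this before most of the machine's profiles silently dropped out of enforce mode.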