[apparmor] AA-logprof error
Jacek
wampir990 at gmail.com
Mon Oct 28 03:54:31 UTC 2019
AA-logprof is not compatible with the apparmor-kernel API, which causes
errors with some log messages.
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 04:46:06 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a
directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from
'/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in
do_logprof_pass(logmark='', passno=0, log_pid={1268: [[1268, 'firefox',
'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 2716:
[[2716, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/dev/video0', ''], [2716, 'firefox-bin', 'firefox-bin', 'HINT',
'REJECTING', {'::r', 'r'}, '/dev/video1', '']], 2719: [[2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', '']], 3013:
[[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'},
'/Bazy/tempfilm/', '']], 5152: [[5152, 'firefox-bin', 'firefox-bin',
'HINT', 'REJECTING', 'send', 'int', 'firefox-bin'], [5152,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'receive', 'int',
'firefox-bin']], 5180: [[5180, 'firefox-bin', 'firefox-bin', 'HINT',
'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5254: [[5254,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/etc/ld.so.conf.d/', ''], [5254, 'firefox-bin', 'firefox-bin', 'HINT',
'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', '']], 5257: [[5257,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5343: [[5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'},
'/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5576: [[5576,
'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'},
'/proc/5576/setgroups', ''], [5576, 'firefox-bin', 'firefox-bin',
'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/gid_map', '']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer,
log_event=True)
2017 if not is_known_rule(aa[profile][hat],
'ptrace', ptrace_event):
2018
log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at
0x7f1017177ae8>,...rage.ProfileStorage object at 0x7f1015ccd978>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in
is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>,
rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function
to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in
is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,,
check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True,
check_audit=False):
415 '''return True if rule is covered by existing rules,
otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace
read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in
is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,,
other_rule=<PtraceRule> ptrace read peer=chrome,,
check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check
rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is
covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method
PtraceRule.is_covered_localvars of...aceRule> ptrace read
peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in
is_covered_localvars(self=<PtraceRule> ptrace read
peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read
peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access,
other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer,
self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method
BaseRule._is_covered_aare_compat o...aceRule> ptrace read
peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in
_is_covered_aare_compat(self=<PtraceRule> ptrace read
peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'),
self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex,
which is not really correct, but avoids overly strict results when
matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all,
other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value,
other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of
<PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in
_is_covered_aare(self=<PtraceRule> ptrace read
peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'),
self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other
%(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of
AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in
match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe
than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown
object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled =
re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in
compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$',
flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern
object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in
_compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$',
flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled
pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled
pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from
'/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in
compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$',
flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from
'/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in
parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$',
flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer
object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced
parenthesis', 'pattern':
'^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he
column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced
parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827,
in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017,
in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000,
in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py",
line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py",
line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py",
line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers,
other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py",
line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value,
other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py",
line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75,
in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
Cheers
-------------- next part --------------
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 04:46:02 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from '/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={1268: [[1268, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 2716: [[2716, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/dev/video0', ''], [2716, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/dev/video1', '']], 2719: [[2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', '']], 3013: [[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 5152: [[5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'send', 'int', 'firefox-bin'], [5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'receive', 'int', 'firefox-bin']], 5180: [[5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5254: [[5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', ''], [5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', '']], 5257: [[5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5343: [[5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5576: [[5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/setgroups', ''], [5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/gid_map', '']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer, log_event=True)
2017 if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
2018 log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7f770ebbbae8>,...rage.ProfileStorage object at 0x7f770d7119b0>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True, check_audit=False):
415 '''return True if rule is covered by existing rules, otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...aceRule> ptrace read peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...aceRule> ptrace read peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled = re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in _compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from '/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827, in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017, in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000, in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75, in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
-------------- next part --------------
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 02:43:53 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from '/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={3013: [[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 5152: [[5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'send', 'int', 'firefox-bin'], [5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'receive', 'int', 'firefox-bin']], 5180: [[5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5254: [[5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', '']], 5257: [[5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5343: [[5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5576: [[5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/setgroups', ''], [5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/gid_map', '']], 5597: [[5597, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5597/setgroups', ''], [5597, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5597/gid_map', '']], 5619: [[5619, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5619/setgroups', ''], [5619, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5619/gid_map', '']], 5656: [[5656, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5656/setgroups', ''], [5656, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5656/gid_map', '']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer, log_event=True)
2017 if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
2018 log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7fc10fb77ae8>,...rage.ProfileStorage object at 0x7fc10e6cb5f8>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True, check_audit=False):
415 '''return True if rule is covered by existing rules, otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...aceRule> ptrace read peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...aceRule> ptrace read peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled = re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in _compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from '/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827, in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017, in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000, in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75, in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
-------------- next part --------------
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 02:41:44 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from '/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={3013: [[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 5152: [[5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'send', 'int', 'firefox-bin'], [5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'receive', 'int', 'firefox-bin']], 5180: [[5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5254: [[5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', '']], 5257: [[5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5343: [[5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5576: [[5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/setgroups', ''], [5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/gid_map', '']], 5597: [[5597, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5597/setgroups', ''], [5597, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5597/gid_map', '']], 5619: [[5619, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5619/setgroups', ''], [5619, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5619/gid_map', '']], 5656: [[5656, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5656/setgroups', ''], [5656, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5656/gid_map', '']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer, log_event=True)
2017 if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
2018 log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7f3e366eaae8>,...rage.ProfileStorage object at 0x7f3e35242b38>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True, check_audit=False):
415 '''return True if rule is covered by existing rules, otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...aceRule> ptrace read peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...aceRule> ptrace read peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled = re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in _compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from '/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827, in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017, in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000, in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75, in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
-------------- next part --------------
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 02:04:28 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from '/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={3013: [[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 11789: [[11789, 'Xwayland', 'Xwayland', 'HINT', 'REJECTING', 'read', 'chrome'], [11789, 'Xwayland', 'Xwayland', 'HINT', 'REJECTING', 'read', 'chrome'], [11789, 'Xwayland', 'Xwayland', 'HINT', 'REJECTING', 'read', 'chrome'], [11789, 'Xwayland', 'Xwayland', 'HINT', 'REJECTING', 'read', 'chrome'], [11789, 'Xwayland', 'Xwayland', 'HINT', 'REJECTING', 'read', 'chrome']], 15894: [[15894, 'chrome', 'chrome', 'HINT', 'REJECTING', {'::r', 'r'}, '/proc/sys/fs/inotify/max_user_watches', ''], [15894, 'chrome', 'chrome', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/15894/clear_refs', '']], 19272: [[19272, 'chrome', 'chrome', 'HINT', 'REJECTING', {'::m', 'm'}, '/opt/google/chrome/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so', '']], 20824: [[20824, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], 21116: [[21116, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], 21121: [[21121, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], 21237: [[21237, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], 21245: [[21245, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], 21249: [[21249, 'chrome-sandbox', 'chrome-sandbox', 'HINT', 'REJECTING', 'read', 'chrome']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer, log_event=True)
2017 if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
2018 log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7fc5749dbae8>,...rage.ProfileStorage object at 0x7fc5735339b0>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True, check_audit=False):
415 '''return True if rule is covered by existing rules, otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...aceRule> ptrace read peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...aceRule> ptrace read peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled = re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in _compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from '/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827, in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017, in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000, in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75, in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
-------------- next part --------------
error
Python 3.6.9: /usr/bin/python3.6
Mon Oct 28 04:46:06 2019
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
/usr/lib/python-exec/python3.6/aa-logprof in <module>()
48
49 if profiledir:
50 apparmor.profile_dir = apparmor.get_full_path(profiledir)
51 if not os.path.isdir(apparmor.profile_dir):
52 raise apparmor.AppArmorException("%s is not a directory."%profiledir)
53
54 apparmor.loadincludes()
55
56 apparmor.do_logprof_pass(logmark)
57
apparmor = <module 'apparmor.aa' from '/usr/lib64/python3.6/site-packages/apparmor/aa.py'>
apparmor.do_logprof_pass = <function do_logprof_pass>
logmark = ''
/usr/lib64/python3.6/site-packages/apparmor/aa.py in do_logprof_pass(logmark='', passno=0, log_pid={1268: [[1268, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 2716: [[2716, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/dev/video0', ''], [2716, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/dev/video1', '']], 2719: [[2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', ''], [2719, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/subsystem_device', '']], 3013: [[3013, 'firefox', 'firefox', 'HINT', 'REJECTING', {'r'}, '/Bazy/tempfilm/', '']], 5152: [[5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'send', 'int', 'firefox-bin'], [5152, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', 'receive', 'int', 'firefox-bin']], 5180: [[5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5180, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5254: [[5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', ''], [5254, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/etc/ld.so.conf.d/', '']], 5257: [[5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5257, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5343: [[5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', ''], [5343, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'::r', 'r'}, '/sys/devices/pci0000:00/0000:00:02.0/vendor', '']], 5576: [[5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/setgroups', ''], [5576, 'firefox-bin', 'firefox-bin', 'HINT', 'REJECTING', {'a', 'w'}, '/proc/5576/gid_map', '']], ...})
1822 #log[root] = handle_children('', '', log[root])
1823 #print(log)
1824 for pid in sorted(profile_changes.keys()):
1825 set_process(pid, profile_changes[pid])
1826
1827 log_dict = collapse_log()
1828
1829 ask_the_questions(log_dict)
1830
1831 finishing = False
log_dict undefined
global collapse_log = <function collapse_log>
/usr/lib64/python3.6/site-packages/apparmor/aa.py in collapse_log()
2012
2013 ptrace = prelog[aamode][profile][hat]['ptrace']
2014 for peer in ptrace.keys():
2015 for access in ptrace[peer].keys():
2016 ptrace_event = PtraceRule(access, peer, log_event=True)
2017 if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
2018 log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
2019
2020 sig = prelog[aamode][profile][hat]['signal']
2021 for peer in sig.keys():
global is_known_rule = <function is_known_rule>
global aa = defaultdict(<function hasher at 0x7f1017177ae8>,...rage.ProfileStorage object at 0x7f1015ccd978>})})
profile = 'chrome-sandbox'
hat = 'chrome-sandbox'
ptrace_event = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/aa.py in is_known_rule(profile=<apparmor.profile_storage.ProfileStorage object>, rule_type='ptrace', rule_obj=<PtraceRule> ptrace read peer=chrome,)
2995 original_aa[profile] = deepcopy(aa[profile])
2996
2997 def is_known_rule(profile, rule_type, rule_obj):
2998 # XXX get rid of get() checks after we have a proper function to initialize a profile
2999 if profile.get(rule_type, False):
3000 if profile[rule_type].is_covered(rule_obj, False):
3001 return True
3002
3003 includelist = list(profile['include'].keys())
3004 checked = []
profile = <apparmor.profile_storage.ProfileStorage object>
rule_type = 'ptrace'
].is_covered undefined
rule_obj = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRuleset>
ptrace read peer=/opt/google/\*/chrome,
</PtraceRuleset>, rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
413
414 def is_covered(self, rule, check_allow_deny=True, check_audit=False):
415 '''return True if rule is covered by existing rules, otherwise False'''
416
417 for r in self.rules:
418 if r.is_covered(rule, check_allow_deny, check_audit):
419 return True
420
421 return False
422
r = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
r.is_covered = <bound method BaseRule.is_covered of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
rule = <PtraceRule> ptrace read peer=chrome,
check_allow_deny = False
check_audit = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in is_covered(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,, check_allow_deny=False, check_audit=False)
153
154 if other_rule.audit and not self.audit:
155 return False
156
157 # still here? -> then the common part is covered, check rule-specific things now
158 return self.is_covered_localvars(other_rule)
159
160 # @abstractmethod FIXME - uncomment when python3 only
161 def is_covered_localvars(self, other_rule):
162 '''check if the rule-specific parts of other_rule is covered by this rule object'''
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self.is_covered_localvars = <bound method PtraceRule.is_covered_localvars of...aceRule> ptrace read peer=/opt/google/\*/chrome,>
other_rule = <PtraceRule> ptrace read peer=chrome,
/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py in is_covered_localvars(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, other_rule=<PtraceRule> ptrace read peer=chrome,)
136 '''check if other_rule is covered by this rule object'''
137
138 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
139 return False
140
141 if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
142 return False
143
144 # still here? -> then it is covered
145 return True
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare_compat = <bound method BaseRule._is_covered_aare_compat o...aceRule> ptrace read peer=/opt/google/\*/chrome,>
self.peer = AARE('/opt/google/\*/chrome')
self.all_peers = False
other_rule = <PtraceRule> ptrace read peer=chrome,
other_rule.peer = AARE('chrome')
other_rule.all_peers = False
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare_compat(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
197 Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
198 '''
199 if type(other_value) == AARE:
200 other_value = other_value.regex
201
202 return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
203
204 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
205 '''check if other_* is covered by self_* - for AARE'''
206
self = <PtraceRule> ptrace read peer=/opt/google/\*/chrome,
self._is_covered_aare = <bound method BaseRule._is_covered_aare of <PtraceRule> ptrace read peer=/opt/google/\*/chrome,>
self_value = AARE('/opt/google/\*/chrome')
self_all = False
other_value = 'chrome'
other_all = False
cond_name = 'peer'
/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in _is_covered_aare(self=<PtraceRule> ptrace read peer=/opt/google/\*/chrome,, self_value=AARE('/opt/google/\*/chrome'), self_all=False, other_value='chrome', other_all=False, cond_name='peer')
208 raise AppArmorBug('No %(cond_name)s specified in other %(rule_name)s rule' % {'cond_name': cond_name, 'rule_name': self.rule_name})
209
210 if not self_all:
211 if other_all:
212 return False
213 if not self_value.match(other_value):
214 return False
215
216 # still here? -> then it is covered
217 return True
self_value = AARE('/opt/google/\*/chrome')
self_value.match = <bound method AARE.match of AARE('/opt/google/\*/chrome')>
other_value = 'chrome'
/usr/lib64/python3.6/site-packages/apparmor/aare.py in match(self=AARE('/opt/google/\*/chrome'), expression='chrome')
70 return self.is_equal(expression) # better safe than sorry
71 elif not type_is_str(expression):
72 raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))
73
74 if self._regex_compiled is None:
75 self._regex_compiled = re.compile(convert_regexp(self.regex))
76
77 return bool(self._regex_compiled.match(expression))
78
79 def is_equal(self, expression):
self = AARE('/opt/google/\*/chrome')
self._regex_compiled = None
global re = <module 're' from '/usr/lib64/python3.6/re.py'>
re.compile = <function compile>
global convert_regexp = <function convert_regexp>
self.regex = r'/opt/google/\*/chrome'
/usr/lib64/python3.6/re.py in compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
228 Empty matches are included in the result."""
229 return _compile(pattern, flags).finditer(string)
230
231 def compile(pattern, flags=0):
232 "Compile a regular expression pattern, returning a pattern object."
233 return _compile(pattern, flags)
234
235 def purge():
236 "Clear the regular expression caches"
237 _cache.clear()
global _compile = <function _compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/re.py in _compile(pattern='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
296 raise ValueError(
297 "cannot process flags argument with a compiled pattern")
298 return pattern
299 if not sre_compile.isstring(pattern):
300 raise TypeError("first argument must be string or compiled pattern")
301 p = sre_compile.compile(pattern, flags)
302 if not (flags & DEBUG):
303 if len(_cache) >= _MAXCACHE:
304 _cache.clear()
305 if p.flags & LOCALE:
p undefined
global sre_compile = <module 'sre_compile' from '/usr/lib64/python3.6/sre_compile.py'>
sre_compile.compile = <function compile>
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
flags = 0
/usr/lib64/python3.6/sre_compile.py in compile(p='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0)
557 def compile(p, flags=0):
558 # internal: convert pattern list to internal format
559
560 if isstring(p):
561 pattern = p
562 p = sre_parse.parse(p, flags)
563 else:
564 pattern = None
565
566 code = _code(p, flags)
p = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
global sre_parse = <module 'sre_parse' from '/usr/lib64/python3.6/sre_parse.py'>
sre_parse.parse = <function parse>
flags = 0
/usr/lib64/python3.6/sre_parse.py in parse(str='^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', flags=0, pattern=<sre_parse.Pattern object>)
864
865 p.pattern.flags = fix_flags(str, p.pattern.flags)
866
867 if source.next is not None:
868 assert source.next == ")"
869 raise source.error("unbalanced parenthesis")
870
871 if flags & SRE_FLAG_DEBUG:
872 p.dump()
873
source = <sre_parse.Tokenizer object>
source.error = <bound method Tokenizer.error of <sre_parse.Tokenizer object>>
error: unbalanced parenthesis at position 44
__cause__ = None
__class__ = <class 'sre_constants.error'>
__context__ = None
__delattr__ = <method-wrapper '__delattr__' of error object>
__dict__ = {'colno': 45, 'lineno': 1, 'msg': 'unbalanced parenthesis', 'pattern': '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$', 'pos': 44}
__dir__ = <built-in method __dir__ of error object>
__doc__ = 'Exception raised for invalid regular expressions...he column corresponding to pos (may be None)\n '
__eq__ = <method-wrapper '__eq__' of error object>
__format__ = <built-in method __format__ of error object>
__ge__ = <method-wrapper '__ge__' of error object>
__getattribute__ = <method-wrapper '__getattribute__' of error object>
__gt__ = <method-wrapper '__gt__' of error object>
__hash__ = <method-wrapper '__hash__' of error object>
__init__ = <bound method error.__init__ of error('unbalanced parenthesis at position 44',)>
__init_subclass__ = <built-in method __init_subclass__ of type object>
__le__ = <method-wrapper '__le__' of error object>
__lt__ = <method-wrapper '__lt__' of error object>
__module__ = 'sre_constants'
__ne__ = <method-wrapper '__ne__' of error object>
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of error object>
__reduce_ex__ = <built-in method __reduce_ex__ of error object>
__repr__ = <method-wrapper '__repr__' of error object>
__setattr__ = <method-wrapper '__setattr__' of error object>
__setstate__ = <built-in method __setstate__ of error object>
__sizeof__ = <built-in method __sizeof__ of error object>
__str__ = <method-wrapper '__str__' of error object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__suppress_context__ = False
__traceback__ = <traceback object>
__weakref__ = None
args = ('unbalanced parenthesis at position 44',)
colno = 45
lineno = 1
msg = 'unbalanced parenthesis'
pattern = '^/opt/google/\\(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))/chrome$'
pos = 44
with_traceback = <built-in method with_traceback of error object>
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.6/aa-logprof", line 56, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 1827, in do_logprof_pass
log_dict = collapse_log()
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 2017, in collapse_log
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
File "/usr/lib64/python3.6/site-packages/apparmor/aa.py", line 3000, in is_known_rule
if profile[rule_type].is_covered(rule_obj, False):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 418, in is_covered
if r.is_covered(rule, check_allow_deny, check_audit):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 158, in is_covered
return self.is_covered_localvars(other_rule)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/ptrace.py", line 141, in is_covered_localvars
if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 202, in _is_covered_aare_compat
return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
File "/usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py", line 213, in _is_covered_aare
if not self_value.match(other_value):
File "/usr/lib64/python3.6/site-packages/apparmor/aare.py", line 75, in match
self._regex_compiled = re.compile(convert_regexp(self.regex))
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 869, in parse
raise source.error("unbalanced parenthesis")
sre_constants.error: unbalanced parenthesis at position 44
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20191028/dc7f42a5/attachment-0001.sig>
More information about the AppArmor
mailing list