FTBFS on lucid

Bug #474751 reported by Jamie Strandboge
Affects            Status        Importance  Assigned to       Milestone
AppArmor           Fix Released  Critical    Jamie Strandboge
apparmor (Ubuntu)  Fix Released  Critical    Jamie Strandboge

Bug Description

Binary package hint: apparmor

Several of the basic network tests fail on lucid:
simple_tests/network/network_ok_2.sd
simple_tests/network/network_ok_3.sd
simple_tests/network/network_ok_4.sd

E.g.:
$ debuild -us -uc
... it fails ...
$ cd parser/tst
$ ../apparmor_parser -S -I `pwd`/simple_tests < ./simple_tests/network/network_ok_2.sd > /dev/null
../apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, line 7: Invalid network entry.
[1]

Looking at network_ok_2.sd, I then tried commenting out the different 'network' rules, and found that only inet and inet6 would work. I then noticed that in 9.10, /usr/include/linux/socket.h included the needed defines. These are missing in Lucid.

Changed in apparmor:
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
Changed in apparmor:
importance: Undecided → Critical
Jamie Strandboge (jdstrand) wrote :

Looking in parser/Makefile, we have:
af_names.h: /usr/include/linux/socket.h
        LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
        # define local AF_MAX which may differ from that of bits/socket.h
        LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+\\(AF_MAX\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#define AA_\\1 \\2\n/p" $< >> $@
        cat $@

af_names.h is included in parser_misc. This fails on the new /usr/include/linux/socket.h and also doesn't work with /usr/include/bits/socket.h

description: updated
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Triaged
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
Changed in apparmor:
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Ok, bits/socket.h has what we need. Attached is a diff that uses this file instead. We need to use PF_* instead of AF_* due to the format of the file, but we write out AF_*. The Makefile with this diff will generate the same output as the old Makefile in Karmic.
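
The af_names.h generation that the Makefile rule above performs with sed, and the switch from linux/socket.h (AF_* defines) to bits/socket.h (PF_* defines, written out as AF_*) that this comment describes, re-implemented in Python as an added illustration (not code from the apparmor tree). The two header excerpts are constructed samples, and the __FILTER variable the Makefile uses is not shown on this page, so it is assumed here to exclude only AF_MAX/PF_MAX, which the second sed command turns into AA_AF_MAX.

```python
import re

# Constructed sample in the old /usr/include/linux/socket.h style (Karmic):
# numeric "#define AF_xxx N" lines, including AF_MAX.
LINUX_SOCKET_H = """\
#define AF_UNSPEC\t0
#define AF_UNIX\t\t1\t/* Unix domain sockets */
#define AF_INET\t\t2\t/* Internet IP Protocol */
#define AF_INET6\t10\t/* IP version 6 */
#define AF_MAX\t\t34\t/* For now.. */
"""

# Constructed sample in the glibc bits/socket.h style (Lucid): numeric PF_xxx
# defines, followed by AF_xxx aliases that are NOT numeric and must be skipped.
BITS_SOCKET_H = """\
#define PF_UNSPEC\t0\t/* Unspecified.  */
#define PF_UNIX\t\t1\t/* Local to host (pipes and file-domain).  */
#define PF_INET\t\t2\t/* IP protocol family.  */
#define PF_INET6\t10\t/* IP version 6.  */
#define PF_MAX\t\t34\t/* For now..  */
#define AF_UNSPEC\tPF_UNSPEC
#define AF_INET\t\tPF_INET
"""

# Same shape as the Makefile's sed pattern: prefix, name, then a numeric value.
DEFINE_RE = re.compile(r'^#define[ \t]+(AF|PF)_([A-Z0-9_]+)[ \t]+([0-9]+)')


def gen_af_names(header_text, prefix="AF", filtered=("MAX",)):
    """Emit the af_names.h body: a guarded AF_NAME define plus an
    AA_GEN_NET_ENT entry per family, and AA_AF_MAX from the MAX define.
    'prefix' selects AF_ (linux/socket.h) or PF_ (bits/socket.h) input;
    the output is always written as AF_*, as the fixed Makefile does."""
    out, af_max = [], None
    for line in header_text.splitlines():
        m = DEFINE_RE.match(line)
        if not m or m.group(1) != prefix:
            continue  # other prefix, or an alias such as "AF_INET PF_INET"
        name, value = m.group(2), m.group(3)
        if name in filtered:          # assumed __FILTER behaviour: drop MAX
            if name == "MAX":
                af_max = value        # second sed command: local AA_AF_MAX
            continue
        out.append("#ifndef AF_%s" % name)
        out.append("# define AF_%s %s" % (name, value))
        out.append("#endif")
        out.append('AA_GEN_NET_ENT("%s", AF_%s)' % (name.lower(), name))
    if af_max is not None:
        out.append("#define AA_AF_MAX %s" % af_max)
    return "\n".join(out) + "\n"
```

Generating from the PF_ sample with prefix="PF" yields the same text as generating from the AF_ sample, which is the equivalence the comment claims for the patched Makefile.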

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu29

---------------
apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low

  * parser/Makefile: generate af_names.h based on bits/socket.h since
    linux/socket.h no longer has what we need (LP: #474751)
  * usr.sbin.dnsmasq: fully address LP: #445818
    - more pidfile refinements
    - allow access to /var/run/dnsmasq
    - allow access to /etc/dnsmasq.d
    - allow dac_override so it can write its pidfile

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 17:07:23 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in apparmor:
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote : Re: [Bug 474751] Re: FTBFS on lucid

On Wed, Nov 04, 2009 at 09:48:42PM -0000, Jamie Strandboge wrote:
> af_names.h is included in parser_misc. This fails on the new
> /usr/include/linux/socket.h and also doesn't work with
> /usr/include/bits/socket.h

/usr/include/bits/socket.h is provided by glibc, not the kernel and
sometimes lags the kernel in terms of what AF/PF names are defined.
I see that in 2.6.32 that the kernel header install scripts
(scripts/headers_install.pl) filters out #if KERNEL defines. Probably
the more correct fix is to depend on the linux-headers package and use
linux/socket.h from there.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Jamie Strandboge (jdstrand) wrote :

In Lucid, linux-headers is a virtual package that doesn't seem to have a concrete package associated with it (see http://people.canonical.com/~cjwatson/ubuntu-policy/policy.html/ch-relationships.html#s-virtual), which means the linux-headers package is uninstallable on its own. We would then need to do a versioned depends on a particular kernel version (all the more necessary because the socket.h file is located in /usr/src/linux-headers-<kernel version>/include/linux/socket.h, and /usr/include/linux/socket.h is not touched). This has caused problems in the past iirc.

AIUI, the idea behind doing the dynamic generation of this file is to keep the maintenance of it to a minimum. If we Build-Depends on a versioned linux-headers package, we will add a lot of maintenance overhead since we'll need to update the apparmor package every time the kernel has an ABI bump, otherwise it will FTBFS. The other option is a static file, which could conceivably go out of date as easily as the glibc version, or worse stay out of date longer than the glibc version. Am I missing something?

Kees Cook (kees) wrote :

I think tracking glibc is fine -- i.e. why allow unconfinement of network
protocols that a userspace application doesn't even know how to use (since
it's missing from glibc).
