
Apparmor doing a doodie in the bed with python 3.7 (incompatibility)
Closed, Resolved; Public

Description

AppArmor tests, usysconf, and snaps are failing when rebuilding AppArmor against Python 3.7.

make check -C parser tests are failing (all tests fail with the same error):

======================================================================
FAIL: test_profile_newer_rewrites_cache (__main__.AAParserAltCacheTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/build/YPKG/root/apparmor/build/apparmor-2.13.3/parser/tst/testlib.py", line 50, in new_unittest_func
    return unittest_func(self)
  File "./caching.py", line 448, in test_profile_newer_rewrites_cache
    self._generate_cache_file()
  File "./caching.py", line 257, in _generate_cache_file
    self.run_cmd_check(cmd)
  File "/home/build/YPKG/root/apparmor/build/apparmor-2.13.3/parser/tst/testlib.py", line 73, in run_cmd_check
    self.assertEqual(rc, expected_rc, "Got return code %d, expected %d\nCommand run: %s\nOutput: %s" % (rc, expected_rc, (' '.join(command)), report))
AssertionError: 1 != 0 : Got return code 1, expected 0
Command run: ../apparmor_parser --config-file=./parser.conf --base /tmp/aa-caching-u0nkahl3 --skip-kernel-load -M ./features_files/features.all --cache-loc /tmp/aa-caching-u0nkahl3/cache --cache-loc /tmp/aa-caching-u0nkahl3/aa-alt-cachebwg43d16 -q --write-cache -r /tmp/aa-caching-u0nkahl3/sbin.pingy
Output: AppArmor parser error for /tmp/aa-caching-u0nkahl3/sbin.pingy in /tmp/aa-caching-u0nkahl3/suid-abstraction at line 3: Invalid capability setuid.

Forcing the package to build breaks snaps:

$ snap run spotify
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

usysconf is not happy either:

 [✗] Compiling and Reloading AppArmor profiles                           failed

A copy of the command output follows:

AppArmor parser error for /etc/apparmor.d/bin.ping in /etc/apparmor.d/abstractions/nis at line 14: Invalid capability net_bind_service.
failed to update AppArmor profile, reason: exit status 1

Making this task to get more eyes on the issue. My knowledge of apparmor and snaps is very thin.

Event Timeline

joebonrichie triaged this task as Unbreak Now! priority. (Feb 6 2020, 10:31 AM)
joebonrichie created this task.
joebonrichie moved this task from Backlog to Package Fixes on the Software board.
joebonrichie updated the task description.

As an FYI: updating swig did not fix this

I am looking into the possibility that this is kernel-related. It seems to be limited to capabilities, which has me suspicious.

Ok, so I'm getting closer to a fix. It looks like cap_names.h is auto-generated from linux/capabilities.h, and during our build cap_names.h is empty. I think I have a Makefile patch for this. Testing now.

Now I have a few failing network tests, but that's way better.
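
The thread traces the "Invalid capability" errors to a generated cap_names.h that came out empty. The following is an added example, not code from this task or from the AppArmor build: a build-time guard that derives a name table from a capability header and fails when the table is empty or lacks a required name. The function names, the table row format and the inline header are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the AppArmor Makefile: generate a capability name
# table from a header and refuse an empty or incomplete result.

# Constructed sample standing in for the kernel capability header.
sample_header() {
cat <<'EOF'
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
#define CAP_CHOWN            0
#define CAP_SETUID           7
#define CAP_NET_BIND_SERVICE 10
#define CAP_LAST_CAP         CAP_NET_BIND_SERVICE
#define CAP_TO_INDEX(x)     ((x) >> 5)
EOF
}

# Read a header on stdin; emit one {"name", CAP_NAME}, row for each
# CAP_* define with a plain numeric value (aliases and macros are skipped).
gen_cap_names() {
    LC_ALL=C awk '
        $1 == "#define" && $2 ~ /^CAP_[A-Z0-9_]+$/ && $3 ~ /^[0-9]+$/ {
            printf "{\"%s\", %s},\n", tolower(substr($2, 5)), $2
        }'
}

# Return non-zero if the table file is empty or lacks any required name.
check_cap_names() {
    table=$1; shift
    [ -s "$table" ] || { echo "cap table $table is empty" >&2; return 1; }
    for cap in "$@"; do
        grep -q "^{\"$cap\", " "$table" || {
            echo "cap table $table lacks $cap" >&2; return 1; }
    done
}

# Demo on the constructed header: prints three table rows.
sample_header | gen_cap_names
```

Running the check right after the generation step turns a silently empty table into a build failure instead of a parser that rejects every capability at runtime.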