FS#67558 - [firejail] AppArmor profile not parsing by default

Attached to Project: Community Packages
Opened by David Parrish (dmp1ce) - Wednesday, 12 August 2020, 03:36 GMT
Last edited by Sergej Pupykin (sergej) - Tuesday, 18 August 2020, 17:21 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description:

The Firejail AppArmor profile will not parse. I narrowed it down to the line `#include <local/firejail-default>` of `/etc/apparmor.d/firejail-default`.

Additional info:

- apparmor 2.13.4-6
- firejail 0.9.62.2-1

```
$ systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-08-11 22:52:42 EDT; 37min ago
Process: 7159 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 7159 (code=exited, status=1/FAILURE)

Aug 11 22:52:39 bar apparmor.systemd[7159]: Restarting AppArmor
Aug 11 22:52:39 bar apparmor.systemd[7159]: Reloading AppArmor profiles
Aug 11 22:52:39 bar apparmor.systemd[7212]: AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 155: Could not open 'local/firejail-default'
Aug 11 22:52:39 bar apparmor.systemd[7159]: Error: /etc/apparmor.d/firejail-default failed to load
Aug 11 22:52:42 bar systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Aug 11 22:52:42 bar systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 11 22:52:42 bar systemd[1]: Failed to start Load AppArmor profiles.
Warning: journal has been rotated since unit was started, output may be incomplete.
```

```
$ sudo apparmor_parser -r /etc/apparmor.d/firejail-default
AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 155: Could not open 'local/firejail-default'
```

I didn't see any upstream issues.

Steps to reproduce:

1. sudo pacman -S apparmor firejail
2. Notice the firejail profile will not parse with `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. Enable apparmor.service and notice the service will fail

Closed by Sergej Pupykin (sergej)
Tuesday, 18 August 2020, 17:21 GMT
Reason for closing: Upstream
Comment by (IrvineHimself) (IrvineHimself) - Wednesday, 12 August 2020, 04:25 GMT
I can confirm I have the same problem:

```
journalctl --boot=-1 | grep -i "apparmor.*error"
Aug 12 03:36:47 mine apparmor.systemd[302]: AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 155: Could not open 'local/firejail-default'
Aug 12 03:36:47 mine apparmor.systemd[227]: Error: /etc/apparmor.d/firejail-default failed to load
```

Re-installing firejail 0.9.62-1 fixes the problem.
Irvine
Comment by mark (qinohe) - Wednesday, 12 August 2020, 17:41 GMT
Same problem, @IrvineHimself: in my case reinstalling doesn't resolve it and this issue persists.
Comment by (IrvineHimself) (IrvineHimself) - Wednesday, 12 August 2020, 18:19 GMT
Sorry, bad phrasing: regressing to 0.9.62-1 from 0.9.62.2-1 is more accurate.

i.e. install the old firejail 0.9.62-1 from the package cache.

Irvine
Comment by mark (qinohe) - Wednesday, 12 August 2020, 18:47 GMT
Ah, yes, I didn't notice it, all clear now ;)

Thanks, mark
Comment by Adler Jonas Gross (Betal) - Wednesday, 12 August 2020, 20:50 GMT
This is an upstream issue. I opened a bug report: https://github.com/netblue30/firejail/issues/3585

For some reason the Makefile.in does not install the firejail-local file.
Also, this firejail-local is renamed to firejail-default in the man pages and in the #include from /etc/apparmor.d/firejail-default (line 155).
This will cause 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default' to fail:
1) there is no "local/" firejail-default; even in the source, it is named firejail-local.
2) the Makefile.in doesn't install any firejail profile in apparmor.d/local/.

We have some possible workarounds; the easiest is to create a blank '/etc/apparmor.d/local/firejail-default', given our package already wants this file:
sudo touch /etc/apparmor.d/local/firejail-default

To be able to create a package without manual intervention (like creating the blank /etc/apparmor.d/local/firejail-default), I made the apparmor.patch (which changes the #include filename and adds the 'missing' install line in Makefile.in) and the pkgbuild.patch (to include the apparmor.patch in the PKGBUILD).
Tested it with 'makechrootpkg -c -r $CHROOT -- --skippgpcheck'
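The failure mode described in this comment (a `#include <...>` whose target does not exist under the include directory, so the whole profile is refused) and the blank-file workaround, as an added example that is not part of the report or of the firejail project. It assumes the parser resolves `<...>` includes relative to the include directory (`/etc/apparmor.d` by default) and treats `include if exists` (newer parser syntax) as optional; the test profile below is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: resolve every <...> include of an
# AppArmor profile against the include directory the parser uses
# (/etc/apparmor.d by default) and report those that cannot be opened.
# A mandatory include that does not resolve is exactly what makes
# apparmor_parser abort with "Could not open 'local/firejail-default'".
# "include if exists" (syntax of newer parsers, assumed here) is optional.

# check_includes PROFILE INCLUDE_DIR -> prints findings, returns 1 if any
# mandatory include is missing, 0 otherwise.
check_includes() {
    profile=$1; incdir=$2; missing=0
    # Mandatory: "#include <x>" or "include <x>" (the "#" is part of the
    # directive here, not a comment marker). Include paths have no whitespace.
    mandatory=$(grep -E '^[[:space:]]*#?include[[:space:]]+<[^>]+>' "$profile" |
                sed -E 's/.*<([^>]+)>.*/\1/')
    optional=$(grep -E '^[[:space:]]*#?include[[:space:]]+if[[:space:]]+exists[[:space:]]+<[^>]+>' "$profile" |
               sed -E 's/.*<([^>]+)>.*/\1/')
    for t in $mandatory; do
        # -e: an include may name a single file or a whole directory
        if [ ! -e "$incdir/$t" ]; then
            printf 'MISSING: %s (parser would fail opening %s/%s)\n' "$t" "$incdir" "$t"
            missing=$((missing + 1))
        fi
    done
    for t in $optional; do
        [ -e "$incdir/$t" ] || printf 'optional include absent (ok): %s\n' "$t"
    done
    [ "$missing" -eq 0 ]
}

# create_local_override INCLUDE_DIR NAME -> the workaround from the thread:
# an empty local/NAME so the include resolves, without editing the profile.
create_local_override() {
    incdir=$1; name=$2
    mkdir -p "$incdir/local"
    [ -e "$incdir/local/$name" ] || : > "$incdir/local/$name"
}

# Usage on a real system (root needed for /etc/apparmor.d/local):
#   check_includes /etc/apparmor.d/firejail-default /etc/apparmor.d
#   create_local_override /etc/apparmor.d firejail-default
#   apparmor_parser -r /etc/apparmor.d/firejail-default
```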
Comment by mark (qinohe) - Wednesday, 12 August 2020, 21:59 GMT
@Adler Jonas Gross, nice find. I made the PKGBUILD use the GitHub source; it compiled just fine.
After installing, AppArmor works again with firejail.

Thanks, mark
Comment by T.J. Townsend (blakkheim) - Thursday, 13 August 2020, 17:44 GMT
Upstream says a new release will be out within a week to fix it.