[pkg-apparmor] Bug#1104268: aa-logprof: [Python] re.PatternError: unbalanced parenthesis at position 51

John Scott jscott at posteo.net
Mon Apr 28 01:33:52 BST 2025


Package: apparmor-utils, python3-apparmor
Version: 4.1.0-1
Severity: normal

Hi,

While doing regular maintenance on my VPS running Trixie, I thought I'd revisit the prospect of creating AppArmor profiles for my services, starting with the Prosody XMPP server. I created a boilerplate empty profile like this, restarted Prosody, and after aa-logprof reported it observed nothing, I realized that's because I stopped auditd by hand earlier for an unrelated reason. So I started auditd to get the complaints, restarted Prosody, and ran aa-logprof after a few moments.
+++++ /etc/apparmor.d/usr.bin.prosody
	# vim:syntax=apparmor
	# AppArmor policy for Prosody
	# Author: John Scott
	
	#include <tunables/global>
	
	/usr/bin/prosody flags=(complain) {
		#include <abstractions/base>
	}
-----

What makes this interesting is that Prosody is written in Lua, but fortunately the /usr/bin/prosody binary contains the event loop that runs everything, so I figured it'd still be a good candidate for a simple AppArmor profile. So I ran aa-logprof and my session went like this:

/etc/apparmor.d$ sudo aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.

Profile:  /usr/bin/prosody
Execute:  /usr/bin/lua5.4
Severity: unknown

In(h)erit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (I)gnore / (F)inish

It was here that I decided "In(h)erit" was probably what I wanted, and I pressed the 'h' key. Then I was shown this:

Complain-mode changes:
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 61, in <module>
    apparmor.do_logprof_pass(logmark, out_dir=args.output_dir)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1506, in do_logprof_pass
    ask_the_questions(log_dict)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1103, in ask_the_questions
    ask_conflict_mode(aa[profile][hat], log_dict[aamode][full_profile])
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1382, in ask_conflict_mode
    conflictingrules = merge_profile['file'].get_exec_conflict_rules(oldrule)
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 595, in get_exec_conflict_rules
    execrules = self.get_exec_rules_for_path(oldrule.path)
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 580, in get_exec_rules_for_path
    for rule in self.get_rules_for_path(path).rules:
                ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/rule/file.py", line 515, in get_rules_for_path
    if (rule.all_paths or rule.path.match(path)) and ((not deny) or rule.deny) and ((not audit) or rule.audit):
                          ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/apparmor/aare.py", line 90, in match
    self._regex_compiled = re.compile(convert_regexp(self.regex))
                           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/re/__init__.py", line 289, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.13/re/__init__.py", line 350, in _compile
    p = _compiler.compile(pattern, flags)
  File "/usr/lib/python3.13/re/_compiler.py", line 748, in compile
    p = _parser.parse(p, flags)
  File "/usr/lib/python3.13/re/_parser.py", line 985, in parse
    raise source.error("unbalanced parenthesis")
re.PatternError: unbalanced parenthesis at position 51

An unexpected error occurred!

Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues

If one looks at AppArmor's aare.py you'll find a concession from the author that the regular expression used for input validation is a kludge that may not handle corner cases, and this got me thinking if the pathnames involved here might be the culprit. aa-status shows
> 1 processes [sic] are in complain mode.
> 	/usr/bin/lua5.4 (23859) /usr/bin/prosody//null-/usr/bin/lua5.4

That latter path is hideous, so maybe this is where the problem lies (maybe with the hyphen, period, or consecutive slashes being interpreted specially). Unfortunately I can't wrap my head around Python so I'll have to take a break from detective work here. Maybe if Python 3.13 was introduced recent-ish (I saw AppArmor had an RC bug to adapt to that migration), but it's hard to imagine that affecting the matching of parentheses for example.

Let me know if you're unable to reproduce it.

Thanks,
John
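
The traceback above gives only an offset (position 51), not the pattern that failed to compile. As an added example (not part of the original report and not AppArmor code), the sketch below shows that the exception raised by Python's `re` module carries the message and position, so a failing pattern can be pinpointed. The sample patterns and the helper names `diagnose` and `failing` are constructed for illustration and do not reproduce the output of `convert_regexp`.

```python
import re


def diagnose(pattern):
    """Return None if `pattern` compiles, else where and why the parser stopped."""
    try:
        re.compile(pattern)
    except re.error as exc:  # Python 3.13 also exposes this class as re.PatternError
        pos = exc.pos
        char = pattern[pos] if pos is not None and pos < len(pattern) else ""
        return {
            "msg": exc.msg,   # e.g. "unbalanced parenthesis"
            "pos": pos,       # offset into the pattern, as in "at position 51"
            "char": char,     # the character the parser rejected
            "marker": pattern + "\n" + " " * (pos or 0) + "^",
        }
    return None


def failing(patterns):
    """Return (pattern, details) for every pattern that does not compile."""
    results = []
    for p in patterns:
        details = diagnose(p)
        if details is not None:
            results.append((p, details))
    return results


# Constructed sample patterns (assumptions for illustration only).
SAMPLES = [
    # Name from the aa-status output above, fed to re as-is (not via convert_regexp).
    "^/usr/bin/prosody//null-/usr/bin/lua5.4$",
    "^/usr/bin/lua5\\.4$",
    # Constructed pattern with a stray closing parenthesis.
    "^/opt/app/(bin|lib)/tool)$",
]

if __name__ == "__main__":
    for pattern, details in failing(SAMPLES):
        print(f"{details['msg']} at position {details['pos']}")
        print(details["marker"])
```

Catching the exception around the failing `re.compile` call in the same way while debugging would show the converted pattern next to the reported offset.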