AppArmor testing: the aa-genprof error and its fix (2)

Continued from the previous article: AppArmor testing: the aa-genprof error and its fix (1)

The previous article solved the problem of aa-genprof not finding its (Python) module. With that fixed, running aa-genprof test_app produced the following error:

$ aa-genprof test_app
Updating AppArmor profiles in /usr/local/etc/apparmor.d.

WARNING: Error reading file /usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app, skipping.
    [Errno 13] Permission denied: '/usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app'
Traceback (most recent call last):
  File "/usr/local/sbin/aa-genprof", line 117, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/local/lib/python3.10/site-packages/apparmor/aa.py", line 616, in get_profile_flags
    with open_file_read(filename) as f_in:
  File "/usr/local/lib/python3.10/site-packages/apparmor/common.py", line 188, in open_file_read
    return open_file_anymode('r', path, encoding)
  File "/usr/local/lib/python3.10/site-packages/apparmor/common.py", line 202, in open_file_anymode
    return open(path, mode, encoding=encoding, errors='surrogateescape')
PermissionError: [Errno 13] Permission denied: '/usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app'


An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-k1h4p8aa.txt
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
and attach this file.

This is clearly a permission problem, and there are two ways to deal with it: switch to the root user, or prefix the command with sudo. Let's try them one at a time.

Method 1. Switch to the root user

Switch to root and run the aa-genprof command again as root. The result:

root [ /home/penghao/AppArmor/sample_code ]# /usr/local/sbin/aa-genprof test_app
Traceback (most recent call last):
  File "/usr/local/sbin/aa-genprof", line 23, in <module>
    import apparmor.aa as apparmor
ModuleNotFoundError: No module named 'apparmor'

Re-enable the print statement in /usr/local/sbin/aa-genprof again and look at root's sys.path:

root [ /home/penghao/AppArmor/sample_code ]# /usr/local/sbin/aa-genprof test_app
['/usr/local/sbin', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/lib/python3.10/site-packages', '/usr/lib/python3.10/site-packages/Mako-1.1.6-py3.10.egg', '/usr/lib/python3.10/site-packages/pycairo-1.20.1-py3.10-linux-x86_64.egg']
Traceback (most recent call last):
  File "/usr/local/sbin/aa-genprof", line 23, in <module>
    import apparmor.aa as apparmor
ModuleNotFoundError: No module named 'apparmor'

It is in fact identical to what the ordinary user saw in the previous article. As root, add the PYTHONPATH environment variable with export in the same way:

root [ /home/penghao/AppArmor/sample_code ]# export PYTHONPATH=/usr/local/lib/python3.10/site-packages
root [ /home/penghao/AppArmor/sample_code ]# echo $PYTHONPATH
/usr/local/lib/python3.10/site-packages

Run the command again. The result:

root [ /home/penghao/AppArmor/sample_code ]# /usr/local/sbin/aa-genprof test_app
['/usr/local/sbin', '/usr/local/lib/python3.10/site-packages', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/lib/python3.10/site-packages', '/usr/lib/python3.10/site-packages/Mako-1.1.6-py3.10.egg', '/usr/lib/python3.10/site-packages/pycairo-1.20.1-py3.10-linux-x86_64.egg']
Updating AppArmor profiles in /usr/local/etc/apparmor.d.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /home/penghao/AppArmor/sample_code/test_app

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in 
order to scan the system logs for AppArmor events. 

For each AppArmor event, you will be given the 
opportunity to choose whether the access should be 
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

As you can see, aa-genprof now works normally.

Method 2. Prefix the command with sudo

Go back to the situation where, as an ordinary user, we ran aa-genprof after exporting PYTHONPATH. Recall the earlier result:

$ export PYTHONPATH=/usr/local/lib/python3.10/site-packages
$ echo $PYTHONPATH
/usr/local/lib/python3.10/site-packages

$ aa-genprof test_app
['/usr/local/sbin', '/usr/local/lib/python3.10/site-packages', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/lib/python3.10/site-packages', '/usr/lib/python3.10/site-packages/Mako-1.1.6-py3.10.egg', '/usr/lib/python3.10/site-packages/pycairo-1.20.1-py3.10-linux-x86_64.egg']
Updating AppArmor profiles in /usr/local/etc/apparmor.d.

WARNING: Error reading file /usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app, skipping.
    [Errno 13] Permission denied: '/usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app'
Traceback (most recent call last):
  File "/usr/local/sbin/aa-genprof", line 117, in <module>
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
  File "/usr/local/lib/python3.10/site-packages/apparmor/aa.py", line 616, in get_profile_flags
    with open_file_read(filename) as f_in:
  File "/usr/local/lib/python3.10/site-packages/apparmor/common.py", line 188, in open_file_read
    return open_file_anymode('r', path, encoding)
  File "/usr/local/lib/python3.10/site-packages/apparmor/common.py", line 202, in open_file_anymode
    return open(path, mode, encoding=encoding, errors='surrogateescape')
PermissionError: [Errno 13] Permission denied: '/usr/local/etc/apparmor.d/home.penghao.AppArmor.sample_code.test_app'


An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-a10fg613.txt
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
and attach this file.

Prefix the command with sudo so that it has the required permission, and run it again. The result:

$ sudo aa-genprof test_app
[sudo] penghao 的密码:['/usr/local/sbin', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/lib/python3.10/site-packages', '/usr/lib/python3.10/site-packages/Mako-1.1.6-py3.10.egg', '/usr/lib/python3.10/site-packages/pycairo-1.20.1-py3.10-linux-x86_64.egg']
Traceback (most recent call last):
  File "/usr/local/sbin/aa-genprof", line 23, in <module>
    import apparmor.aa as apparmor
ModuleNotFoundError: No module named 'apparmor'

We are back to the same state as before PYTHONPATH was set. Why?

Many thanks to the following blog post for providing the answer and the fix:

Fixing PYTHONPATH or PATH settings not taking effect under sudo on Linux (蒲公英云)

Its content is quoted here:


Sometimes we need to run certain Python programs with root privileges. Even if we have defined PYTHONPATH or PATH in .bashrc or a similar configuration file, an error saying the import path does not exist can still appear. This is because when a program is run under sudo, the system automatically resets the PATH environment variable. We can check the /etc/sudoers file; if it contains the following line:

Defaults env_reset

then environment variables are reset by default under sudo. To keep using the environment variables we defined under sudo, we need to delete the line above and add the following. Note: /etc/sudoers can only be edited with root privileges.

Defaults env_keep += "PYTHONPATH"
Defaults env_keep += "Any other env variable you want to keep"

Of course, if we only want to run the code once in a particular path, we can specify the environment variable in the sudo command itself. The format is ENV=/path/to/env:

sudo PATH=/path/to/your/env python /path/to/your/script.py

Following the post above, inspect /etc/sudoers. Its content:

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                           /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers

Although the “Defaults env_reset” line mentioned above is not present in /etc/sudoers (sudo enables env_reset by default even when the line is absent, which is why PYTHONPATH was dropped), there are indeed several “Defaults env_keep +=” statements. Following the hint above, add the following lines among them (note: the default permission of /etc/sudoers is 0440 and must be changed to 0640 to edit it directly; the file's own header says it must be edited with visudo as root, which edits it in place and checks the syntax before saving):

## Python path settings
Defaults env_keep += "PYTHONPATH"
##

Save and exit.

Run the earlier command again. The result:
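As an added example (not from the original post, and not code from sudo or AppArmor), a small Python checker that models the sudoers semantics at work here: env_reset is sudo's compiled-in default even when the file has no explicit env_reset line, and only names listed in env_keep (globs such as LC_* included) reach the command. The sudoers text embedded below is a constructed excerpt of the file shown above, and parse_defaults and survives_sudo are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the active Defaults lines of the /etc/sudoers shown above,
# after the author's edit. Comment lines ('#'/'##') are ignored by the parser.
SUDOERS_AFTER_EDIT = """
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
## Python path settings
Defaults env_keep += "PYTHONPATH"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
"""
# The same file before the edit: no env_keep entry for PYTHONPATH.
SUDOERS_BEFORE_EDIT = SUDOERS_AFTER_EDIT.replace('Defaults env_keep += "PYTHONPATH"', '')

_DEFAULTS_RE = re.compile(r'^Defaults\s+(.*)$')
_ENV_KEEP_RE = re.compile(r'^env_keep\s*(\+=|-=|=)\s*"?(.*?)"?$')
_OPT_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes


def parse_defaults(text):
    """Resolve (env_reset, env_keep) as sudo would. env_reset is sudo's
    compiled-in default, so it is ON even with no 'Defaults env_reset' line."""
    env_reset, env_keep = True, []
    for raw in text.splitlines():
        m = _DEFAULTS_RE.match(raw.split('#', 1)[0].strip())
        if not m:
            continue
        for opt in (o.strip() for o in _OPT_SPLIT_RE.split(m.group(1))):
            if opt in ('env_reset', '!env_reset'):
                env_reset = not opt.startswith('!')
            elif (ek := _ENV_KEEP_RE.match(opt)):
                op, names = ek.group(1), ek.group(2).split()
                if op == '=':
                    env_keep = names
                elif op == '+=':
                    env_keep += [n for n in names if n not in env_keep]
                else:                        # '-=' removes entries
                    env_keep = [n for n in env_keep if n not in names]
    return env_reset, env_keep


def survives_sudo(var, sudoers_text):
    """True if the caller's VAR reaches a command run via sudo under these Defaults.
    env_keep entries may be globs (e.g. LC_*), matched the way sudo matches them."""
    env_reset, env_keep = parse_defaults(sudoers_text)
    return (not env_reset) or any(fnmatchcase(var, p) for p in env_keep)


if __name__ == '__main__':
    print('before edit:', survives_sudo('PYTHONPATH', SUDOERS_BEFORE_EDIT))  # False
    print('after edit: ', survives_sudo('PYTHONPATH', SUDOERS_AFTER_EDIT))   # True
```

Running it against the real file (for example `parse_defaults(open('/etc/sudoers').read())` as root) shows which variables a sudo-launched aa-genprof will actually receive before you edit anything.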

$ sudo aa-genprof test_app
['/usr/local/sbin', '/usr/local/lib/python3.10/site-packages', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/usr/lib/python3.10/site-packages', '/usr/lib/python3.10/site-packages/Mako-1.1.6-py3.10.egg', '/usr/lib/python3.10/site-packages/pycairo-1.20.1-py3.10-linux-x86_64.egg']
Updating AppArmor profiles in /usr/local/etc/apparmor.d.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /home/penghao/AppArmor/sample_code/test_app

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in 
order to scan the system logs for AppArmor events. 

For each AppArmor event, you will be given the 
opportunity to choose whether the access should be 
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

As you can see, aa-genprof now works normally this way as well.


Reproduced from blog.csdn.net/phmatthaus/article/details/130341327