AppArmor

apparmor can't parse 'pix' 'px' with globbing.

Bug #1448421 reported by zhang.lei on 2015-04-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

apparmor_parser can't parse '/** px' '/** pix', but can parse '/** ix', why? is it a issue?

linux-l5kg:~/apparmor/z # cat /etc/SuSE-release
openSUSE 13.2 (x86_64)
VERSION = 13.2
CODENAME = Harlequin
# /etc/SuSE-release is deprecated and will be removed in the future, use /etc/os-release instead
linux-l5kg:~/apparmor/z # apparmor_parser -h
AppArmor parser version 2.9.0
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

linux-l5kg:~/apparmor/z # cat /etc/apparmor.d/touch.aa
# Last Modified: Tue Apr 14 17:49:40 2015
#include <tunables/global>

/root/apparmor/z/touch {#flags=(complain) {
#include <abstractions/base>
/** pix,
}

linux-l5kg:~/apparmor/z # apparmor_parser -r /etc/apparmor.d/touch.aa
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile /root/apparmor/z/touch, failed to load

Tags:

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-04-26:

Possible explanation: abstractions/base contains some mrix rules for files in /lib*/, /opt/ and /home/

Nevertheless, the more specific rules should "win" over /** IMHO ;-)

tags:

added: aa-parser

Revision history for this message

zhang.lei (6566230-b) wrote on 2015-04-27:

yes, i have confirmed it, thanks.

Changed in apparmor:
status:	New → Invalid

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-04-27:

So we know what happens, but it's still a valid bug IMHO ;-)

Changed in apparmor:
status:	Invalid → New

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.