misleading name= for profile load, replacement, messages, for nested profiles
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
There's a misleading name reported for loading nested profiles:
```
#include <tunables/global>
/does/not/exist {
  #include <abstractions/base>
  /bin/true rCx,
  profile /bin/true {
    #include <abstractions/base>
    /bin/true m,
  }
}
```
This is in both apparmor_parser and the kernel interface:
```
$ sudo apparmor_parser --verbose --replace /etc/apparmor.
Replacement succeeded for "/bin/true".
Replacement succeeded for "/does/not/exist".
```
I expect "/does/
type=AVC msg=audit(
type=SYSCALL msg=audit(
type=AVC msg=audit(
type=SYSCALL msg=audit(
It is also incorrect without auditd running; originally this was discovered by maslen: http://
Linux hunt 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:28:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
2.8.95~
Thanks
tags added: aa-kernel aa-parser
The correct profiles are loaded:
```
$ sudo grep exist /sys/kernel/security/apparmor/profiles
exist// /bin/true (enforce)
/does/not/exist (enforce)
/does/not/
```
This is a cosmetic issue, though potentially very confusing.
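Because the parser's "Replacement succeeded" messages drop the parent prefix, the reliable check is the kernel's own list. The following Python is an added example written for this report (not AppArmor code and not the reporter's output): it derives the kernel's `parent//child` names from a profile text and compares them with lines in the format of `/sys/kernel/security/apparmor/profiles`. The profile text and the profiles-file lines are constructed from the report; `PROFILE_START` is a simplified header pattern that does not handle hats or every profile flag.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample: the profile from the bug report.
PROFILE_TEXT = """\
#include <tunables/global>
/does/not/exist {
  #include <abstractions/base>
  /bin/true rCx,
  profile /bin/true {
    #include <abstractions/base>
    /bin/true m,
  }
}
"""
# Constructed sample lines in the format of /sys/kernel/security/apparmor/profiles.
KERNEL_PROFILES = """\
/does/not/exist///bin/true (enforce)
/does/not/exist (enforce)
/usr/sbin/cupsd (complain)
"""

# Profile header: optional 'profile' keyword, name (maybe quoted), optional flags, '{'.
PROFILE_START = re.compile(r'^(?:profile\s+)?("?)([^\s"{]+)\1\s*(?:flags=\([^)]*\)\s*)?\{$')

def expected_profile_names(text: str) -> List[str]:
    """Return every profile name in brace-nesting order; a child profile is
    qualified as 'parent//child', the name the kernel actually uses."""
    names, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):  # skip #include and comment lines
            continue
        m = PROFILE_START.match(line)
        if m:
            stack.append(m.group(2))
            names.append('//'.join(stack))
        elif line == '}' and stack:
            stack.pop()
    return names

def loaded_profiles(profiles_file: str) -> Dict[str, str]:
    """Parse '<name> (<mode>)' lines from the kernel's profiles file into {name: mode}."""
    matches = (re.match(r'^(.+) \((\w+)\)$', l.strip()) for l in profiles_file.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def check_loaded(text: str, profiles_file: str) -> Tuple[List[str], List[str]]:
    """Split expected names into those the kernel reports and those it does not."""
    loaded, expected = loaded_profiles(profiles_file), expected_profile_names(text)
    return [n for n in expected if n in loaded], [n for n in expected if n not in loaded]
```

On a live system, pass the contents of the profiles file to `check_loaded` in place of the constructed sample.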