syntax errors when specifying px rules with exec transitions that have '.' in the name

Bug #1696552 reported by Jamie Strandboge
This bug affects 1 person
Affects: AppArmor
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ echo 'profile test { /foo/** px -> snap.foo.bar//&baz }' | apparmor_parser -QTK
...
AppArmor parser error, in stdin line 1: Found unexpected character: '.'

$ echo 'profile test { /foo/** px -> baz//&snap.foo.bar }' | apparmor_parser -QTK
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE

Jamie Strandboge (jdstrand) wrote :

I found myself wanting to do this again and tried this:

@{OTHER_PROFILE}="snap.foo.other"
profile snap.foo.bar {
  /some/path Px -> @{OTHER_PROFILE},
}

This indirection allows the profile to compile but unfortunately can't transition to it:

audit: type=1400 audit(1517000294.082:10903): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="snap.foo.bar" name="/some/path" pid=9534 comm="strace" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
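
A triage helper for the denial quoted in the comment above, added here as an example (it is not part of the bug report or of AppArmor): it parses kernel AppArmor audit lines and reports exec denials carrying info="profile transition not found". The function names and the second and third sample lines are constructed, and it assumes unquoted name/comm/profile values are hex-encoded, as the audit subsystem does for strings containing special characters.

```python
import re

# First line is the denial quoted in the comment above; the other two are
# constructed for this example (a hex-encoded name and an unrelated denial).
SAMPLE_LOG = [
    'audit: type=1400 audit(1517000294.082:10903): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="snap.foo.bar" name="/some/path" pid=9534 comm="strace" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1517000301.500:10910): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="snap.foo.bar" name=2F6F70742F6D7920617070 pid=9601 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1517000310.000:10915): apparmor="DENIED" operation="open" profile="snap.foo.bar" name="/etc/shadow" pid=9610 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key="quoted" or key=bare
STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')      # epoch time and serial
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
UNTRUSTED = {"profile", "name", "comm"}               # may arrive hex-encoded


def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, val in PAIR.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        elif key in UNTRUSTED and HEX.fullmatch(val):
            # Unquoted string field: decode the hex form back to text.
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    stamp = STAMP.search(line)
    if stamp:
        rec["time"], rec["serial"] = float(stamp.group(1)), int(stamp.group(2))
    return rec


def failed_transitions(lines):
    """List exec denials where the requested profile transition was not found."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "exec"
                and rec.get("info") == "profile transition not found"):
            hits.append({"profile": rec.get("profile"), "name": rec.get("name"),
                         "comm": rec.get("comm"), "pid": int(rec["pid"]),
                         "serial": rec.get("serial")})
    return hits


if __name__ == "__main__":
    for hit in failed_transitions(SAMPLE_LOG):
        print(hit)
```
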
