syntax errors when specifying px rules with exec transitions that have '.' in the name

Bug #1696552 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

$ echo 'profile test { /foo/** px -> snap.foo.bar//&baz }' | apparmor_parser -QTK
...
AppArmor parser error, in stdin line 1: Found unexpected character: '.'

$ echo 'profile test { /foo/** px -> baz//&snap.foo.bar }' | apparmor_parser -QTK
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE

Jamie Strandboge (jdstrand) wrote :

I found myself wanting to do this again and tried this:

@{OTHER_PROFILE}="snap.foo.other"
profile snap.foo.bar {
  /some/path Px -> @{OTHER_PROFILE},
}

This indirection allows the profile to compile but unfortunately can't transition to it:

audit: type=1400 audit(1517000294.082:10903): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="snap.foo.bar" name="/some/path" pid=9534 comm="strace" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
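
A triage helper for the denial quoted in the comment above, as an added example that is not part of the original report or of AppArmor: it parses AppArmor audit records and groups exec denials whose info field is "profile transition not found" by confining profile and exec path. The pid 9534 record is the one from the report; the other log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" pairs as they appear in AppArmor audit records
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')

SAMPLE_LOG = [
    # Record quoted in the report above.
    'audit: type=1400 audit(1517000294.082:10903): apparmor="DENIED" operation="exec" '
    'info="profile transition not found" error=-13 profile="snap.foo.bar" '
    'name="/some/path" pid=9534 comm="strace" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=1000',
    # Constructed records for contrast (not from the report).
    'audit: type=1400 audit(1517000301.500:10910): apparmor="DENIED" operation="exec" '
    'info="profile transition not found" error=-13 profile="snap.foo.bar" '
    'name="/some/path" pid=9601 comm="sh" requested_mask="x" denied_mask="x"',
    'audit: type=1400 audit(1517000302.100:10911): apparmor="DENIED" operation="open" '
    'profile="snap.foo.bar" name="/etc/shadow" pid=9601 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1517000303.000:10912): apparmor="ALLOWED" operation="exec" '
    'profile="snap.foo.other" name="/bin/true" pid=9602 comm="sh" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
]

def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if "apparmor=" not in line:
        return None
    fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}
    stamp = STAMP.search(line)
    if stamp:
        fields["epoch"], fields["serial"] = int(stamp.group(1)), int(stamp.group(2))
    return fields

def failed_transitions(lines):
    """Group exec denials caused by a transition target the kernel could not find."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "exec"
                and rec.get("info") == "profile transition not found"):
            hits[(rec.get("profile"), rec.get("name"))].append(int(rec.get("pid", "0")))
    return dict(hits)

if __name__ == "__main__":
    for (profile, path), pids in failed_transitions(SAMPLE_LOG).items():
        print(f"{profile}: exec of {path} found no transition target (pids {pids})")
```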
