AppArmor

can only specify one 'type' with 'unix' rules

Bug #1738470 reported by Jamie Strandboge on 2017-12-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

$ echo 'profile test { unix type={dgram,stream}, }' | apparmor_parser -QTK
...
AppArmor parser error, in stdin line 1: socket rule: invalid socket type '{dgram,stream}'

$ echo 'profile test { unix type=({dgram,stream}), }' | apparmor_parser -QTK
...
AppArmor parser error, in stdin line 1: unknown rule: conditional 'type' only supports a single value

$ echo 'profile test { unix type=(dgram,stream), }' | apparmor_parser -QTK
...
AppArmor parser error, in stdin line 1: unknown rule: conditional 'type' only supports a single value

According to 'man unix', the type may be SOCK_DGRAM, SOCK_STREAM or SOCK_SEQPACKET. The apparmor.d man page has this to say about 'type' for unix rules:

UNIX RULE CONDS = ( TYPE COND | PROTO COND )
TYPE COND = 'type' '=' ( AARE | '(' ( '"' AARE '"' | AARE )+ ')' )

which says to me that my first and second test rules should work, but not the third.

Tags:

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.