parser error with 'deny change_profile'
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
$ echo 'profile foo { deny change_profile -> unconfined, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
$ echo 'profile foo { deny change_profile -> /**, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
$ echo 'profile foo { deny change_profile -> {unconfined,/**}, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
AppArmor 2.10 has fixed the parsing issue; however, the policy generated does not actually deny the change_profile.