apparmor-parse cannot parse profile with stacking //&
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Confirmed | Undecided | John Johansen |
Bug Description
I am experimenting with the new profile stacking feature of AppArmor on Ubuntu 16.10.
However, when trying to load a profile with stacking ("//&"), the apparmor-parser will report the following errors:
AppArmor parser error for /etc/apparmor.
The system is Ubuntu 16.10 Server edition. I am trying to confine a test program at /root/test/shell. The profile looks like the following:
```
#include <tunables/global>

/root/test/shell {
  #include <abstractions/base>

  /bin/touch ix,
  /root/test/read px -> readtest1 //& readtest2,
  /root/test/shell mr,

  profile readtest1 {
    #include <abstractions/base>
    /root/
    /root/test/read mr,
  }

  profile readtest2 {
    #include <abstractions/base>
    /root/
    /root/test/read mr,
  }
}
```
If the stacking works, when the /root/test/shell execs /root/test/read, it should not be able to read either file1 or file2.
I am not sure if I am using the stacking in the wrong way, or there is a bug in userspace support for stacking.
Yuqiong Sun,
The parser is sensitive to white space. If your profile has white space in the name, you will need to use quotes around it:
/root/test/read px -> "readtest1 //& readtest2",
Otherwise you will need to remove the white space and specify it as:
/root/test/read px -> readtest1//&readtest2,
Ideally the parser would properly handle white space in this situation and properly parse this, but at the moment it doesn't. If this fixes your problem, I will mark this bug as a wish-list feature. If not, please let us know so we can debug the problem further.
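To make the white-space point concrete, here is an added Python model of a lexer that splits on white space and treats double quotes as grouping a name, run over the reporter's rule from the description and the two corrected forms from the comment. It is an illustration written for this page, not apparmor_parser or any part of the AppArmor project, and it does not implement the real profile grammar; only the `//&` separator and the three rule lines come from the bug, everything else (function names, the error wording, the use of `shlex`) is constructed.

```python
"""Toy model of a whitespace-sensitive rule lexer for AppArmor-style exec rules.

Added illustration only: this is NOT apparmor_parser and does not implement
its grammar. It mimics just the behaviour described in the comment above
(tokens split on white space, double quotes group a name) to show why
'readtest1 //& readtest2' fails and why both suggested fixes parse.
"""
import shlex

STACK_SEP = "//&"  # stacking operator used in the bug report


def tokenize(rule: str) -> list[str]:
    """Split one rule on white space, honouring double quotes; drop the trailing comma."""
    rule = rule.strip()
    if rule.endswith(","):
        rule = rule[:-1].rstrip()
    # shlex in POSIX mode keeps quoted text as one token; '/', '&' and '>' are ordinary.
    return shlex.split(rule, posix=True)


def parse_exec_rule(rule: str) -> list[str]:
    """Return the stacked profile names named by an exec rule.

    Accepts '<path> <perms>' and '<path> <perms> -> <target>'. Anything after the
    single target token is unexpected, which is where a whitespace-sensitive
    lexer reports a parse error. Returns [] for a rule with no named target.
    """
    toks = tokenize(rule)
    if len(toks) < 2:
        raise ValueError(f"expected '<path> <perms>', got {toks!r}")
    if len(toks) == 2:
        return []  # e.g. '/bin/touch ix,' has no transition target
    if toks[2] != "->":
        raise ValueError(f"unexpected token {toks[2]!r} after permissions")
    if len(toks) != 4:
        raise ValueError(
            f"expected one target after '->', got {len(toks) - 3} tokens: {toks[3:]!r}"
        )
    names = [n.strip() for n in toks[3].split(STACK_SEP)]
    if any(not n for n in names):
        raise ValueError(f"empty profile name in stacked target {toks[3]!r}")
    return names


def classify(rule: str) -> tuple[str, object]:
    """Wrap parse_exec_rule so a table of variants can be built without try/except noise."""
    try:
        return ("ok", parse_exec_rule(rule))
    except ValueError as exc:
        return ("error", str(exc))


# The three forms discussed in the bug: the reporter's rule and the two fixes.
VARIANTS = {
    "unquoted with spaces": '/root/test/read px -> readtest1 //& readtest2,',
    "quoted":               '/root/test/read px -> "readtest1 //& readtest2",',
    "no spaces":            '/root/test/read px -> readtest1//&readtest2,',
}


def check_variants() -> dict[str, tuple[str, object]]:
    """Classify every variant; only the unquoted, space-separated form fails."""
    return {label: classify(rule) for label, rule in VARIANTS.items()}


if __name__ == "__main__":
    for label, (status, detail) in check_variants().items():
        print(f"{label:22} {status:5} {detail}")
```

Running the block prints one line per variant: the unquoted form yields three tokens after `->` and is rejected, while the quoted form and the form with the spaces removed both resolve to the two stacked profile names `readtest1` and `readtest2`.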