several missing include local/foo

Bug #1649431 reported by Jon W on 2016-12-13
This bug affects 2 people
Affects:
ippusbxd (Ubuntu)
snap-confine (Ubuntu)
webbrowser-app (Ubuntu)

Bug Description

It is surprising that /etc/apparmor.d/local/ exists, but is impotent because no other file includes it.

There are several such files on my 16.04 system:

$ cd /etc/apparmor.d && for i in local/*; do find . -type f | xargs sudo grep "include.*$i" >/dev/null || echo "$i is not included anywhere"; done | grep -v README
local/usr.bin.ubuntu-core-launcher is not included anywhere
local/usr.bin.webbrowser-app is not included anywhere
local/usr.lib.snapd.snap-confine is not included anywhere
local/usr.sbin.ippusbxd is not included anywhere

The impact of this bug is that it is not possible to add site-specific rules to some AppArmor profiles in an Ubuntu system. Note that this should not be a problem with profiles shipped in the apparmor-profiles packages (since the upstream apparmor build system checks for the existence of such include rules) and likely only affects other packages which ship their own AppArmor profiles.

Tyler Hicks (tyhicks) wrote :

I'm not going to add a task for ubuntu-core-launcher because that package was replaced by snap-confine.

I'm marking the apparmor task as Invalid because this bug only applies to profiles that are not shipped by the apparmor or apparmor-profiles packages. The upstream apparmor project has an install-time check that verifies that all of the profiles have an "#include <local/>" rule.

Changed in ippusbxd (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Changed in snap-confine (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Changed in apparmor:
status: New → Invalid
Tyler Hicks (tyhicks) on 2016-12-13
description: updated
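
An added example (not part of the bug report or of any package named in it): a shell function that performs the check described in the report, listing the local/ files that no profile includes. It counts only real include rules ("#include", "include", "include if exists"), ignores ordinary comment lines, and matches file names literally; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list local/ override files that no AppArmor profile includes.

# Print "local/NAME" for each file in DIR/local that no file outside DIR/local
# pulls in with an include rule. DIR defaults to /etc/apparmor.d.
unreferenced_local() {
    dir=${1:-/etc/apparmor.d}
    # Keep only real include rules: "#include", "include" and
    # "include if exists". Other comment lines are dropped here.
    includes=$(find "$dir" -type f ! -path "$dir/local/*" -exec \
        grep -hE '^[[:space:]]*#?include[[:space:]]' {} + 2>/dev/null) || :
    for f in "$dir"/local/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = README ] && continue
        # Fixed-string match, so dots in the name are not wildcards.
        printf '%s\n' "$includes" |
            grep -qF -e "<local/$name>" -e "\"local/$name\"" ||
            printf 'local/%s\n' "$name"
    done
}

# Build a constructed sample tree (not taken from a real system) in DIR.
build_sample() {
    mkdir -p "$1/local"
    for n in README usr.sbin.cupsd usr.bin.example usr.sbin.ippusbxd \
             usr.bin.webbrowser-app; do
        : > "$1/local/$n"
    done
    printf '%s\n' '/usr/sbin/cupsd {' '  #include <local/usr.sbin.cupsd>' '}' \
        > "$1/usr.sbin.cupsd"
    printf '%s\n' '/usr/bin/example {' \
        '  include if exists <local/usr.bin.example>' '}' > "$1/usr.bin.example"
    # A comment that mentions the include must not count as an include rule.
    printf '%s\n' '/usr/sbin/ippusbxd {' \
        '  # disabled: #include <local/usr.sbin.ippusbxd>' '}' \
        > "$1/usr.sbin.ippusbxd"
    printf '%s\n' '/usr/bin/webbrowser-app {' '}' > "$1/usr.bin.webbrowser-app"
}

demo() {
    tmp=$(mktemp -d) && build_sample "$tmp" && unreferenced_local "$tmp"
    rm -rf "$tmp"
}
demo
```

Run against the default directory with "unreferenced_local /etc/apparmor.d"; add sudo if the profiles are not world-readable.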