On 10/01/2017 08:42 AM, Vincas Dargis wrote:
> Hi,
>
> I have reported bug [0] that `usr.bin.totem` containing `Pux` rule produces
> `aa-logprof` error:
>
> ```
> ERROR: permission contains unknown character(s) Pux
> ```
>
> Though `apparmor_parser` itself does not emit any errors or warnings.
>

It is valid in that the parser accepts it but is slightly confusing in that
character case (sadly) is used to indicate whether environment scrubbing is
used, and in this situation you have one upper and one lower case qualifier
on the x, making the intention ambiguous.

Pux is treated by the parser as being equivalent to PUx.

There was a decision made a few years ago to deprecate the mixed case version
to avoid ambiguity in interpreting the rule.

> I can't find `Pux` in `man apparmor.d`, though it's mentioned in AppArmor
> wiki [1].
>

apparmor.d was edited to only contain the preferred version of PUx and pux.

> So it's kinda confusing. Maybe it's simply `aa-logprof` bug and a man page is
> missing an update?
>

I believe it was a deliberate decision by the author to not support the
confusing syntax of mixed characters. The parser's support is much older and
has not been patched to conform with the above mentioned decision; ideally it
should be reporting that the syntax is deprecated.

> I managed to grep this mode only in that `usr.bin.totem` profile, which was
> modified recently, so it could
> slip through...
>

It is possible for it to slip through if the profile never goes through the
logprof/genprof tools. There are several people who just use a text editor
and a parser when generating rules.

> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877255
> [1]
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
>
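
A small check for the mismatch described in this thread, where the parser accepts a mixed-case rule that aa-logprof rejects, added here as an example (not code from AppArmor or from either poster). It flags exec qualifiers whose two letters differ in case; covering the `c`/`C` qualifier as well as `p`/`P`, the simplified rule tokenising, and the sample profile are assumptions of this example.

```python
import re

# Characters that can appear in a file-rule permission string (assumed set).
PERM_TOKEN = re.compile(r'^[rwamlkixuUpPcC]+$')
# Profile (p/P) or child (c/C) exec with unconfined fallback (u/U), then x.
FALLBACK_X = re.compile(r'([pPcC])([uU])x')

def find_mixed_case_exec(profile_text):
    """Return (line_number, qualifier, (scrubbing_form, non_scrubbing_form))
    for every exec qualifier whose two letters disagree in case."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        rule = line.split('#', 1)[0]            # drop trailing comments
        for token in rule.replace(',', ' ').split():
            if not PERM_TOKEN.match(token):     # paths, keywords, '->' etc.
                continue
            for m in FALLBACK_X.finditer(token):
                q, u = m.group(1), m.group(2)
                if q.isupper() != u.isupper():  # one upper, one lower: ambiguous
                    findings.append(
                        (lineno, m.group(0), (q.upper() + 'Ux', q.lower() + 'ux'))
                    )
    return findings

# Constructed sample profile for the example; not the real usr.bin.totem.
SAMPLE = """\
# constructed sample profile
/usr/bin/totem {
  /usr/bin/bwrap Pux,
  /usr/bin/helper PUx,
  /usr/lib/** mrix,
  /opt/tool rpUx,   # mixed the other way round
  /usr/bin/other pux,
}
"""

if __name__ == "__main__":
    for lineno, qual, (upper, lower) in find_mixed_case_exec(SAMPLE):
        print(f"line {lineno}: '{qual}' is mixed case; write '{upper}' or '{lower}'")
```

Run against hand-edited profiles before they reach aa-logprof or aa-genprof; which of the two suggested spellings is right depends on whether environment scrubbing is intended.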
