On 05/16/2018 08:58 PM, Liu,An wrote:
> I wrote the profile for the init process which will transition to other profiles as
> follows when the system starts.
>
> /system/bin/wpa_supplicant px -> wpa,
> /system/bin/dhcpd -> dhcpd,
> …
>
> My purpose is to protect the whole system using AppArmor. Since init is the
> first process to start, there are so many transition rules (> 50) in the init
> profile.
>
> When I load the profile for init using apparmor-parser, I get the following
> error.
>
> $ Profile init has too many specified profile transitions.
>
> I think I need to increase the following macro (it was 16) in immunix.h to make
> the profile handle more transition rules.
>
> #define AA_EXEC_COUNT 64
>
> However, after increasing it and recompiling apparmor-parser, apparmor-parser
> gets a segmentation fault when I load the profile. Any idea what the correct
> way is to increase the limit on the total number of profile transitions?
>
Unfortunately the limit is currently determined by how the permissions are
packed. There are currently only 4 bits available, hence the limit of 16. There
is work being done to fix this (generally referred to as the extended
permission work) but it is not ready yet, and will require an updated kernel
and userspace.

There are some ways for you to work around this atm. You could use a regular px
transition with the profile having a profile attachment, so for your example

profile wpa /system/bin/wpa_supplicant {
...
}
profile dhcpd /system/bin/dhcpd {
...
}

with your init process rules being

/system/bin/wpa_supplicant px,
/system/bin/dhcpd px,

This will let you keep the nice profile names while allowing for file name
based attachment, which doesn't take up any of the very limited transition
entries that the -> transitions take.
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
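The following is an added example, not code from either message in this thread and not part of the AppArmor project. It writes the two profile styles discussed above (named `px -> target` transitions versus plain `px` with an attachment path on the child profile) as constructed sample profiles, and provides a small check that counts how many rules in a profile consume one of the named-transition slots, using the limit of 16 that the reply attributes to the 4-bit packing (the parser's `AA_EXEC_COUNT` from the question). The profile paths and bodies are illustrative, and the script only inspects the text; it does not invoke apparmor_parser.

```shell
#!/bin/sh
# Added example (not from the thread). The paths, profile names and bodies are
# constructed for illustration; AA_EXEC_LIMIT is the 16-entry limit the reply
# describes (AA_EXEC_COUNT in the parser's immunix.h per the question).

AA_EXEC_LIMIT=16

# Style 1: named transitions. Every "px -> name" rule occupies one of the
# AA_EXEC_LIMIT transition entries in the enclosing profile.
write_named_transition_profile() {   # $1 = output file
    cat > "$1" <<'EOF'
profile init /init {
  /system/bin/wpa_supplicant px -> wpa,
  /system/bin/dhcpd px -> dhcpd,
}
profile wpa {
}
profile dhcpd {
}
EOF
}

# Style 2: plain px in init, with the target profile declaring an attachment
# path. Attachment is resolved by executable name, so no transition entry is
# consumed and the profile names are kept.
write_attachment_profile() {   # $1 = output file
    cat > "$1" <<'EOF'
profile init /init {
  /system/bin/wpa_supplicant px,
  /system/bin/dhcpd px,
}
profile wpa /system/bin/wpa_supplicant {
}
profile dhcpd /system/bin/dhcpd {
}
EOF
}

# Constructed "large init" profile with $2 named transitions, to reproduce the
# "too many specified profile transitions" situation from the question.
write_oversized_profile() {   # $1 = output file, $2 = number of px -> rules
    {
        echo 'profile init /init {'
        i=1
        while [ "$i" -le "$2" ]; do
            echo "  /system/bin/daemon$i px -> daemon$i,"
            i=$((i + 1))
        done
        echo '}'
    } > "$1"
}

# Count exec rules carrying an explicit "-> target" in a profile file,
# ignoring comment lines. Prints the count (0 when there are none).
count_named_transitions() {   # $1 = profile file
    grep -v '^[[:space:]]*#' "$1" | grep -cE 'x[[:space:]]*->' || true
}

# Return 0 when the profile stays within the named-transition budget,
# 1 (with a message on stderr) when it would trip the parser's limit.
check_transition_budget() {   # $1 = profile file
    n=$(count_named_transitions "$1")
    if [ "$n" -gt "$AA_EXEC_LIMIT" ]; then
        echo "$1: $n named transitions exceeds the limit of $AA_EXEC_LIMIT" >&2
        return 1
    fi
    echo "$1: $n named transitions (limit $AA_EXEC_LIMIT)"
    return 0
}

# Stand-alone demonstration: the attachment style uses no entries at all,
# while a 50-rule init profile using "->" exceeds the limit.
demo_dir=$(mktemp -d)
write_named_transition_profile "$demo_dir/init.named"
write_attachment_profile "$demo_dir/init.attach"
write_oversized_profile "$demo_dir/init.big" 50
check_transition_budget "$demo_dir/init.named"
check_transition_budget "$demo_dir/init.attach"
check_transition_budget "$demo_dir/init.big" || echo "init.big would be rejected by the parser"
rm -rf "$demo_dir"
```

The check is a text-level count, so it is useful as a pre-flight before loading a large profile with apparmor_parser, but it is not a substitute for the parser's own validation.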