Hello,

Am Mittwoch, 9. Januar 2019, 23:48:44 CET schrieb Mikhail Morfikov:
> For some time I've been using the following snippet to
> create new profiles:
> 
> ------------------------
> include <tunables/global>
> 
> @{exec_path} = /usr/bin/keepassxc
> profile keepassxc @{exec_path} {
>   #include <abstractions/base>
> 
>   @{exec_path} mr,
> 
> }
> ------------------------
> 
> The path of course changes as well as the profile name.
[...]
> When I wanted to use some AppArmor tools, for instance
> "aa-complain", I get the following error:
> 
> # aa-complain usr.bin.keepassxc
> ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/some-app and
> /etc/apparmor.d/some-other-app
> 
> I think the error started to show after upgrading apparmor
> package from 2.13.1 to 2.13.2 .

Looking at the changelog, it could be a side effect of "Fix minitools 
for named profiles" (which needed some bigger changes), but I'll have to 
look at the code/diff to verify this.

> Should this happen? Should I avoid using the code
> snippet to make profiles and use regular paths instead?

Your profiles are valid, but the tools don't like them ;-)

Variable support in the tools is limited, and variables in the profile 
name or attachment don't get "expanded" to their real values. Therefore 
the tools think you have multiple profiles for "@{exec_path}" (not 
"/usr/bin/whatever"), and it isn't too surprising that they complain 
about this. [1]

The proper solution / fix is to expand variables and to work on their 
content, but I'm afraid that isn't something I can do quickly.


For now, you could use a workaround - prefix the variable name with the 
profile name [2], so that you have for example

include <tunables/global>
@{keepassxc_exec_path} = /usr/bin/keepassxc
profile keepassxc @{keepassxc_exec_path} {
  #include <abstractions/base>
  @{keepassxc_exec_path} mr,
}

This should avoid that the tools error out.


Regards,

Christian Boltz

[1] Actually, with profile names, we might have to re-think if having
    two profiles with different name, but same attachment is really 
    problematic. IMHO it is (because it isn't clear which profile will 
    be used, unless you Px -> $name into it), but we'll at least have to
    add xattrs into the check.

[2] the important point is not to use the same variable name for 
    multiple profiles, and using the profile name as prefix shouldn't be 
    too hard to integrate in your script
-- 
Encryption is only for terrorists and as such not supported :-)
[Stefan Seyfried in opensuse-packaging]
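As an added illustration (not code from this thread or from the AppArmor tools), the following Python checker compares profile attachments the way the tools described above do, on the raw, unexpanded text, and the way the proper fix would, after variable expansion; it runs over constructed profile texts shaped like the snippet in the thread, so the file names and the `sample_profile` helper are assumptions.

```python
import re
from collections import defaultdict

VAR_DEF = re.compile(r'^\s*@\{(\w+)\}\s*=\s*(\S+)')      # @{name} = value
PROFILE = re.compile(r'^\s*profile\s+(\S+)\s+(\S+)\s*\{')  # profile NAME ATTACHMENT {

def parse_profile(text):
    """Return (name, raw_attachment, variables) for one profile file's text.
    Profiles without an attachment are reported with attachment None."""
    variables, name, attachment = {}, None, None
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = PROFILE.match(line)
        if m and name is None:
            name, attachment = m.group(1), m.group(2)
    return name, attachment, variables

def expand(value, variables):
    """Substitute @{var} references; unknown variables are left as written."""
    return re.sub(r'@\{(\w+)\}', lambda m: variables.get(m.group(1), m.group(0)), value)

def find_duplicate_attachments(files, expand_vars):
    """Map attachment -> [file, ...] for attachments claimed by more than one profile.
    files: dict of file name -> profile text.  With expand_vars=False the comparison is
    done on the literal attachment text, which is why two profiles that both attach to
    @{exec_path} look like duplicates even though the variable resolves differently."""
    by_attachment = defaultdict(list)
    for fname, text in files.items():
        _name, attachment, variables = parse_profile(text)
        if attachment is None:
            continue
        key = expand(attachment, variables) if expand_vars else attachment
        by_attachment[key].append(fname)
    return {k: v for k, v in by_attachment.items() if len(v) > 1}

def sample_profile(name, var, path):
    """Constructed sample data in the shape of the snippet from the thread (not real files)."""
    return (f"include <tunables/global>\n@{{{var}}} = {path}\n"
            f"profile {name} @{{{var}}} {{\n  #include <abstractions/base>\n  @{{{var}}} mr,\n}}\n")

SAMPLE = {
    "usr.bin.keepassxc": sample_profile("keepassxc", "exec_path", "/usr/bin/keepassxc"),
    "usr.bin.firefox": sample_profile("firefox", "exec_path", "/usr/bin/firefox"),
    "usr.bin.kate": sample_profile("kate", "kate_exec_path", "/usr/bin/kate"),  # prefixed workaround
}

if __name__ == "__main__":
    print("raw attachments (as the tools compare them):", find_duplicate_attachments(SAMPLE, False))
    print("expanded attachments:", find_duplicate_attachments(SAMPLE, True))
```

The raw comparison flags the two profiles sharing `@{exec_path}` while the prefixed `@{kate_exec_path}` profile passes, and the expanded comparison finds no duplicates at all.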

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor