Hello,

On Wednesday, 9 January 2019, 23:48:44 CET, Mikhail Morfikov wrote:
> For some time I've been using the following snippet to
> create new profiles:
>
> ------------------------
> include <tunables/global>
>
> @{exec_path} = /usr/bin/keepassxc
> profile keepassxc @{exec_path} {
>   #include <abstractions/base>
>
>   @{exec_path} mr,
>
> }
> ------------------------
>
> The path of course changes as well as the profile name.
[...]
> When I wanted to use some AppArmor tools, for instance
> "aa-complain", I get the following error:
>
> # aa-complain usr.bin.keepassxc
> ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/some-app and
> /etc/apparmor.d/some-other-app
>
> I think the error started to show after upgrading apparmor
> package from 2.13.1 to 2.13.2 .
Looking at the changelog, it could be a side effect of "Fix minitools for named profiles" (which needed some bigger changes), but I'll have to look at the code/diff to verify this.

> Should this happen? Should I avoid using the code
> snippet to make profiles and use regular paths instead?

Your profiles are valid, but the tools don't like them ;-)

Variable support in the tools is limited, and variables in the profile name or attachment don't get "expanded" to their real values. Therefore the tools think you have multiple profiles for "@{exec_path}" (not "/usr/bin/whatever"), and it isn't too surprising that they complain about this. [1]

The proper solution / fix is to expand variables and to work on their content, but I'm afraid that isn't something I can do quickly.

For now, you could use a workaround - prefix the variable name with the profile name [2], so that you have for example

------------------------
include <tunables/global>

@{keepassxc_exec_path} = /usr/bin/keepassxc
profile keepassxc @{keepassxc_exec_path} {
  #include <abstractions/base>

  @{keepassxc_exec_path} mr,

}
------------------------

This should stop the tools from erroring out.

Regards,

Christian Boltz

[1] Actually, with profile names, we might have to re-think if having two profiles with different name, but same attachment is really problematic. IMHO it is (because it isn't clear which profile will be used, unless you Px -> $name into it), but we'll at least have to add xattrs into the check.

[2] the important point is not to use the same variable name for multiple profiles, and using the profile name as prefix shouldn't be too hard to integrate in your script

-- 
Encryption is only for terrorists and as such not supported :-)
[Stefan Seyfried in opensuse-packaging]
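As an added illustration (not part of either message, nor AppArmor's own code), the script below mimics the duplicate-attachment check over constructed sample profile files: comparing the raw, unexpanded attachment token flags the shared @{exec_path} as a duplicate, while expanding the variables first, or generating the profiles with the profile-name prefix from the workaround, does not. The file paths and the extra firefox profile are constructed samples.

```python
import re

# Constructed sample profile files modelled on the thread's snippet: two files
# reuse the unprefixed @{exec_path} variable, one uses a profile-name prefix.
PROFILES = {
    "/etc/apparmor.d/usr.bin.keepassxc":
        "include <tunables/global>\n@{exec_path} = /usr/bin/keepassxc\n"
        "profile keepassxc @{exec_path} {\n  @{exec_path} mr,\n}\n",
    "/etc/apparmor.d/usr.bin.some-app":
        "include <tunables/global>\n@{exec_path} = /usr/bin/some-app\n"
        "profile some-app @{exec_path} {\n  @{exec_path} mr,\n}\n",
    "/etc/apparmor.d/usr.bin.firefox":
        "include <tunables/global>\n@{firefox_exec_path} = /usr/bin/firefox\n"
        "profile firefox @{firefox_exec_path} {\n  @{firefox_exec_path} mr,\n}\n",
}

VAR_RE = re.compile(r"^\s*@\{(\w+)\}\s*=\s*(\S+)", re.M)   # @{name} = value
HEAD_RE = re.compile(r"^\s*profile\s+(\S+)\s+(\S+)\s*\{", re.M)  # profile NAME ATTACHMENT {


def attachment_of(text, expand):
    """Attachment token of the 'profile NAME ATTACHMENT {' header in one file.
    expand=False returns the raw token (what the tools currently compare);
    expand=True substitutes @{var} with the value assigned in the same file."""
    _name, attachment = HEAD_RE.search(text).groups()
    if expand:
        variables = dict(VAR_RE.findall(text))
        attachment = re.sub(r"@\{(\w+)\}",
                            lambda m: variables.get(m.group(1), m.group(0)),
                            attachment)
    return attachment


def duplicate_attachments(profiles, expand):
    """Map every attachment claimed by more than one file to those files."""
    owners = {}
    for path, text in profiles.items():
        owners.setdefault(attachment_of(text, expand), []).append(path)
    return {att: files for att, files in owners.items() if len(files) > 1}


def render_profile(name, exec_path):
    """Generate a profile whose variable carries the profile name as prefix
    (the workaround from the reply); non-word characters become underscores."""
    var = "@{%s_exec_path}" % re.sub(r"\W", "_", name)
    return ("include <tunables/global>\n\n%s = %s\n"
            "profile %s %s {\n  #include <abstractions/base>\n\n  %s mr,\n\n}\n"
            % (var, exec_path, name, var, var))
```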
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor