Hi Ian,
That is a typo in the apparmor.d man page, and the @{HOME} usage in
the example should not be preceded by a backslash. Thanks for pointing
this out.
Ryan
On Fri, Feb 7, 2025 at 10:28 AM Ian Merin <[email protected]> wrote:
>
> That worked! I swear I tried every possible combination of leading slashes
> yesterday with no luck, but this format does appear to work for me.
>
> The reason I did it this way is because the example on
> https://manpages.ubuntu.com/manpages/focal/man5/apparmor.d.5.html defines
>
> @{HOME} = /home/*/ /root/
>
> […]
>
> /@{HOME}/.foo_file rw,
>
> Is the example incorrect?
>
> Thanks,
>
> Ian
>
> From: Ryan Lee <[email protected]>
> Sent: Friday, February 7, 2025 1:06 PM
> To: Ian Merin <[email protected]>
> Cc: [email protected]
> Subject: [EXTERNAL] Re: [apparmor] policy variables not working as intended
>
> Hi Ian,
>
> Can you check if the rule
>
> @{lib}/**.so* mr,
>
> works for you?
>
> If so, the issue is that your use of the variable creates a rule that starts
> with two slashes, which currently isn't collapsed down into a single slash.
> You can check https://gitlab.com/apparmor/apparmor/-/issues/450 for more
> information.
>
> Ryan
>
> On Fri, Feb 7, 2025 at 9:50 AM Ian Merin <[email protected]> wrote:
>
> I’ve looked for documentation on variables to determine if I am using them
> incorrectly but I cannot find very much information about variables.
>
> I have created a variable @{lib}=/{,usr/}lib{,64}/
>
> And created a rule as such
>
> /@{lib}/**.so* mr,
>
> This rule appears to do nothing. If I substitute the value of @{lib} into
> the rule:
>
> /{,usr/}lib{,64}/**.so* mr,
>
> It works exactly as I expect it to. I have tried every possible combination
> of slashes for the variable with no luck. As far as I can tell, on apparmor
> and libapparmor v 3.1.2
>
> Thanks,
>
> Ian
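
A small lint for the problem discussed in this thread, added here as an illustration (it is not part of the original messages and is not AppArmor project code): it expands @{var} references textually and reports rules whose expansion starts with two slashes. It assumes each rule line begins with its path and that variables are defined in the same text; the names parse_vars, expand and lint are hypothetical.

```python
import itertools
import re

VAR_DEF = re.compile(r'^\s*@\{(\w+)\}\s*\+?=\s*(.+?)\s*$')
VAR_REF = re.compile(r'@\{(\w+)\}')
# Constructed sample profile fragment using the variables and rules quoted in the thread.
SAMPLE = """\
@{lib}=/{,usr/}lib{,64}/
@{HOME} = /home/*/ /root/
/@{lib}/**.so* mr,
@{lib}/**.so* mr,
/@{HOME}/.foo_file rw,
"""

def parse_vars(text):
    """Collect @{name} definitions; a value list is whitespace-separated."""
    variables = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables.setdefault(m.group(1), []).extend(m.group(2).split())
    return variables

def expand(path, variables):
    """Return every textual expansion of the @{var} references in path."""
    names = VAR_REF.findall(path)
    results = []
    for combo in itertools.product(*(variables.get(n, ['@{%s}' % n]) for n in names)):
        values = iter(combo)
        results.append(VAR_REF.sub(lambda _m: next(values), path))
    return results

def lint(text):
    """Return (line_no, rule_path, expansion) where the expansion starts with '//'."""
    variables = parse_vars(text)
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or VAR_DEF.match(line):
            continue
        path = stripped.split()[0]
        for expanded in expand(path, variables):
            if expanded.startswith('//'):
                findings.append((no, path, expanded))
    return findings

if __name__ == '__main__':
    for no, path, expanded in lint(SAMPLE):
        print(f'line {no}: {path} expands to {expanded}')
```

On the sample, the rules written as /@{lib}/... and /@{HOME}/... are reported, while @{lib}/**.so* is not, because its expansion begins with a single slash.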