Hello,

On Sunday, 21 October 2018, 09:29:09 CEST, intrigeri wrote:
> With 2.13.1:
>
> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
>
> ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid
> profile for /usr/bin/thunderbird (syntax error?)
>
> … and the profile is not set to complain mode.
I had a look at the profile in apparmor-profiles/ubuntu/18.10. Vincas found a new, creative way to confuse aa-complain ;-)

    @{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
    # ...
    profile thunderbird @{thunderbird_executable} {

The tools currently don't expand variables when matching the profile name, therefore it's not surprising that the profile isn't found.

Additionally, checking the profile name "thunderbird" will also fail because aa-complain first does a "which thunderbird" and then checks with the full path (tools.py get_next_to_profile()).

As usual when I do some tests, I found more issues:

- the attachment won't be checked if a profile has a name (so using a variable currently doesn't matter ;-)
- aa-complain first does a "which thunderbird" and then checks with the full path, so the profile name also won't match - "thunderbird" != "/usr/bin/thunderbird"
- profile names with alternations (without attachment specification) will also not match because aa.py get_profile_filename() doesn't use AARE

Unfortunately fixing that will need some bigger changes - I'll need to replace the existing_profiles dict with something better before I can even start to work on adding AARE support etc. Well, actually that "something better" will probably handle AARE internally, but I'll still need to adjust all places that use existing_profiles to use the "something better" ;-)

Unfortunately "bigger changes" also means that backporting might be risky :-( - but that still sounds better than keeping all the bugs mentioned above.

Maybe (additionally) matching the aa-complain parameter against the profile name would be an easy option/workaround, but I'm undecided if this is a good idea because it could also cause false positives - opinions?

Or to ask the other way round - assuming you have

    profile foo /bin/bar { ... }

should "aa-complain foo" find that profile?
> However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
> fine: it sets both the thunderbird profile and its child gpg profile
> to complain mode :)

Right. Currently this way works much better than giving the executable as parameter.

> I find this surprising given aa-complain(8) does
> not mention this is possible at all.

Indeed, nice catch ;-) Can you please open a merge request to update the manpage? (probably also affects aa-enforce, aa-audit and aa-disable)

While on it, please also adjust the --help of these tools ;-)

Regards,

Christian Boltz
--
I fear that we'll get a shouting match - "my fonts look ugly";
"no, they don't!"; "yes, they do!" :)
[Federico Mena Quintero in https://bugzilla.novell.com/show_bug.cgi?id=220814]
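An added example, not part of this message or of the AppArmor tools, of the matching step the mail says the tools currently lack: the attachment of a profile header is taken even when the profile has a name, @{variables} are expanded, and brace alternations are honoured before comparing against an executable path. The variable value, the header lines and all function names below are constructed for the illustration; it also shows that the path returned by "which" still has to match the attachment, so /usr/bin/thunderbird finds nothing even once @{thunderbird_executable} is expanded.

```python
import re

# Constructed sample data (not from the AppArmor tree): the variable and headers from the thread.
SAMPLE_VARS = {"thunderbird_executable": ["/usr/lib/thunderbird/thunderbird{,-bin}"]}
SAMPLE_HEADERS = [
    "profile thunderbird @{thunderbird_executable} {",
    "profile foo /bin/bar {",
    "/usr/lib/firefox{,-esr}/firefox* flags=(complain) {",
]
VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")
# header: [profile] name [attachment] [flags=(...)] {  -- the attachment is never the flags token
HEADER_RE = re.compile(r"^\s*(?:profile\s+)?(\S+)(?:\s+(?!flags=)(\S+))?"
                       r"\s*(?:flags=\([^)]*\)\s*)?\{\s*$")

def expand_vars(spec, variables):
    """Replace every @{name} with its value(s), written as a brace alternation."""
    def repl(m):
        values = variables[m.group(1)]          # KeyError for an undefined variable
        return values[0] if len(values) == 1 else "{" + ",".join(values) + "}"
    while VAR_RE.search(spec):                  # values may themselves contain variables
        spec = VAR_RE.sub(repl, spec)
    return spec

def aare_to_regex(aare):
    """Convert an AppArmor path glob (AARE subset: * ** ? {a,b}) to an anchored regex."""
    out, depth, i = [], 0, 0
    while i < len(aare):
        c, two = aare[i], aare[i:i + 2]
        if two == "**":  out.append(".*"); i += 1   # ** crosses directory boundaries
        elif c == "*":   out.append("[^/]*")        # * stops at the next slash
        elif c == "?":   out.append("[^/]")
        elif c == "{":   out.append("(?:"); depth += 1
        elif c == "}":   out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")    # comma only separates inside braces
        else:            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def parse_header(line):
    """Return (profile name, attachment or None) for a profile header line."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    name, attachment = m.group(1), m.group(2)
    if attachment is None and name.startswith(("/", "@{")):
        attachment = name                       # unnamed profile: the path is both
    return name, attachment

def find_profile(exe, headers=SAMPLE_HEADERS, variables=SAMPLE_VARS):
    """Name of the profile whose expanded attachment matches exe, else None."""
    for line in headers:
        parsed = parse_header(line)
        if parsed and parsed[1]:
            if re.match(aare_to_regex(expand_vars(parsed[1], variables)), exe):
                return parsed[0]
    return None
```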