Public bug reported:
I am experimenting with the new profile stacking feature of AppArmor on
Ubuntu 16.10.
However, when trying to load a profile with stacking ("//&"), the
apparmor-parser will report the following error:
AppArmor parser error for /etc/apparmor.d/root.test.shell in
/etc/apparmor.d/root.test.shell at line 8: syntax error, unexpected
TOK_ID, expecting TOK_END_OF_RULE.
The system is Ubuntu 16.10 Server edition. I am trying to confine a
test program at /root/test/shell. The profile looks like the following:
#include
/root/test/shell {
  #include
  /bin/touch ix,
  /root/test/read px -> readtest1 //& readtest2,
  /root/test/shell mr,

  profile readtest1 {
    #include
    /root/test/file1 r,
    /root/test/read mr,
  }

  profile readtest2 {
    #include
    /root/test/file2 r,
    /root/test/read mr,
  }
}
If the stacking works, when the /root/test/shell execs /root/test/read,
it should not be able to read either file1 or file2.
I am not sure if I am using the stacking in the wrong way, or there is a
bug in userspace support for stacking.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
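The expected behaviour described above (the stacked /root/test/read being denied both file1 and file2) follows from stacking being an intersection of the profiles' permissions. The following Python model is an added illustration, not part of the bug report or of AppArmor's own code: the rule tables are transcribed from the two sub-profiles in the report, while the matching logic is a hypothetical simplification (no abstractions, deny rules or full globbing) rather than the kernel's matcher.

```python
# Simplified model of AppArmor profile stacking (added example; not from
# the bug report or the apparmor code base). A stacked confinement such as
# "readtest1//&readtest2" permits an access only when *every* profile in
# the stack permits it, so the effective permission set is the intersection.
# Rule tables are transcribed from the report; the checker is a hypothetical
# simplification with no abstractions, deny rules or full AppArmor globbing.

from fnmatch import fnmatchcase

# Constructed rule tables: (path pattern, permission letters) per profile.
PROFILES = {
    "readtest1": [("/root/test/file1", "r"), ("/root/test/read", "mr")],
    "readtest2": [("/root/test/file2", "r"), ("/root/test/read", "mr")],
}


def parse_stack(label: str) -> list:
    """Split a stacked label such as 'readtest1//&readtest2' into its parts.

    Surrounding whitespace is tolerated so 'readtest1 //& readtest2' parses too.
    """
    return [p.strip() for p in label.split("//&") if p.strip()]


def profile_allows(profile: str, path: str, perm: str) -> bool:
    """True if a single profile has a rule granting `perm` on `path`."""
    for pattern, perms in PROFILES.get(profile, []):
        if fnmatchcase(path, pattern) and perm in perms:
            return True
    return False


def stack_allows(label: str, path: str, perm: str) -> bool:
    """Stacked confinement: every profile in the stack must allow the access."""
    parts = parse_stack(label)
    return bool(parts) and all(profile_allows(p, path, perm) for p in parts)


def explain(label: str, path: str, perm: str) -> str:
    """Name the first profile in the stack that blocks the access, if any."""
    for p in parse_stack(label):
        if not profile_allows(p, path, perm):
            return f"{path} {perm}: DENIED by {p}"
    return f"{path} {perm}: ALLOWED"


if __name__ == "__main__":
    for path in ("/root/test/file1", "/root/test/file2", "/root/test/read"):
        print(explain("readtest1//&readtest2", path, "r"))
```

Running it shows file1 denied by readtest2 and file2 denied by readtest1, while /root/test/read itself remains readable because both profiles grant it.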
https://bugs.launchpad.net/bugs/1639660
Title:
apparmor-parse cannot parse profile with stacking //&
Status in apparmor package in Ubuntu:
New