The apparmor userspace does not currently properly support grand children
profiles and sibling transitions.

px is a namespace relative transition
cx is a child transition

A sibling transition can currently be done manually by providing
the fully qualified profile path; for the bug example that would
require being reworked as:

  /tmp/foo {
    /tmp/bar Cx -> bar, # works
    profile bar {
      /tmp/baz Px -> /tmp/foo//baz, # does not work
    }
    profile baz {
    }
  }

This example failed because Px -> baz was trying to transition to a
sibling of /tmp/foo (namespace relative) not a sibling of profile bar.
Changing the Px to use /tmp/foo//baz clarifies that baz is a child of
/tmp/foo.

The compiler should be warning when transitions to non-existent profiles
are used.

Marking this a wish list bug because it is going to require extension to
support sibling transitions, grand children, and interprofile analysis,
none of which are currently supported. Note: the language has been
specced to support these but the user space tools do not yet.

The failure to log the failed transition is covered by Bug #1045074.
--
https://bugs.launchpad.net/bugs/1045081
Title:
child Cx transition to grandchild transition silently fails, and child
Px to sibling transition silently fails
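
Added example, not part of the original message and not code from the AppArmor tools: a small lint pass that resolves px targets as namespace relative and cx targets as children of the enclosing profile, as described in the comment above, and reports transitions whose resolved target is not defined. It assumes a simplified syntax (one rule per line, only Px/Cx rules with an explicit `->` target); the function names and the sample policy are constructed for illustration.

```python
import re

# Constructed sample: the bug's layout with the relative "Px -> baz" target.
SAMPLE = """\
/tmp/foo {
  /tmp/bar Cx -> bar,
  profile bar {
    /tmp/baz Px -> baz,
  }
  profile baz {
  }
}
"""

OPEN = re.compile(r"^(?:profile\s+)?(\S+)\s*\{$")
EXEC = re.compile(r"^(\S+)\s+([PpCc])[xX]\s*->\s*([^,\s]+)\s*,")

def parse(text):
    """Return (set of fully qualified profile names, list of exec rules)."""
    stack, profiles, rules = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line == "}":
            stack.pop()
        elif m := OPEN.match(line):
            stack.append(m.group(1))
            profiles.add("//".join(stack))    # children are joined with "//"
        elif m := EXEC.match(line):
            owner = "//".join(stack)
            rules.append((lineno, owner, m.group(2).lower(), m.group(3)))
    return profiles, rules

def resolve(current, kind, target):
    """px targets are namespace relative; cx targets are children of current."""
    return target if kind == "p" else f"{current}//{target}"

def lint(text):
    """Return (line, owning profile, resolved target) for undefined targets."""
    profiles, rules = parse(text)
    return [(n, cur, resolve(cur, k, t)) for n, cur, k, t in rules
            if resolve(cur, k, t) not in profiles]

if __name__ == "__main__":
    for n, cur, target in lint(SAMPLE):
        print(f"line {n}: profile {cur}: transition to undefined profile {target}")
```

Run on the sample it flags the Px rule inside profile bar, whose target resolves to a top-level profile named baz that does not exist; with the target written as /tmp/foo//baz it reports nothing.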