I'm afraid apparmor_parser is not fully aware of this restriction.

    # cat foo
    /usr/bin/foo {
      # mount options=(rw, runbindable) / -> /bar,  # causes error
      mount options=(rw, runbindable) -> /bar,  # accepted as valid (as expected)
      mount options=(rw, runbindable) /,  # accepted as valid, but shouldn't
    }

    # apparmor_parser -r foo
    #

This means a rule with only a source (but no target mountpoint) gets accepted by the parser and loaded into the kernel, even if it should raise an error.

BTW: The commented-out rule that indeed triggers an error results in a not-so-useful error message:

    Encoding of mount rule failed
    ERROR processing policydb rules for profile /usr/bin/foo, failed to load

A more detailed error message that points out the invalid rule would be nice.

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685

Title:
  aa-logprof fails with 'runbindable' error
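Added example (not part of the bug report, and not AppArmor project code): a small pre-load lint that flags the rule shape the report says the parser lets through, a mount rule that combines a propagation flag with a source path. It assumes, from the three cases in the report, that any source is invalid alongside such a flag; the flag names other than runbindable are taken from apparmor.d(5), and only the parenthesised options=(...) form shown in the report is parsed.

```python
import re

# Propagation flags as listed in apparmor.d(5); the report only shows runbindable.
PROPAGATION = {f"{p}{r}{k}" for p in ("", "make-") for r in ("", "r")
               for k in ("shared", "private", "slave", "unbindable")}

# Narrow grammar (assumption): [qualifiers] mount [options=(...)] [source] [-> target],
RULE = re.compile(
    r"""^\s*(?:(?:audit|allow|deny)\s+)*mount\b
        (?:\s+options\s*(?:=|in)\s*\((?P<opts>[^)]*)\))?
        (?:\s+(?P<src>(?!->)[^\s,]+))?
        (?:\s*->\s*(?P<dst>[^\s,]+))?
        \s*,""", re.X)

def lint_mount_rules(profile_text):
    """Return (line number, shape, propagation flags) for each suspect rule."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # commented-out rule, ignore
            continue
        m = RULE.match(line)
        if not m or not m["opts"]:
            continue
        flags = set(m["opts"].replace(",", " ").split())
        prop = sorted(flags & PROPAGATION)
        if prop and m["src"]:
            shape = "source and target" if m["dst"] else "source only"
            findings.append((lineno, shape, prop))
    return findings

# The profile from the report, reproduced as sample input.
SAMPLE = """\
/usr/bin/foo {
  # mount options=(rw, runbindable) / -> /bar,  # causes error
  mount options=(rw, runbindable) -> /bar,  # accepted as valid (as expected)
  mount options=(rw, runbindable) /,  # accepted as valid, but shouldn't
}
"""

if __name__ == "__main__":
    for lineno, shape, prop in lint_mount_rules(SAMPLE):
        print(f"line {lineno}: propagation flag(s) {prop} with {shape}")
```

Unlike the parser message quoted in the report, each finding carries the line number of the offending rule.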