** Description changed:

  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:

  In AppArmor policy, abstract unix addresses must start with @. When trying to use alternations {.,.} at the start of an abstract address name, the @ and the alternation {.,.} would form an invalid variable name @{.,.}.

  AppArmor 5 added stricter checking around variables, and the additional checks catch this (the @ followed by an alternation) as an invalid variable.

  Unfortunately this combination was supported in previous versions of the
- parser, and in use in snapd policy, so in order to not regress behavior,
- we are accepting such strings, using the previous behavior.
+ parser and is used in snapd policy. In order to not regress behavior, we
+ will have to accept such strings using the previous behavior.

  Specifically in AppArmor 4.x, a rule of the form unix connect peer=(addr="@{alt1,alt2}-test") would parse as a literal @ followed by either alt1 or alt2, with abstract socket addresses having to start with @.

  Restore this behavior in AppArmor 5 by allowing it to detect the invalid variable and treat it as an @ followed by an alternation.
-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2126450

Title:
  AppArmor Unix socket rules need to be able to support addr=@{a,b} variable usage
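The two readings of a leading `@{...}` in an abstract unix address that the bug describes, as an added example that is not the AppArmor parser's code: a constructed Python model in which a braced token naming a valid variable is substituted from an assumed variable table, while anything else (such as `@{alt1,alt2}`) keeps the `@` literal and expands the braces as an alternation; `strict=True` mimics the AppArmor 5 check that rejected the latter.

```python
import re
from itertools import product

# Constructed illustration, not the AppArmor parser. VAR_NAME is an assumed
# shape for variable names; the real parser's rules are not reproduced here.
VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
LEADING_BRACE = re.compile(r"^@\{([^{}]*)\}")
ALT_GROUP = re.compile(r"\{([^{}]*)\}")


def expand_alternations(s):
    """Expand every {a,b,...} group in s into all literal strings it denotes."""
    groups = ALT_GROUP.findall(s)
    if not groups:
        return [s]
    template = ALT_GROUP.sub("{}", s)
    return [template.format(*pick) for pick in product(*(g.split(",") for g in groups))]


def expand_abstract_addr(addr, variables, strict=False):
    """Return the literal abstract socket addresses an addr= value denotes.

    variables: constructed {name: value} table standing in for policy @{NAME} definitions.
    strict=True models the AppArmor 5 check that refused '@{alt1,alt2}' as a bad
    variable name; strict=False models the AppArmor 4.x reading the fix restores.
    """
    if not addr.startswith("@"):
        raise ValueError("abstract unix address must start with '@'")
    m = LEADING_BRACE.match(addr)
    if m:
        inner = m.group(1)
        if VAR_NAME.match(inner):
            # Genuine variable reference: the whole '@{NAME}' is replaced by its value.
            if inner not in variables:
                raise ValueError(f"undefined variable @{{{inner}}}")
            addr = variables[inner] + addr[m.end():]
            if not addr.startswith("@"):
                raise ValueError("variable value does not yield an abstract address")
        elif strict:
            raise ValueError(f"invalid variable name in @{{{inner}}}")
        # Otherwise the '@' stays literal and the braces expand as an alternation.
    return expand_alternations(addr)


def rejected_by_strict_check(addr, variables=None):
    """True if the AppArmor-5-style strict check would refuse this address."""
    try:
        expand_abstract_addr(addr, variables or {}, strict=True)
    except ValueError:
        return True
    return False
```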
