[apparmor] alias rules broken for /{,var/}run/
John Johansen
john.johansen at canonical.com
Tue Nov 1 13:57:33 UTC 2011
On 11/01/2011 12:32 AM, John Johansen wrote:
> On 10/31/2011 06:11 PM, Christian Boltz wrote:
>> Hello,
>>
>> lots of profiles contain rules for /{,var/}run/ nowadays.
>>
>> Unfortunately that breaks if /var is a symlink (to /home/sys-var in my
>> case) even if a correct alias rule is set up.
>>
>
> Sigh, yes, it's due to how aliases are currently handled. Currently they are
> done in the front end before the expr parsing and DFA magic, which means
> they can't cope with the /{,var/} part of the rule.
>
> It is something I have been working towards fixing, but I am not quite
> there yet. We could possibly add a simplified replacement in the
> expr tree now, which could handle your case but wouldn't correctly
> deal with
>
> /va*
>
> or other such expressions. I wish I could give you a better answer on
> this. I could elaborate on the 2 potential solutions I have been
> evaluating, but I don't have an ETA on the fix.
>
Christian,
I have spent more time looking at this and it will be fixed in the next
release. The real question is whether we will fix this in 2.7; it
will be a larger patch but is doable. How important would you rate
fixing this in 2.7?
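
An added illustration, not part of the thread and not AppArmor parser code: a simplified Python model of the ordering problem described above. An alias applied as a prefix rewrite on the raw rule text never matches `/{,var/}run/**`, while applying it after the alternation is expanded does, yet still misses `/va*`. The alias target comes from the thread; the function names and the prefix-rewrite model are assumptions.

```python
import re

# Constructed sample values modelled on the thread:
# /var is a symlink to /home/sys-var, and profiles use /{,var/}run/.
ALIAS = ("/var/", "/home/sys-var/")
RULE = "/{,var/}run/**"


def expand_braces(pattern):
    """Expand {a,b,...} alternations (innermost first) into literal patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def alias_on_text(rule, alias):
    """Assumed model of aliasing before expression parsing: prefix match on text."""
    src, dst = alias
    rules = [rule]
    if rule.startswith(src):
        rules.append(dst + rule[len(src):])  # keep original, add rewritten rule
    return rules


def alias_after_expansion(rule, alias):
    """Assumed model of the simplified replacement: expand first, then rewrite."""
    out = []
    for path in expand_braces(rule):
        for rewritten in alias_on_text(path, alias):
            if rewritten not in out:
                out.append(rewritten)
    return out


if __name__ == "__main__":
    print(alias_on_text(RULE, ALIAS))          # alias never fires
    print(alias_after_expansion(RULE, ALIAS))  # /home/sys-var/run/** is added
    print(alias_after_expansion("/va*", ALIAS))  # glob case is still missed
```
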