[apparmor] Condition rules on apparmor version

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Fri Jun 27 20:23:21 UTC 2014

I am trying to make an apparmor profile that will both work on Debian
Wheezy (2.7.103-4) as well as Ubuntu trusty (2.8.95).

The application uses two profiles: opencpu-main [1] and
opencpu-exec [2]. A process confined by opencpu-main has to be able to
kill a process confined by opencpu-exec. Up till apparmor 2.8.0 this
was unregulated, hence no special rules are needed to allow the
killing on Debian. However, starting with apparmor 2.8.95, the profile needs
to contain the following rules in order for this to be permitted:

In opencpu-main:
  signal w peer=opencpu-exec,

In opencpu-exec:
  signal r peer=opencpu-main,

With these rules added to the profile, the application works in
Trusty. However, in Debian I get a syntax error with these rules
because the signal functionality is not available yet. So I now need
to maintain separate profiles on my Debian and Ubuntu boxes, which is
a bit inconvenient.

So the question: is there some way to define this permission using a
rule that will work for both versions of apparmor? A line that permits
opencpu-main to kill opencpu-exec in apparmor 2.8.95, but gets ignored
or is harmless in apparmor 2.7.103?

[1] https://github.com/jeroenooms/opencpu-deb/blob/master/opencpu-server/apparmor.d/opencpu-main
[2] https://github.com/jeroenooms/opencpu-deb/blob/master/opencpu-server/apparmor.d/opencpu-exec
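The version-dependent rule pair described above, as an added example that is not part of the original message or of the opencpu project: a POSIX sh helper that renders each profile with the `signal` lines only when the parser version is at least 2.8.95 (the threshold the post reports), so one generator script can be shipped to both the Debian and the Ubuntu boxes instead of two hand-maintained profiles. The profile skeletons, the function names and the assumed `apparmor_parser --version` output format ("AppArmor parser version X.Y.Z") are this example's own assumptions; the real profiles live at the links above.

```shell
#!/bin/sh
# Generate opencpu-main / opencpu-exec profiles whose signal rules are
# emitted only for parsers that understand them. Example code, not the
# opencpu project's own tooling.

# version_ge A B: succeed (0) when dotted numeric version A >= B.
# Components are compared numerically, missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Assumption taken from the post: signal rules are accepted from 2.8.95 on
# and rejected as a syntax error by 2.7.x parsers.
SIGNAL_RULES_MIN_VERSION="2.8.95"

supports_signal_rules() {
    version_ge "$1" "$SIGNAL_RULES_MIN_VERSION"
}

# detect_parser_version: print the installed parser's version, or nothing.
# Assumes the first line of `apparmor_parser --version` reads
# "AppArmor parser version X.Y.Z".
detect_parser_version() {
    apparmor_parser --version 2>/dev/null \
        | sed -n 's/^AppArmor parser version \([0-9.]*\).*/\1/p' \
        | head -n 1
}

# render_main_profile VERSION: hypothetical skeleton for opencpu-main;
# the real rule body is elided and should come from the project's profile.
render_main_profile() {
    ver="$1"
    printf '%s\n' '#include <tunables/global>'
    printf '%s\n' 'profile opencpu-main {'
    printf '%s\n' '  # ... existing opencpu-main rules go here ...'
    if supports_signal_rules "$ver"; then
        # Allow sending signals to processes confined by opencpu-exec.
        printf '%s\n' '  signal w peer=opencpu-exec,'
    fi
    printf '%s\n' '}'
}

# render_exec_profile VERSION: hypothetical skeleton for opencpu-exec.
render_exec_profile() {
    ver="$1"
    printf '%s\n' '#include <tunables/global>'
    printf '%s\n' 'profile opencpu-exec {'
    printf '%s\n' '  # ... existing opencpu-exec rules go here ...'
    if supports_signal_rules "$ver"; then
        # Allow receiving signals from processes confined by opencpu-main.
        printf '%s\n' '  signal r peer=opencpu-main,'
    fi
    printf '%s\n' '}'
}

# Usage:
#   sh gen-profiles.sh detect             -> prints the installed parser version
#   sh gen-profiles.sh render 2.7.103     -> profiles without signal rules
#   sh gen-profiles.sh render 2.8.95      -> profiles with signal rules
case "${1:-}" in
    detect) detect_parser_version ;;
    render) render_main_profile "$2"; echo; render_exec_profile "$2" ;;
esac
```

On a Wheezy box the rendered output contains no `signal` lines, so the 2.7.103 parser never sees the keyword it rejects; on Trusty the same script emits both rules. The version comparison is purely numeric, so a parser that reports a suffix such as a distribution patch level after the third component still compares correctly on its first three components.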
