[apparmor] Nested child profiles

John Johansen john.johansen at canonical.com
Mon Sep 22 15:37:46 UTC 2014


On 09/22/2014 06:17 AM, azurIt wrote:
> Hi,
> 
> does AppArmor support nested child profiles or child profiles inside hats? I'm asking because I'm having problems with execution using 'cx' permission inside a hat. I'm unable to create a child profile directly inside a hat because of this error:
> apparmor_parser: Unable to replace "test".  Profile doesn't exist
> 
> If I create a child profile inside the root profile, I'm getting errors such as 'no such file or directory' while running an executable with 'cx' permission (and yes, the child profile has the correct name).
> 
> Thanks for any hints.
> 
Not at this time.

A longer, more complicated answer is that the kernel supports them but the
tools do not, and the compiler (apparmor_parser) only partially supports
them at the moment.

If you skip using the tools to author your profiles and use external
child profiles, they should work.  That is, the parser does not
properly track embedding the profile past one level, so

  profile /A {
    profile B {
      /foo cx -> C,
      profile C {
      }
    }
  }


Does not work but you can do

  profile /A {
    profile B {
      /foo px -> /A//B//C,
    }
  }
  # external profile
  profile /A//B//C {
  }

You however can not do nested hats (hat within a hat) because the kernel
only supports tracking a single level of hats at this time.
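The two limits described in this reply (a child profile embedded more than one level deep, and a hat inside a hat) can be caught before apparmor_parser reports a confusing "Profile doesn't exist". The scanner below is an added example written for this archive page, not AppArmor project code; it assumes one block opener or closer per line and suggests the external `/A//B//C` form for any grandchild profile it finds.

```python
"""Pre-check AppArmor policy text for nesting the 2014 toolchain rejects: a child
profile inside a child profile, and a hat inside a hat. Constructed example, not
AppArmor code; a line-based scanner (one block opener or closer per line)."""
import re

# Block opener: optional 'profile'/'hat' keyword, a name, optional flags, then '{'.
_OPEN = re.compile(r'^\s*(?:(profile|hat)\s+)?(\S+)[^{]*\{\s*$')
_CLOSE = re.compile(r'^\s*\}\s*,?\s*$')


def check_nesting(policy_text):
    """Return problem descriptions; an empty list means the nesting is supported."""
    stack, problems = [], []     # stack: (kind, name) of enclosing blocks, outermost first
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = _OPEN.match(line)
        if not m:
            continue
        keyword, name = m.group(1), m.group(2).strip('"')
        kind = 'hat' if keyword == 'hat' or name.startswith('^') else 'profile'
        name = name.lstrip('^')
        enclosing = [n for k, n in stack if k == 'profile']
        if kind == 'profile' and len(enclosing) >= 2:
            # apparmor_parser tracks only one level of embedding: move the grandchild
            # to top level and address it by its full '//'-joined name.
            external = '//'.join(enclosing + [name])
            problems.append(f"line {lineno}: profile '{name}' is nested two levels deep; "
                            f"declare 'profile {external}' at top level and use "
                            f"'px -> {external}' from '{enclosing[-1]}'")
        elif kind == 'hat' and any(k == 'hat' for k, _ in stack):
            problems.append(f"line {lineno}: hat '{name}' is inside a hat; the kernel "
                            f"tracks a single level of hats")
        stack.append((kind, name))
    return problems


# Constructed samples: the layout the post says fails, and its external-profile form.
NESTED_TWICE = "profile /A {\n  profile B {\n    /foo cx -> C,\n    profile C {\n    }\n  }\n}\n"
EXTERNAL_CHILD = ("profile /A {\n  profile B {\n    /foo px -> /A//B//C,\n  }\n}\n"
                  "# external profile\nprofile /A//B//C {\n}\n")
NESTED_HATS = "profile /A {\n  ^outer {\n    ^inner {\n    }\n  }\n}\n"
```

Running `check_nesting` over a profile file before loading it turns the parser's "Unable to replace" error into a message that names the offending block and the external profile name to use instead.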