[apparmor] trouble with nested grandchild profiles
apparmor at raf.org
Wed Sep 9 10:50:08 UTC 2015
debian-8.1, apparmor-2.9.0
Hi,
I'm having trouble getting nested grandchild profiles working.
When I tried something like this:
/usr/sbin/apache2 flags=(complain) {
    /path/to/index.cgi rCx -> indexcgi_profile,
    profile indexcgi_profile flags=(complain) {
        /usr/bin/mutt-org rCx -> mutt_profile,
        profile mutt_profile flags=(complain) {
        }
    }
}
I got this error when trying to load it:
/sbin/apparmor_parser: Unable to replace "mutt_profile".
Profile doesn't exist
So I tried moving the mutt_profile grandchild profile out
of indexcgi_profile like this:
/usr/sbin/apache2 flags=(complain) {
    /path/to/index.cgi rCx -> indexcgi_profile,
    profile indexcgi_profile flags=(complain) {
        /usr/bin/mutt-org rCx -> mutt_profile,
    }
    profile indexcgi_profile//mutt_profile flags=(complain) {
    }
}
And apparmor_parser loaded it without complaint and aa-status shows:
/usr/sbin/apache2//indexcgi_profile
/usr/sbin/apache2//indexcgi_profile//mutt_profile
Which looks promising but then I got this apparmor log message:
audit: type=1400 audit(1441794360.161:74384): apparmor="ALLOWED"
operation="exec" info="profile not found" error=-2
profile="/usr/sbin/apache2//indexcgi_profile"
name="/usr/bin/mutt-org" pid=13884
comm="index.cgi" requested_mask="x" denied_mask="x"
fsuid=33 ouid=0
So, the first concern is that either of the two versions should
be equivalent as far as I can tell from what I've read.
Why does apparmor_parser reject the first version but not the second?
Is it a bug in apparmor_parser or have I misunderstood something?
Secondly, why is it not working? The indexcgi_profile profile has a rule to
allow index.cgi to execute /usr/bin/mutt-org but the log message says that
it failed, saying "profile not found". Which profile hasn't been found? Why?
What do I have to do to make it findable?
Any suggestions?
cheers,
raf
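As an added example (not raf's code and not AppArmor's own tooling): a small Python helper that walks a profile file to list nested profile names in the parent//child form aa-status prints, records each `Cx -> name` transition together with the profile it sits in, and parses audit lines like the one above to pull out exec events that ended in "profile not found". The `unresolved_targets` check assumes a named `Cx` target is looked up as enclosing_profile//name; that is an assumption for correlating names, not the parser's own resolution rule, and the sample profile and audit line are constructed from the post.

```python
import re
# Constructed sample input: the post's second profile and the audit line it produced.
PROFILE_TEXT = """\
/usr/sbin/apache2 flags=(complain) {
    /path/to/index.cgi rCx -> indexcgi_profile,
    profile indexcgi_profile flags=(complain) {
        /usr/bin/mutt-org rCx -> mutt_profile,
    }
    profile indexcgi_profile//mutt_profile flags=(complain) {
    }
}
"""
AUDIT_LINE = ('audit: type=1400 audit(1441794360.161:74384): apparmor="ALLOWED" operation="exec" '
              'info="profile not found" error=-2 profile="/usr/sbin/apache2//indexcgi_profile" '
              'name="/usr/bin/mutt-org" pid=13884 comm="index.cgi" requested_mask="x" denied_mask="x" fsuid=33 ouid=0')
HEADER_RE = re.compile(r'^(?:profile\s+)?(\S+)(?:\s+flags=\([^)]*\))?\s*\{$')
TRANSITION_RE = re.compile(r'^(\S+)\s+(\S+)\s+->\s+([^,\s]+),')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def profile_names(text):
    """Return (declared names, transitions); names are built as parent//child, as aa-status prints them."""
    stack, declared, transitions = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            name = m.group(1) if not stack else stack[-1] + '//' + m.group(1)
            stack.append(name)
            declared.append(name)
        elif (t := TRANSITION_RE.match(line)) and stack:
            # tuple: (enclosing profile, exec path, mode, named transition target)
            transitions.append((stack[-1], t.group(1), t.group(2), t.group(3)))
        elif line == '}' and stack:
            stack.pop()
    return declared, transitions

def unresolved_targets(text):
    """Heuristic (assumed, not the parser's logic): a 'Cx -> name' target should be declared as enclosing//name."""
    declared, transitions = profile_names(text)
    return [t for t in transitions if t[0] + '//' + t[3] not in declared]

def parse_audit(line):
    """Key=value fields of an AppArmor audit line, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def unresolved_execs(audit_lines):
    """(requesting profile, binary) for exec events the kernel could not map to a loaded profile."""
    return [(f['profile'], f['name']) for f in map(parse_audit, audit_lines)
            if f.get('type') == '1400' and f.get('operation') == 'exec'
            and f.get('info') == 'profile not found']
```

Running it on the post's data shows the names line up under that heuristic while the audit line still reports an unresolved exec from /usr/sbin/apache2//indexcgi_profile, which is exactly the mismatch to take to the list.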