[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

Robert Munteanu robert.munteanu at gmail.com
Tue Sep 22 08:13:44 UTC 2015 

On Tue, Sep 22, 2015 at 11:09 AM, John Johansen
<john.johansen at canonical.com> wrote:
> << snip >>
>
>>>>> Sure, attached. I find it strange that the output ends with a
>>>>>
>>>>> @{HOME}=
>>>>>
>>>>> line, which would explain the error. However, I don't have such a line
>>>>> in my /etc/apparmor.d directory
>>>>>
>>>> So this is an artifact of how the parser is processing variables.
>>>>
>>>> The defines are read and partially processed during the preprocessing phase of
>>>> the parse and it is choking on @{HOME}= being assigned inside of the profile
>>>> scope (currently vars can only be defined in the header).
>>>>
>>>> What you need to look for is a file in <apache2.d> that is including
>>>> <tunables/global>
>>>
>>> That's right , there's a apache2.d/wordpress file which has that include
>>>
>>> Removing it makes the error go away, which is good. On the other hand,
>>> the wordpress file, which contains
>>>
>>>  ^wordpress {
>>>    #include <abstractions/base>
>>>    #include <abstractions/nameservice>
>>>    #include <abstractions/apache2-common>
>>>    #include <abstractions/php5>
>>>    /srv/www/wordpress/              r,
>>>    /srv/www/wordpress/**            r,
>>>    /srv/www/wordpress/wp-content/** w,
>>>    /var/log/apache2/**              w,
>>>    /srv/www/mod_pagespeed/cache/**  w,
>>>    /etc/wordpress/wp-config.php     r,
>>>    @{PROC}/@{pid}/statm             r,
>>>  }
>>>
>>> makes apparmor_parser complain:
>>>
>>> $ apparmor_parser -r wordpress
>>> Found reference to variable PROC, but is never declared
>>>
>
> strange, @{PROC} is definitely defined earlier,
>
> can you provide me an updated output for
>   apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork

Sure, it's attached.

The question is though - should I call apparmor_parser on
apache.d/wordpress ( which is a fragment ) or is it enough to call it
on usr.sbin.httpd2-prefork ?

Thanks,

Robert



-- 
http://robert.muntea.nu/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpd-prefork-expanded
Type: application/octet-stream
Size: 100057 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150922/ea06a348/attachment-0001.obj>

More information about the AppArmor mailing list