[apparmor] What's up with "Pux" qualifier?

John Johansen john.johansen at canonical.com
Sun Oct 1 23:19:53 UTC 2017


On 10/01/2017 08:42 AM, Vincas Dargis wrote:
> Hi,
> 
> I have reported bug [0] that `usr.bin.totem` containing `Pux` rule produces `aa-logprof` error:
> 
> ```
> ERROR: permission contains unknown character(s) Pux
> ```
> 
> Though `apparmor_parser` itself does not emit any errors or warnings.
> 

it is valid in that the parser accepts it but is slightly confusing in
that character case (sadly) is used to indicate whether environment
scrubbing is used, and in this situation you have one upper and one
lower case qualifier on the x making the intention ambiguous.

Pux is treated by the parser as being equivalent to PUx

There was a decision made a few years ago to deprecate the mixed case
version to avoid ambiguity in interpreting the rule.


> I can't find `Pux` in `man apparmor.d`, though it's mentioned in AppArmor wiki [1].
> 

apparmor.d was edited to only contain the preferred version of PUx and
pux

> So it's kinda confusing. Maybe it's simply `aa-logprof` bug and a man page is missing an update?
> 

I believe it was a deliberate decision by the author to not support
the confusing syntax of mixed characters. The parser's support is much
older and has not been patched to conform with the above mentioned
decision, ideally it should be reporting that the syntax is deprecated

> I managed to grep this mode only in that `usr.bin.totem` profile, which was modified recently, so it could
> slip through...
> 

It is possible for it to slip through if the profile never goes
through the logprof/genprof tools. There are several people who just
use a text editor and a parser when generating rules.


> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877255
> [1] http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
> 
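As an added example for this thread (not code from the AppArmor project or from either poster), the following Python lint finds mixed-case exec qualifiers such as `Pux` in a profile before the profile reaches `aa-logprof`. It reports the two unambiguous readings the maintainer can choose between (`PUx`, environment scrubbed, which the thread says is how `apparmor_parser` currently reads `Pux`; or `pux`, unscrubbed) and can rewrite the rule to either form. The sample profile, the rule regex, and the exclusion of `owner`/`audit`-prefixed rules are assumptions made for this example.

```python
"""Lint an AppArmor profile for mixed-case exec qualifiers such as "Pux".

Per apparmor.d(5), the transition letters of an exec rule (P/p, C/c, U/u)
carry the environment-scrubbing flag in their case: upper case scrubs.
The thread above states that apparmor_parser accepts "Pux" and treats it
as "PUx", while aa-logprof rejects it and the mixed form is deprecated.
"""
import re

# Only bare "<path> <perms>," lines are handled; rules with prefixes such
# as "owner" or "audit" are out of scope for this example (assumption).
RULE_RE = re.compile(r"^\s*(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)\s*,\s*$")

TRANSITION_LETTERS = "PUC"   # exec transition letters whose case matters
NON_EXEC = "rwmkl"           # file permissions with no exec meaning


def exec_qualifier(perms):
    """Return the exec part of a permission string ("rPUx" -> "PUx"),
    or None when the rule grants no execute permission."""
    if "x" not in perms:
        return None
    return "".join(c for c in perms if c not in NON_EXEC)


def split_qualifier(qual):
    """Split "Pix" into its transition letters "P" and the tail "ix"."""
    core = "".join(c for c in qual if c.upper() in TRANSITION_LETTERS)
    tail = "".join(c for c in qual if c.upper() not in TRANSITION_LETTERS)
    return core, tail


def is_mixed_case(qual):
    """True when the transition letters mix upper and lower case ("Pux")."""
    core, _ = split_qualifier(qual)
    return any(c.isupper() for c in core) and any(c.islower() for c in core)


def readings(qual):
    """The two unambiguous forms: scrubbed (all upper), unscrubbed (all lower)."""
    core, tail = split_qualifier(qual)
    return core.upper() + tail, core.lower() + tail


def lint_profile(text):
    """Return one finding per mixed-case exec rule in the profile text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        qual = exec_qualifier(m.group("perms"))
        if qual and is_mixed_case(qual):
            scrubbed, unscrubbed = readings(qual)
            findings.append({"line": lineno, "path": m.group("path"),
                             "qualifier": qual,
                             "scrubbed": scrubbed, "unscrubbed": unscrubbed})
    return findings


def rewrite_mixed_case(text, scrub=True):
    """Rewrite every mixed-case qualifier to one unambiguous form.

    scrub=True keeps the parser's current reading of "Pux" as "PUx"
    (as stated in the thread); scrub=False picks the lowercase form.
    Non-exec letters are kept but moved in front of the qualifier."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = m.group("perms")
            qual = exec_qualifier(perms)
            if qual and is_mixed_case(qual):
                new_qual = readings(qual)[0 if scrub else 1]
                fixed = "".join(c for c in perms if c in NON_EXEC) + new_qual
                line = line[:m.start("perms")] + fixed + line[m.end("perms"):]
        out.append(line)
    return "\n".join(out)


# Constructed sample profile; not the real usr.bin.totem shipped by Debian.
SAMPLE_PROFILE = """\
/usr/bin/totem {
  /usr/bin/xdg-open Pux,
  /usr/bin/helper rPUx,
  /bin/sh ix,
  /usr/lib/foo/* pux,
  # /usr/bin/commented Cux,
}
"""

if __name__ == "__main__":
    for f in lint_profile(SAMPLE_PROFILE):
        print("line %(line)d: %(path)s uses mixed-case %(qualifier)s; "
              "write %(scrubbed)s (scrub env) or %(unscrubbed)s (no scrub)" % f)
    print(rewrite_mixed_case(SAMPLE_PROFILE))
```

Running the lint over a profile tree before committing it catches the case the thread describes, where a hand-edited profile is never run through `aa-logprof`/`aa-genprof` and the parser accepts the ambiguous spelling silently.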
