[apparmor] Question about increasing the limit for profile transitions

John Johansen john.johansen at canonical.com
Thu May 17 05:26:53 UTC 2018


On 05/16/2018 08:58 PM, Liu,An wrote:
> I wrote the profile for the init process, which will transition to other profiles as follows when the system starts.
>
> /system/bin/wpa_supplicant px -> wpa,
>
> /system/bin/dhcpd -> dhcpd,
>
> My purpose is to protect the whole system using AppArmor. Since init is the first process to start, there are many transition rules (> 50) in the init profile.
>
> When I load the profile for init using apparmor-parser, I get the following error.
>
> $ Profile init has too many specified profile transitions.
>
> I think I need to increase the following macro (it was 16) in immunix.h to make the profile handle more transition rules.
>
> #define AA_EXEC_COUNT 64
>
> However, after increasing it and recompiling apparmor-parser, apparmor-parser got a segmentation fault when I load the profile. Any idea what is the correct way to increase the limit on the total number of profile transitions?
>

Unfortunately the limit is currently determined by how the permissions are packed. There are currently only 4 bits available, hence the limit of 16. There is work being done to fix this (generally referred to as the extended permission work), but it is not ready yet, and it will require an updated kernel and userspace.

There are some ways for you to work around this at the moment: you could use a regular px transition with the profile having a profile attachment, so for your example

  profile wpa /system/bin/wpa_supplicant {
    ...
  }

  profile dhcpd /system/bin/dhcpd {
    ...
  }

with your init process rules being


  /system/bin/wpa_supplicant px,
  /system/bin/dhcpd px,


This will let you keep the nice profile names while allowing for file-name based attachment, which doesn't take up any of the very limited transition entries that the -> transitions take.
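The workaround above, as an added example that is neither John's code nor the AppArmor project's: a small Python helper that counts the distinct `->` targets in a profile against the 16-entry limit from the reply and rewrites `px -> name` rules into plain `px` rules plus named profiles with attachment. The sample init profile, the `/system/bin/svcN` paths and the `synthetic_init` helper are constructed for this example; treating repeated targets as sharing one exec-table entry is an assumption of the example, not a statement from the thread.

```python
"""Rewrite `px -> name` transitions into name+attachment profiles.

Added example for the workaround in the reply above; not code from
the AppArmor project. The sample profile below is constructed.
"""
import re
from typing import Dict, List

# Limit given in the reply: the packed permissions leave 4 bits for the
# exec table, so one profile may name at most 16 `-> target` transitions.
AA_EXEC_COUNT = 16

# A rule of the form "<path> px -> <name>," (Px handled too).
NAMED_TRANSITION = re.compile(
    r"^(?P<indent>\s*)(?P<path>/\S+)\s+(?P<mode>[pP]x)\s*->\s*"
    r"(?P<target>[A-Za-z0-9_.-]+)\s*,\s*$"
)

# Constructed sample: an init profile using explicit named transitions.
INIT_PROFILE = """\
profile init /init {
  /system/bin/wpa_supplicant px -> wpa,
  /system/bin/dhcpd px -> dhcpd,
  /system/bin/logd Px -> logd,
  /system/bin/sh ix,
}
"""


def named_targets(profile_body: str) -> Dict[str, str]:
    """Map each `-> target` name to the first path that transitions to it."""
    targets: Dict[str, str] = {}
    for line in profile_body.splitlines():
        m = NAMED_TRANSITION.match(line)
        if m:
            # A target named from several paths keeps its first path only;
            # the generated attachment profile covers just that path.
            targets.setdefault(m["target"], m["path"])
    return targets


def exceeds_exec_limit(profile_body: str, limit: int = AA_EXEC_COUNT) -> bool:
    """True when the profile would trip 'too many specified profile transitions'.

    Assumption of this example: repeated targets share one table entry,
    so distinct target names are what count against the limit.
    """
    return len(named_targets(profile_body)) > limit


def rewrite_to_attachment(profile_body: str) -> str:
    """Replace every `px -> name` rule with a plain `px` rule.

    The named-profile attachment then selects the target profile, so no
    exec-table entry is consumed.
    """
    out: List[str] = []
    for line in profile_body.splitlines():
        m = NAMED_TRANSITION.match(line)
        if m:
            out.append(f"{m['indent']}{m['path']} {m['mode']},")
        else:
            out.append(line)
    return "\n".join(out)


def attachment_profiles(profile_body: str) -> str:
    """Emit a `profile <name> <path> { ... }` stub for every former target."""
    stubs = []
    for name, path in named_targets(profile_body).items():
        stubs.append(f"profile {name} {path} {{\n  # rules for {name} go here\n}}\n")
    return "\n".join(stubs)


def synthetic_init(n: int) -> str:
    """Constructed init profile with n distinct named transitions (for testing)."""
    rules = "\n".join(f"  /system/bin/svc{i} px -> svc{i}," for i in range(n))
    return f"profile init /init {{\n{rules}\n}}\n"


if __name__ == "__main__":
    print("targets in init:", named_targets(INIT_PROFILE))
    print("sample over limit?", exceeds_exec_limit(INIT_PROFILE))
    print("50 transitions over limit?", exceeds_exec_limit(synthetic_init(50)))
    print(rewrite_to_attachment(INIT_PROFILE))
    print(attachment_profiles(INIT_PROFILE))
```

Running the script prints the rewritten init profile (all `->` clauses gone, `ix` rules untouched) followed by one attachment profile per former target, which is the shape of the workaround John describes. The stubs are skeletons: the real rules for each service still have to be written into them.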


