[apparmor] Question about defining a profile name via @{exec_path} variable
Mikhail Morfikov
mmorfikov at gmail.com
Wed Jan 9 22:48:44 UTC 2019
For some time I've been using the following snipped to
create new profiles:
------------------------
include <tunables/global>
@{exec_path} = /usr/bin/keepassxc
profile keepassxc @{exec_path} {
#include <abstractions/base>
@{exec_path} mr,
}
------------------------
The path of course changes as well as the profile name.
This was working fine for some time, and now it also works
without problems:
# aa-status| grep keepassx
keepassxc
...
/usr/bin/keepassxc (2732) keepassxc
So AppArmor is able to match the profile to whatever is in
the @{exec_path} variable. All of my profiles look like
this.
When I wanted to use some AppArmor tools, for instance
"aa-complain", I get the following error:
# aa-complain usr.bin.keepassxc
ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/some-app and /etc/apparmor.d/some-other-app
I think the error started to show after upgrading apparmor
package from 2.13.1 to 2.13.2 .
Should this happen? Should I avoid using the code
snipped to make profiles and use regular paths instead?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190109/fed4cb95/attachment.sig>
More information about the AppArmor
mailing list