[apparmor] Question about defining a profile name via @{exec_path} variable
Christian Boltz
apparmor at cboltz.de
Thu Jan 10 13:58:49 UTC 2019
Hello,
Am Mittwoch, 9. Januar 2019, 23:48:44 CET schrieb Mikhail Morfikov:
> For some time I've been using the following snippet to
> create new profiles:
>
> ------------------------
> include <tunables/global>
>
> @{exec_path} = /usr/bin/keepassxc
> profile keepassxc @{exec_path} {
> #include <abstractions/base>
>
> @{exec_path} mr,
>
> }
> ------------------------
>
> The path of course changes as well as the profile name.
[...]
> When I wanted to use some AppArmor tools, for instance
> "aa-complain", I get the following error:
>
> # aa-complain usr.bin.keepassxc
> ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/some-app and
> /etc/apparmor.d/some-other-app
>
> I think the error started to show after upgrading apparmor
> package from 2.13.1 to 2.13.2 .
Looking at the changelog, it could be a side effect of "Fix minitools
for named profiles" (which needed some bigger changes), but I'll have to
look at the code/diff to verify this.
> Should this happen? Should I avoid using the code
> snippet to make profiles and use regular paths instead?
Your profiles are valid, but the tools don't like them ;-)
Variable support in the tools is limited, and variables in the profile
name or attachment don't get "expanded" to their real values. Therefore
the tools think you have multiple profiles for "@{exec_path}" (not
"/usr/bin/whatever"), and it isn't too surprising that they complain
about this. [1]
The proper solution / fix is to expand variables and to work on their
content, but I'm afraid that isn't something I can do quickly.
For now, you could use a workaround - prefix the variable name with the
profile name [2], so that you have for example
include <tunables/global>
@{keepassxc_exec_path} = /usr/bin/keepassxc
profile keepassxc @{keepassxc_exec_path} {
#include <abstractions/base>
@{keepassxc_exec_path} mr,
}
This should avoid that the tools error out.
Regards,
Christian Boltz
[1] Actually, with profile names, we might have to re-think if having
two profiles with different name, but same attachment is really
problematic. IMHO it is (because it isn't clear which profile will
be used, unless you Px -> $name into it), but we'll at least have to
add xattrs into the check.
[2] The important point is not to use the same variable name for
multiple profiles, and using the profile name as prefix shouldn't be
too hard to integrate in your script.
--
Encryption is only for terrorists and as such not supported :-)
[Stefan Seyfried in opensuse-packaging]
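An added example, not part of the thread or of the AppArmor project: a small POSIX shell helper that generates a profile with the profile-name-prefixed variable Christian suggests, plus a check that scans a directory of profiles for attachment strings (such as an unexpanded "@{exec_path}") shared by more than one profile, which is exactly what the 2.13.2 tools trip over. Function names, the directory layout and the sample profiles are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Names are assumed.

# gen_profile NAME PATH -> prints a minimal profile for NAME attached to
# PATH, using @{NAME_exec_path} so no two profiles share a variable name.
gen_profile() {
    name="$1"
    path="$2"
    var="${name}_exec_path"
    printf 'include <tunables/global>\n\n'
    printf '@{%s} = %s\n' "$var" "$path"
    printf 'profile %s @{%s} {\n' "$name" "$var"
    printf '  #include <abstractions/base>\n\n'
    printf '  @{%s} mr,\n' "$var"
    printf '}\n'
}

# dup_attachments DIR -> lists attachment strings (the token after the
# profile name in a "profile NAME ATTACHMENT ... {" line) that occur in
# more than one profile under DIR. Since the tools compare the literal
# text, a reused "@{exec_path}" shows up here; empty output means the
# tools will not see duplicate profiles for one attachment.
dup_attachments() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Match only lines that carry a separate attachment token; a
        # bare "profile foo {" or a pathname profile has none.
        awk -v file="$f" '
            /^[[:space:]]*profile[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]{]+/ {
                print $3, file
            }' "$f"
    done | sort | awk '
        { count[$1]++ }
        END { for (a in count) if (count[a] > 1) print a }
    ' | sort
}
```

Run `gen_profile keepassxc /usr/bin/keepassxc > /etc/apparmor.d/usr.bin.keepassxc` (or into a scratch directory) and then `dup_attachments /etc/apparmor.d` to confirm nothing is reported before reloading.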