[apparmor] Question about "too many specified profile transitions"
John Johansen
john.johansen at canonical.com
Sat Oct 26 16:08:56 UTC 2019
On 10/14/19 8:57 PM, Mikhail Morfikov wrote:
> Should the rules in the following test profile count as profile transitions?
>
Yes, those are all unique profile transitions.
> profile test /bin/test {
> /file1 rwl -> /some-file1,
> /file2 rwl -> /some-file2,
> /file3 rwl -> /some-file3,
> /file4 rwl -> /some-file4,
> /file5 rwl -> /some-file5,
> /file6 rwl -> /some-file6,
> /file7 rwl -> /some-file7,
> /file8 rwl -> /some-file8,
> /file9 rwl -> /some-file9,
> /file10 rwl -> /some-file10,
> /file11 rwl -> /some-file11,
> /file12 rwl -> /some-file12,
> /file13 rwl -> /some-file13,
> }
>
> When I try to load this profile, I get:
>
> # apparmor_parser -r test-profile
> Profile test has too many specified profile transitions.
>
Unfortunately, apparmor only supports 12 of this style of transition in a
profile atm. There are 2 patch sets in the works to help address this. The
first is a smaller patch that can be backported to older kernels and
userspaces; it will raise the limit to 28 of this style of transition in a
profile. There is also a larger rework of how the permission set is stored
and accessed in apparmor that will effectively remove the limit, allowing
for a few billion transitions if your computer can support it. But that
is a much larger patchset and will require a newer release of apparmor.
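
A pre-load check for the limit discussed in this message, as an added example that is not part of the original email or of AppArmor itself: it counts the distinct `-> target` names in each profile and reports any profile above 12. The function names are hypothetical, the parser assumes flat profiles with one rule per line (no nested profiles, includes or variables), and counting each distinct target once is an assumption based on the reply's wording "unique profile transitions".

```python
import re

# Limit stated in the reply above; the planned backportable patch raises it to 28.
MAX_NAMED_TRANSITIONS = 12

# Assumption: flat profiles, one rule per line, header and "}" on their own lines.
PROFILE_OPEN = re.compile(r'^(?:profile\s+)?(\S+).*\{$')
RULE_TARGET = re.compile(r'->\s*([^,\s]+)\s*,$')


def named_transitions(profile_text):
    """Map each profile name to its distinct '-> target' names, in file order."""
    result, current = {}, None
    for raw in profile_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments (and #include lines)
        if not line:
            continue
        if current is None:
            opened = PROFILE_OPEN.match(line)
            if opened:
                current = opened.group(1)
                result[current] = []
        elif line == '}':
            current = None
        else:
            target = RULE_TARGET.search(line)
            if target and target.group(1) not in result[current]:
                result[current].append(target.group(1))
    return result


def over_limit(profile_text, limit=MAX_NAMED_TRANSITIONS):
    """Return {profile: count} for profiles with more than `limit` distinct targets."""
    return {name: len(targets)
            for name, targets in named_transitions(profile_text).items()
            if len(targets) > limit}


def sample_profile(n):
    """Constructed input: the test profile from the post, with n rules."""
    rules = "\n".join(f"  /file{i} rwl -> /some-file{i}," for i in range(1, n + 1))
    return f"profile test /bin/test {{\n{rules}\n}}\n"


if __name__ == "__main__":
    for n in (12, 13):
        print(n, "rules ->", over_limit(sample_profile(n)) or "within limit")
```

Passing `limit=28` checks the same profile against the raised limit that the smaller patch is expected to bring.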