[apparmor] Apparmor: Query on adding many capabilities in the custom header file
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Thu Apr 22 15:45:27 UTC 2021
Hi John,
I am still facing the below error while parsing the profile.
While parsing profiles with sh -x /etc/apparmor/apparmor_parse.sh:
AppArmor parser error for /nvram2/apparmor_boot/usr.bin.test in
/nvram2/apparmor_boot/usr.bin.test at line 5: syntax error, unexpected
TOK_SET_VAR, expecting TOK_ID or TOK_END_OF_RULE
murali at linux:/nvram2/apparmor_boot# cat caps/common
@{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,pc_owner,sys_ptrace,sys_chroot
#include "/nvram2/apparmor_boot/caps/common"
profile test /usr/bin/test flags=(attach_disconnected) {
capability setuid,
capability setgid,
capability @{default_caps},   ===>> This line shows the syntax error [ syntax error, unexpected TOK_SET_VAR, expecting TOK_ID or TOK_END_OF_RULE ]
/sys/devices/system/cpu/online r,
/etc/security/* r,
/proc/driver/ng1/* rw,
/proc/sys/kernel/ngroups_max r,
/usr/ccsp/ethagent/ r,
/proc/*/comm r,
/proc/*/auxv r,
/proc/*/cmdline r,
/proc/*/environ r,
/proc/*/limits r,
/proc/*/stat r,
}
Can you please help us to resolve this error?
Thanks
Murali.S
On Thu, Apr 22, 2021 at 10:51 AM John Johansen
<john.johansen at canonical.com> wrote:
>
> On 4/20/21 10:01 AM, Murali Selvaraj wrote:
> > Hi All,
> >
> > As per our design, we are applying certain capabilities to all my profiles.
> >
> > -> created custom include files as follows, in #include "relative_path"
> > @{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,ipc_owner,sys_ptrace,sys_chroot
> >
> > -> Adding this header file in the required apparmor profiles.
> > #include "relative_path"
> > capability @{default_caps},
> >
> > -> While parsing the apparmor profiles into Kernel, observing below errors.
> > syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
> >
> > Can someone help me to clarify the above queries?
> >
>
> At this time variable assignment cannot be done in the profile body. It can only appear in the profile header. You need to rework your profile to do
>
> include "relative_path"
>
> profile example {
>
> capability @{default_caps},
> }
>
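As an added illustration of the point John makes (this is example code, not from the thread or from the AppArmor project): a small Python checker that models the rule that a variable assignment is legal only in the preamble (brace depth 0), flags an assignment that lands inside a profile body because of a badly placed include, and expands a @{var} reference in a rule into one rule per value. The include file, the two profile texts, the comma-separated value list and the helper names inline_includes and check_and_expand are assumptions constructed for the example; whether apparmor_parser itself accepts variables in capability rules is not settled by this thread, so the expansion only shows what the profile author intends.

```python
import re
# Constructed include file and profiles (not the thread's exact files).
INCLUDES = {"caps/common": "@{default_caps}=chown,dac_override,sys_ptrace\n"}
GOOD_PROFILE = """\
include "caps/common"
profile test /usr/bin/test flags=(attach_disconnected) {
  capability setuid,
  capability @{default_caps},
}
"""
# Same include, but placed inside the body, where assignment is not allowed.
BAD_PROFILE = """\
profile test /usr/bin/test flags=(attach_disconnected) {
  include "caps/common"
  capability @{default_caps},
}
"""
ASSIGN = re.compile(r"^\s*@\{(\w+)\}\s*=\s*(.+?)\s*$")
INCLUDE = re.compile(r'^\s*#?include\s+"([^"]+)"\s*$')
REF = re.compile(r"@\{(\w+)\}")

def inline_includes(text, includes):
    """Splice each include file's lines in place (one level), like the preprocessor."""
    out = []
    for line in text.splitlines():
        m = INCLUDE.match(line)
        out.extend(includes[m.group(1)].splitlines() if m and m.group(1) in includes else [line])
    return out

def check_and_expand(text, includes=INCLUDES):
    """Return (errors, lines). Assignments are accepted only at brace depth 0
    (the preamble); a @{var} reference in a rule is expanded one rule per value."""
    variables, errors, lines, depth = {}, [], [], 0
    for n, line in enumerate(inline_includes(text, includes), 1):
        m = ASSIGN.match(line)
        if m:
            if depth:
                errors.append(f"line {n}: assignment to @{{{m.group(1)}}} inside profile body")
            else:
                variables[m.group(1)] = m.group(2).replace(",", " ").split()
            continue
        refs = REF.findall(line)
        if refs and refs[0] not in variables:
            errors.append(f"line {n}: @{{{refs[0]}}} referenced but never set")
        elif refs:  # one reference per rule, as in the thread's capability rule
            lines.extend(line.replace("@{%s}" % refs[0], v).strip() for v in variables[refs[0]])
        elif line.strip():
            lines.append(line.strip())
        bare = REF.sub("", line)  # ignore the braces of @{...} when tracking nesting
        depth += bare.count("{") - bare.count("}")
    return errors, lines
```

Running check_and_expand(GOOD_PROFILE) yields no errors and three expanded capability rules; running it on BAD_PROFILE reports the in-body assignment and the resulting unset variable.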