[apparmor] Apparmor: Query on adding many capabilities in the custom header file
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Wed Apr 28 19:01:23 UTC 2021
Thanks, Christian, for the inputs.
I have created a header file as follows and included it in the apparmor profile.
admin at test:/etc/apparmor.d# cat caps/default
capability chown dac_override dac_read_search fowner fsetid kill
ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,
admin at test:/etc/apparmor.d#
profile :
cat usr.bin.foo
profile foo /usr/bin/foo flags=(attach_disconnected) {
#include <caps/default>
capability setgid,
capability setuid,
/sys/devices/system/cpu/online r,
/sys/devices/system/cpu/possible r,
/sys/devices/system/cpu/present r,
}
admin at test:~# sh /etc/apparmor/apparmor_parse.sh
Warning from stdin (line 1): config file '/etc/apparmor/parser.conf' not found
AppArmor parser error for /etc/apparmor.d/caps in
/etc/apparmor.d/caps/default at line 1: syntax error, unexpected
TOK_CAPABILITY, expecting $end
admin at test:~#
This syntax issue in turn sets the apparmor service to a failed state. But
the process/profile is loaded in enforce mode.
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled;
vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2021-04-25 23:20:12
UTC; 2 days ago
Docs: man:apparmor(7)
http://wiki.apparmor.net/
Process: 2658 ExecStart=/etc/apparmor/apparmor_parse.sh
(code=exited, status=1/FAILURE)
Main PID: 2658 (code=exited, status=1/FAILURE)
After loading the profile (enforce mode), the header file change
(capability) has been applied.
But I have seen this syntax error in the apparmor systemd service.
I confirmed that this is due to the header file [I had commented out this
line and did not see any error].
Can you please help us to resolve this syntax error (AppArmor parser
error for /etc/apparmor.d/caps in /etc/apparmor.d/caps/default at line
1: syntax error, unexpected TOK_CAPABILITY, expecting $end)?
Thanks
Murali.S
On Sun, Apr 25, 2021 at 2:18 AM Christian Boltz <apparmor at cboltz.de> wrote:
>
> Hello,
>
> On Saturday, 24 April 2021, 15:46:22 CEST, Murali Selvaraj wrote:
> > Can you please guide me to resolve the above query on the header file
> > with enabling many capabilities in the header file?
>
> a) /nvram2/apparmor_boot/caps/common
>
> capability chown dac_override dac_read_search fowner fsetid kill ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,
>
> or (same meaning, but more readable)
>
> capability chown,
> capability dac_override,
> capability dac_read_search,
> capability fowner,
> capability fsetid,
> capability kill,
> capability ipc_lock,
> capability sys_nice,
> capability setpcap,
> capability ipc_owner,
> capability sys_ptrace,
> capability sys_chroot,
>
>
> b) /nvram2/apparmor_boot/usr.bin.test
>
> profile test /usr/bin/test flags=(attach_disconnected) {
> #include "/nvram2/apparmor_boot/caps/common"
> capability setuid,
> capability setgid,
>
> /sys/devices/system/cpu/online r,
> [... all your other rules ...]
> }
>
> Note that you need to move the include inside the profile.
>
>
> Regards,
>
> Christian Boltz
> --
> >Enter ide-scsi under System-Kernel-MODULES_LOADED_ON_BOOT in the
> >Yast2 system editor for /etc/sysconfig files.
> *HOOOOOOOOWWWWLLL* *ARRRGGHHHH*
> Hand me a clinic-sized annual supply of $PAINKILLER!!!
> [> Heinz Dittmar and David Haller on suse-linux]
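As an added example (not code from this thread or from the AppArmor project): a small Python checker that walks a profile directory the way a loader descending into subdirectories such as caps/ would, and reports any file whose rules sit outside a profile block, which is exactly the file apparmor_parser rejects above with "unexpected TOK_CAPABILITY, expecting $end" when it is handed the snippet as if it were a profile. The rule-keyword list, the skipped snippet directories, the demo() helper and the sample files it writes are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Rule keywords that are only valid inside a "profile ... { }" block; a file
# starting with one is what the parser rejects with "unexpected TOK_CAPABILITY".
RULE_RE = re.compile(r"^\s*(capability|network|ptrace|signal|mount|umount|dbus|unix|owner|/)")


def top_level_rules(text):
    """Return (line_no, line) for rule lines that sit outside any {} block."""
    depth, hits = 0, []
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop '# ...' comments, but '#include'/'include' is a directive, not a comment.
        line = raw if raw.lstrip().startswith(("#include", "include")) else raw.split("#", 1)[0]
        if depth == 0 and RULE_RE.match(line):
            hits.append((no, raw.strip()))
        depth += line.count("{") - line.count("}")
    return hits


def scan_profile_dir(base, skip=("abstractions", "tunables", "local", "disable")):
    """Walk `base` as a loader that descends into subdirectories (caps/) would,
    skipping the snippet-only directories listed in `skip` (an assumed list)."""
    problems = {}
    for root, dirs, files in os.walk(base):
        if root == base:
            dirs[:] = [d for d in dirs if d not in skip]
        for name in files:
            path = os.path.join(root, name)
            with open(path) as fh:
                hits = top_level_rules(fh.read())
            if hits:
                problems[os.path.relpath(path, base)] = hits
    return problems


def demo():
    """Recreate the thread's layout in a temp dir (constructed sample files)."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "caps"))
    with open(os.path.join(base, "caps", "default"), "w") as fh:
        fh.write("capability chown dac_override dac_read_search fowner fsetid kill\n"
                 "ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,\n")
    with open(os.path.join(base, "usr.bin.foo"), "w") as fh:
        fh.write("profile foo /usr/bin/foo flags=(attach_disconnected) {\n"
                 "  #include <caps/default>\n  capability setgid,\n"
                 "  /sys/devices/system/cpu/online r,\n}\n")
    return scan_profile_dir(base)
```

Running demo() flags caps/default at line 1 and leaves usr.bin.foo alone, matching the error in the quoted service log; keeping such snippets in a directory the loader skips, or referencing them only via #include, avoids the failed-unit state.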