[apparmor] Apparmor: Query on adding many capabilities in the custom header file
Christian Boltz
apparmor at cboltz.de
Wed Apr 28 20:06:58 UTC 2021
Hello,
On Wednesday, 28 April 2021, 21:01:23 CEST, Murali Selvaraj wrote:
> I have created a header file as follows and included in the apparmor
> profile.
>
> admin at test:/etc/apparmor.d# cat caps/default
> capability chown dac_override dac_read_search fowner fsetid kill
> ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,
> admin at test:/etc/apparmor.d#
>
> profile :
> cat usr.bin.foo
> profile foo/usr/bin/foo flags=(attach_disconnected) {

Unrelated to your problem: I'd guess you mean

    profile foo /usr/bin/foo flags=(attach_disconnected) {

with a space between "foo" and the path.

> #include <caps/default>
[...]
> admin at test:~# sh /etc/apparmor/apparmor_parse.sh
> Warning from stdin (line 1): config file '/etc/apparmor/parser.conf'
> not found AppArmor parser error for /etc/apparmor.d/caps in
> /etc/apparmor.d/caps/default at line 1: syntax error, unexpected
> TOK_CAPABILITY, expecting $end
> admin at test:~#

I tested your usr.bin.foo profile with apparmor_parser, and it can be
loaded without problems. [To clarify: I also tested before adding the
space mentioned above.]

Can you please show your /etc/apparmor/apparmor_parse.sh script?
I have a feeling that it does something strange - wild guess:

    # apparmor_parser -r caps/default
    AppArmor parser error for caps/default in profile caps/default at
    line 1: syntax error, unexpected TOK_CAPABILITY, expecting end of
    file

You should only load your profiles with apparmor_parser, but not the
include files. Included files get loaded whenever they are included, and
are not meant to be loaded separately.

Oh, BTW - the most boring way to load all your profiles is

    apparmor_parser -r /etc/apparmor.d/

Regards,
Christian Boltz
--
If anything, then at most Homo Sapiens Sapiens XEmacensis, the
evolutionary line that, over the course of evolution, developed seven
fingers on each hand. And all that just to be able to use all the
keyboard shortcuts for operating XEmacs. [T. Templin on David Haller]
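
Added example, not part of the message above and not AppArmor project code: a loader helper that passes only profile files to apparmor_parser and leaves include files such as caps/default to be pulled in by the profiles that include them. The function names and the profile-header heuristic are assumptions of this example; the sample tree is constructed to mirror the files quoted in the thread.

```shell
#!/bin/sh
# Added example: select only real profiles from a profile directory so a
# loader script never hands an include fragment to apparmor_parser.

# Heuristic (an assumption of this example): a profile file contains a line
# that opens a block, starting with "profile <name>" or an absolute path
# and ending in "{". Include files hold bare rules and have no such line.
is_profile() {
    grep -Eq '^[[:space:]]*(profile[[:space:]]+[^[:space:]]|/).*[{][[:space:]]*$' "$1"
}

# Print the regular files in the top level of directory $1 that look like
# profiles. Subdirectories such as caps/ are not descended into.
list_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_profile "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree with the two files from the thread.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/caps"
    printf '%s\n' \
        'capability chown dac_override dac_read_search fowner fsetid kill' \
        'ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,' \
        > "$d/caps/default"
    printf '%s\n' \
        'profile foo /usr/bin/foo flags=(attach_disconnected) {' \
        '  #include <caps/default>' \
        '}' > "$d/usr.bin.foo"
    printf '%s\n' "$d"
}

# Reload each detected profile; requires apparmor_parser and root.
load_profiles() {
    list_profiles "$1" | while IFS= read -r p; do
        apparmor_parser -r "$p"
    done
}
```

Running list_profiles on the sample tree prints only usr.bin.foo; caps/default is never passed to the parser on its own.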