[apparmor] How to extend an existing profile?

John Johansen john.johansen at canonical.com
Thu Sep 16 05:03:01 UTC 2021


On 9/15/21 8:16 PM, Forest wrote:
> I need my custom AppArmor profile to mimic one of those included with LXC,
> with a new name and a few additional rules.  Is there a way to do this
> without copying the contents of the upstream profile?  Some way for one
> profile to inherit the rules of another profile?
> 
Atm apparmor policy does not support inheritance. See below for more.

> I considered #include, but that looks like a simple text import that would
> pull in the whole upstream file, including its header, and therefore not
> work.
> 
Unfortunately that is the case.

> As a last resort, I suppose I could copy the upstream profile's contents
> into a new file along with my additions, but that would duplicate upstream
> policy and risk falling out of sync with upstream changes.
> 
This is unfortunately what you are going to have to do atm.

How we would handle this as an upstream currently is refactor the profile
into a shared include, but unfortunately this doesn't really work for you.

> The use case is to get Steam's pressure-vessel working in LXC containers.
> 

So this has been brought up before and is something we need and have even
toyed with but haven't settled on the best way to do this. One of the sticking
points has been how to handle deleting rules: deny can be used for allow rules,
but we currently don't have (but are working on) a mechanism to remove deny
rules.

To fix this we have been working on support for policy composition, so
you could do something like

profile example {

   { include <foo> } except {
        deny w foo,
        ...
   }
}


This would give the mechanism we need to do rule removal with inheritance.
Something like

profile example {
   inherit foobar except {
     ...
   }

   allow r /a/new/rule,
   ...
}

Of course syntax isn't finalized, and feedback and ideas are welcome.
Hopefully this is something we can land sooner than later.
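The "refactor the profile into a shared include" approach mentioned in the reply, shown as an added illustration that is not part of the original message and is not the LXC or AppArmor projects' own policy text. The file names (`abstractions/example-base`), the profile names (`example-base`, `example-custom`), the flags and every path in the rules are assumptions chosen for the example. It demonstrates the two constraints the thread turns on: AppArmor's `#include` is a textual import, so the shared file must contain rules only and no `profile name { ... }` header; and a profile that includes it can add rules or add `deny` rules (deny always takes precedence over allow), but cannot remove a rule, and in particular cannot undo a `deny` that the include carries.

```apparmor
# /etc/apparmor.d/abstractions/example-base   (hypothetical shared include)
# Rules only, at profile scope. No profile header, so any number of
# profiles can pull these rules in with #include.
  #include <abstractions/base>
  capability sys_admin,
  capability net_admin,
  /usr/bin/**          mrix,
  /etc/**              r,
  owner /home/**       rw,
  # A deny carried by the include cannot be lifted by an including profile.
  deny /proc/sysrq-trigger rwklx,

# /etc/apparmor.d/example-base   (hypothetical "upstream" profile)
profile example-base flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/example-base>
}

# /etc/apparmor.d/example-custom   (hypothetical derived profile, new name)
profile example-custom flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/example-base>

  # Additional rules layered on top of the shared set (paths are assumptions).
  owner /home/*/.local/share/Steam/** rwk,
  /dev/shm/**                         rw,

  # Tightening works: this deny overrides the include's "owner /home/** rw"
  # for the matched subtree, because deny rules always win over allow rules.
  deny owner /home/*/.ssh/** rwklx,

  # Loosening does not: there is no rule that removes the include's
  # "deny /proc/sysrq-trigger" from this profile. That gap is the
  # rule-removal problem the reply describes.
}
```

Both profiles stay in sync with the shared rule set automatically, since only the include file changes. `apparmor_parser -Q /etc/apparmor.d/example-custom` parses the profile and its includes without loading anything into the kernel, which is a cheap syntax check, and `apparmor_parser -p` prints the preprocessed text so the include expansion can be inspected before a `-r` (replace) load.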
