The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes and replaces them with documentation of
which tunables are necessary, as some of the expected ones are not part of
tunables/global.

It also adjust the kernelvars tunable's definition of the @{pid}
regex, as the current parser does not support nesting of {} groupings,
which breaks any profile that attempts to use the tunable.

---
 profiles/apparmor.d/abstractions/apparmor_api/examine         |    4 ++--
 profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint |    5 +++--
 profiles/apparmor.d/abstractions/apparmor_api/introspect      |    4 ++--
 profiles/apparmor.d/abstractions/apparmor_api/is_enabled      |    4 ++--
 profiles/apparmor.d/tunables/kernelvars                       |    5 ++++-
 5 files changed, 13 insertions(+), 9 deletions(-)

Index: b/profiles/apparmor.d/abstractions/apparmor_api/examine
===================================================================
--- a/profiles/apparmor.d/abstractions/apparmor_api/examine
+++ b/profiles/apparmor.d/abstractions/apparmor_api/examine
@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-#include <tunables/proc>
-#include <tunables/kernelvars>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
 
 @{PROC}/@{pids}/attr/{current,prev,exec} r,
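Review bot: The replacement comment on the two added lines reads as though tunables/global already provides tunables/proc and tunables/kernelvars, yet the description says some of the expected tunables are not part of tunables/global, so a profile that follows the "if not tunables/global" clause may still reference an undefined @{pids} on the rule below and fail to parse. The requirement is better stated unconditionally, e.g. `# Requires @{PROC} and @{pids}: include tunables/proc and tunables/kernelvars` followed by `# in the profile preamble (tunables/global may not define all of them).`. The same comment is added in find_mountpoint and introspect and should be changed the same way.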
Index: b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
===================================================================
--- a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
+++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
@@ -8,6 +8,7 @@
 
 #permissions needed for aa_find_mountpoint
 
-#include <tunables/proc>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
 
-@{proc}/*/mounts r,
+@{PROC}/@{pids}/mounts r,
Index: b/profiles/apparmor.d/abstractions/apparmor_api/introspect
===================================================================
--- a/profiles/apparmor.d/abstractions/apparmor_api/introspect
+++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect
@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-#include <tunables/proc>
-#include <tunables/kernelvars>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
 
 @{PROC}/@{tid}/attr/{current,prev,exec} r,
Index: b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
===================================================================
--- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
+++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
@@ -8,8 +8,8 @@
 
 # permissions needed for aa_is_enabled
 
-#include <tunables/sys>
-#include <tunables/apparmorfs>
+# Make sure to include at least tunables/sys and tunables/apparmorfs
+# when using this abstraction, if not tunables/global.
 
 #include <abstractions/apparmor_api/find_mountpoint>
 @{sys}/module/apparmor/parameters/enabled r,
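Review bot: The comment added here names only tunables/sys and tunables/apparmorfs, but the unchanged `#include <abstractions/apparmor_api/find_mountpoint>` just below now depends on tunables/proc and tunables/kernelvars, since this same patch removes find_mountpoint's own include of tunables/proc and rewrites its rule as `@{PROC}/@{pids}/mounts r,`. A profile that follows this comment literally will therefore still reference @{PROC} and @{pids} without a definition. Extend the comment to cover the nested abstraction, e.g. `# Make sure to include at least tunables/sys, tunables/apparmorfs, tunables/proc` and `# and tunables/kernelvars when using this abstraction, if not tunables/global.`.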
Index: b/profiles/apparmor.d/tunables/kernelvars
===================================================================
--- a/profiles/apparmor.d/tunables/kernelvars
+++ b/profiles/apparmor.d/tunables/kernelvars
@@ -10,7 +10,10 @@
 # that will become kernel vars at some point
 
 # until kernel vars are implemented just use a pattern [0-9]{1,6}
-@{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# and until the parser supports nested groupings like
+#   @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# use
+@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
 
 #same pattern as @{pid} for now
 @{tid}=@{pid}
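Review bot: The new @{pid} alternation matches only one to six digits, and `@{tid}=@{pid}` on the last line inherits that ceiling, so on a system where pid_max has been raised above 999999 (64-bit kernels allow values up to 4194304) any rule built on these tunables would deny access to processes with seven-digit pids; the limit was already present in the nested form, but it is now much easier to miss behind the long line. At minimum document it next to the pattern, e.g. `# NOTE: matches pids 1-999999 only; extend the alternation if pid_max exceeds six digits`. The unchanged comment above still describes the pattern as `[0-9]{1,6}` while the new alternation requires a leading [1-9], so `[1-9][0-9]{0,5}` would describe it more accurately.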

