Re: [apparmor] Comments within a Variable Assignment lines

2018-01-05 Thread Seth Arnold
On Fri, Jan 05, 2018 at 08:32:02PM -0300, Nibaldo González wrote:
> Hello. I developed syntax highlighting for AppArmor profiles, in KDE's text
> editors (KSyntaxHighlighting Framework). I have been updating the
> highlighting and I have some questions about the comments in AppArmor.

That's cool, thanks!

> Checking the AppArmor parser and doing some tests, I have drawn some
> conclusions:
> [...]
> In this case, AppArmor grants write and read permissions to files with
> extension: '.#.txt', '.#All', '.the', '.format', '.#.xml', '.and',
> etc. Clearly, the profile must be fixed.

Wow. Thanks.

https://bugs.launchpad.net/ubuntu/+source/libreoffice-l10n/+bug/1741581

> Finally, is this a bug? Should AppArmor consider comments on the variable
> assignment?

This does feel like something we should address in the parser.

https://bugs.launchpad.net/apparmor/+bug/1741584

Thanks


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


[apparmor] Comments within a Variable Assignment lines

2018-01-05 Thread Nibaldo González
Hello. I developed syntax highlighting for AppArmor profiles, in KDE's text
editors (KSyntaxHighlighting Framework). I have been updating the
highlighting and I have some questions about the comments in AppArmor.

Checking the AppArmor parser and doing some tests, I have drawn some
conclusions:
  * Only the text after '#', written outside the rules, is considered a
comment (except file and alias rules).
Ex:

> dbus (bind) bus=system  #This is NOT a comment
>      name=org.bluez,  #This is a comment


  * Text after '#', written in the line of a variable assignment, is not
considered a comment. That is to say, AppArmor takes all the text separated
by spaces as values of the variable, including the "comments".
Ex:

> @{VARIABLE} = /my/path value1 value2  #This is NOT a comment
> @{VARIABLE} += value3 value[458]  # Hello


In the latter case, @{VARIABLE} takes the values:
'/my/path', 'value1', 'value2', '#This', 'is', 'NOT', 'a',
'comment', 'value3', 'value[458]', '#', 'Hello'.

This can lead to great confusion, since many people can write comments on
the line of a variable assignment, without knowing that they are adding the
text of the comment to the variable. AppArmor doesn't show any warning
about it. It is also not specified in the man page of apparmor.d.

At first I was not sure whether to consider this as a bug. However, I have
seen that, in Ubuntu 17.10, the default profile
'usr.lib.libreofficeprogram.soffice.bin' has comments in the variable
assignment lines.

File: '/etc/apparmor.d/usr.lib.libreofficeprogram.soffice.bin' (Ubuntu
17.10)

> 24|   @{libreoffice_ext} = [tT][xX][tT]  #.txt
> 25|   @{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]  #All the open
> document format
> 26|   @{libreoffice_ext} += [xX][mMsS][lL]  #.xml and xsl
> 27|   @{libreoffice_ext} += [pP][dD][fF]  #.pdf
> 28|   @{libreoffice_ext} += [uU][oO][fFtTsSpP]  #Unified office format
> 29|   @{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}  #(x)htm(l)
> ...
> 46|   @{libreoffice_ext} += [dD][iIbB][fF]  #.dif dbf
> 47|   @{libreoffice_ext} += [cCtT][sS][vV]  #.tsv .csv
> ...
> 53|   @{libreoffice_ext} += [sS][wW][fF]  #Flash
> 54|   @{libreoffice_ext} += [pP][sS][dD]  #Photoshop
> ...
> 84|   owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts


In this case, AppArmor grants write and read permissions to files with
extension: '.#.txt', '.#All', '.the', '.format', '.#.xml', '.and',
etc. Clearly, the profile must be fixed.


I did some tests on Ubuntu 17.10 (Linux 4.13.0-21, AppArmor 2.11.0) and
Ubuntu 16.04.3 (Linux 4.10.0-42, AppArmor 2.10.95).
If I add these rules to some profile (for example, to the Firefox profile):

> @{HELLO} = value1 value2
> @{HELLO} += value3  #This is a comment
> @{HELLO} += @{HOME}/folder value4   # other
> @{HELLO} += asd  #.tes
>
> /aa-test/@{HELLO}/{,**} rw,


Make directories:

> $ sudo mkdir /aa-test/ && sudo chown 1000 /aa-test/
> $ mkdir /aa-test/{value1,value2,value3,value4,#This,is,a,comment,#,other,asd,#.tes,no-access}

And reload the profile: $ aa-enforce /etc/apparmor.d/usr.bin...

There is write and read access in the directories:

> /aa-test/value1/
> /aa-test/value2/
> /aa-test/value3/
> /aa-test/#This/
> /aa-test/is/
> /aa-test/a/
> /aa-test/comment/
> /aa-test/home/*/folder/
> /aa-test/value4/
> /aa-test/#/
> /aa-test/other/
> /aa-test/asd/
> /aa-test/#.tes/



Finally, is this a bug? Should AppArmor consider comments on the variable
assignment?

Whatever the case, I believe that AppArmor should display a warning message
when loading profiles, if there is a '#' in the assignment of variables, in
order to avoid confusion.

Regards.
Nibaldo González S. (nibgonz at gmail com)
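The following is an added example and is not part of the thread or of AppArmor's own parser. It reproduces the tokenisation Nibaldo describes (every whitespace-separated word on an assignment line becomes a value, '#' included), so a reviewer can see exactly which words a profile's variables would absorb, emits the warning the message asks for, and rewrites offending lines so the comment lands on its own line above the assignment. The function names `split_values`, `parse_assignments` and `move_comments_out` and the `SAMPLE_PROFILE` text are my own constructions, built from the lines quoted in the message; they are not AppArmor APIs.

```python
import re
from typing import Dict, List, Tuple

# Start of a variable assignment: "@{NAME} = values" or "@{NAME} += values".
ASSIGN_RE = re.compile(r'^(\s*)(@\{[A-Za-z0-9_]+\})\s*(\+?=)\s*(.*)$')

# Constructed sample built from the lines quoted in the thread (not a real profile).
SAMPLE_PROFILE = """\
# leading comment lines are harmless
@{VARIABLE} = /my/path value1 value2  #This is NOT a comment
@{VARIABLE} += value3 value[458]  # Hello
  @{libreoffice_ext} = [tT][xX][tT]  #.txt
  @{libreoffice_ext} += [pP][dD][fF]  #.pdf
@{CLEAN} = /safe/path other
/aa-test/@{VARIABLE}/{,**} rw,
"""


def split_values(rhs: str) -> Tuple[List[str], List[str]]:
    """Split the right-hand side of an assignment into (values, comment_words).

    Everything is whitespace-separated, as the thread describes the parser
    behaving; comment_words is the run starting at the first word that begins
    with '#', which the parser would still treat as values.
    """
    words = rhs.split()
    for i, w in enumerate(words):
        if w.startswith('#'):
            return words[:i], words[i:]
    return words, []


def parse_assignments(profile_text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (variables, warnings) for the assignment lines of a profile.

    variables reproduces the value lists the thread reports ('#' words are
    kept); warnings lists the lines where a comment is being swallowed.
    """
    variables: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # rules and comment-only lines are not assignments
        _, name, op, rhs = m.groups()
        values, comment_words = split_values(rhs)
        if op == '=':
            variables[name] = values + comment_words
        else:
            variables.setdefault(name, []).extend(values + comment_words)
        if comment_words:
            warnings.append(
                f"line {lineno}: {name} absorbs {comment_words!r} as values; "
                "move the comment to its own line")
    return variables, warnings


def move_comments_out(profile_text: str) -> str:
    """Rewrite assignment lines so trailing '#...' text becomes a full-line
    comment placed just before the assignment (indentation preserved)."""
    out: List[str] = []
    for line in profile_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            indent, name, op, rhs = m.groups()
            values, comment_words = split_values(rhs)
            if comment_words:
                text = ' '.join(comment_words).lstrip('#').strip()
                out.append(f"{indent}# {text}" if text else f"{indent}#")
                out.append(f"{indent}{name} {op} {' '.join(values)}")
                continue
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    variables, warnings = parse_assignments(SAMPLE_PROFILE)
    for name, vals in variables.items():
        print(name, vals)
    for w in warnings:
        print('WARNING', w)
    print(move_comments_out(SAMPLE_PROFILE))
```

Running the script on the sample shows @{VARIABLE} ending up with twelve values, the same list the message gives, and @{libreoffice_ext} carrying '#.txt' and '#.pdf' as extensions; after `move_comments_out` the same parse yields only the intended values and no warnings. The check is deliberately lexical (a word starting with '#') because that is the only construct the thread shows being misread; it does not validate the rest of the profile syntax.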