** Description changed:

  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:

- In AppArmor policy, unix addresses must start with @, and when
- trying to use alternations {.,.}, the parser would confuse that with an
- invalid variable, rightfully so. The problem is that this was supported
- in previous versions of the parser, so in order to not regress behavior,
- we are accepting such strings.
+ In AppArmor policy, abstract unix addresses must start with @. When trying to use alternations {.,.} at the start of an abstract address name, the @ and the alternation {.,.} would form an invalid variable name @{.,.}. AppArmor 5
+ added stricter checking around variables, and the addition checks catches this as the @ followed by an alternation as an invalid variable.

- In AppArmor 4.x, a rule of the form
+ Unfortunately this combination was supported in previous versions of the
+ parser, and in use in snapd policy, so in order to not regress behavior,
+ we are accepting such strings, using the previous behavior.
+
+ Specifically in AppArmor 4.x, a rule of the form

  unix connect peer=(addr="@{alt1,alt2}-test"),

  would parse as a literal @ followed by either alt1 or alt2, with
- abstract socket addresses having to start with @. However, @{var} is
- also the syntax used to specify variables, and stricter checking for
- variables led to the above erroring as an invalid variable. While the
- proper syntax should be escaping the @ with \@{alt1,alt2}, existing
- policy relies on the previous behavior, so it should be restored into
- AppArmor 5.x.
+ abstract socket addresses having to start with @.
+
+ Restore this behavior in AppArmor 5 by allowing it to detect the invalid
+ variable and treat it as an @ followed by an alternation.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2126450

Title:
  AppArmor Unix socket rules need to be able to support addr=@{a,b}
  variable usage

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2126450/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
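The ambiguity the bug describes, an @{...} at the start of an abstract socket address that is either a variable reference (@{VAR}) or a literal @ followed by an alternation (@{alt1,alt2}), as an added example. This is not AppArmor's parser (the real one is C++/yacc in the apparmor repository); it is a Python sketch written for this note. It assumes variable names are restricted to [A-Za-z0-9_]+, uses a constructed variable table, and treats variable values as complete addresses. The `compat` flag models the AppArmor 4.x reading that the fix restores, versus the stricter AppArmor 5 check that rejected the string outright; the explicit \@{alt1,alt2} escape is also handled.

```python
"""Resolve the addr= value of an AppArmor 'unix' rule into concrete
abstract socket addresses. Added illustration, not AppArmor project code.

Assumptions (this example's own):
  * variable names match [A-Za-z0-9_]+, so '@{alt1,alt2}' cannot be one;
  * a variable's value is a complete address (e.g. '@snap.foo.sock');
  * compat=True gives the 4.x behaviour (literal '@' + alternation),
    compat=False gives the stricter AppArmor 5 check (hard error).
"""
import re
from typing import Dict, List

# A well-formed variable reference at the start of the address: @{NAME}
VAR_RE = re.compile(r"^@\{([A-Za-z0-9_]+)\}")
# An innermost {a,b,...} alternation group (no nested braces inside)
ALT_RE = re.compile(r"\{([^{}]*)\}")


class PolicyError(ValueError):
    """Raised for an address the (modelled) parser rejects."""


def expand_alternations(s: str) -> List[str]:
    """Expand every {a,b,...} group in s, innermost first, deduplicated."""
    m = ALT_RE.search(s)
    if m is None:
        return [s]
    prefix, suffix = s[: m.start()], s[m.end():]
    results: List[str] = []
    for alt in m.group(1).split(","):
        for expanded in expand_alternations(prefix + alt + suffix):
            if expanded not in results:
                results.append(expanded)
    return results


def resolve_abstract_addr(addr: str, variables: Dict[str, str],
                          compat: bool = True) -> List[str]:
    """Return the concrete abstract addresses an addr= value denotes."""
    if addr.startswith("\\@"):
        # \@{alt1,alt2}: the unambiguous way to write a literal '@'
        # before an alternation; the escape is dropped and the rest expanded.
        results = expand_alternations("@" + addr[2:])
    elif not addr.startswith("@"):
        raise PolicyError(f"abstract unix address must start with '@': {addr!r}")
    elif addr.startswith("@{"):
        m = VAR_RE.match(addr)
        if m is not None:
            # Genuine variable reference: substitute its (assumed full) value.
            name = m.group(1)
            if name not in variables:
                raise PolicyError(f"undefined variable @{{{name}}}")
            results = expand_alternations(variables[name] + addr[m.end():])
        elif not compat:
            # Stricter AppArmor 5 check: '@{' not followed by a valid
            # variable name is an invalid variable, full stop.
            raise PolicyError(f"invalid variable at start of {addr!r}")
        else:
            # 4.x reading restored by the fix: literal '@' then alternation,
            # so '@{alt1,alt2}-test' becomes '@alt1-test' and '@alt2-test'.
            results = expand_alternations(addr)
    else:
        results = expand_alternations(addr)

    for r in results:
        if not r.startswith("@"):
            raise PolicyError(f"resolved address is not abstract: {r!r}")
    return results


def is_rejected(addr: str, variables: Dict[str, str],
                compat: bool = True) -> bool:
    """True if the modelled parser rejects addr under the given mode."""
    try:
        resolve_abstract_addr(addr, variables, compat)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed variable table; not real snapd or AppArmor policy.
    table = {"SNAP_SOCK": "@snap.foo.sock"}
    for rule_addr in ("@{alt1,alt2}-test", "\\@{alt1,alt2}-test",
                      "@{SNAP_SOCK}-{a,b}", "@plain"):
        print(rule_addr, "->", resolve_abstract_addr(rule_addr, table))
    print("@{alt1,alt2}-test rejected under strict check:",
          is_rejected("@{alt1,alt2}-test", table, compat=False))
```

The same string is accepted in compat mode and rejected in strict mode; only the `\@` escape or a well-formed `@{NAME}` is unambiguous in both, which is why the bug report calls the escape the proper syntax while still restoring the old reading for existing policy.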
