apparmor-parse cannot parse profile stacking //&

Asked by Yuqiong Sun on 2016-11-06

I am experimenting with the new profile stacking feature of AppArmor on Ubuntu 16.10.

However, when trying to load a profile with stacking ("//&"), the apparmor-parser will report the following errors:

AppArmor parser error for /etc/apparmor.d/ in /etc/apparmor.d/ at line 8: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE.

The system is Ubuntu 16.10 Server edition. I am trying to confine a test program at /root/test/shell. The profile looks like the following:

#include <tunables/global>
/root/test/shell {
  #include <abstractions/base>

  /bin/touch ix,
  /root/test/read px -> readtest1 //& readtest2,
  /root/test/shell mr,

  profile readtest1 {
    #include <abstractions/base>
    /root/test/file1 r,
    /root/test/read mr,
  }

  profile readtest2 {
    #include <abstractions/base>
    /root/test/file2 r,
    /root/test/read mr,
  }
}

If the stacking works, when the /root/test/shell execs /root/test/read, it should not be able to read either file1 or file2.

I wonder if I am using the stacking in the wrong way, or whether the userspace support for stacking hasn't been integrated yet?



If you have a bug reported, you don't need a question as well.
