apparmor-parse cannot parse profile stacking //&

Asked by Yuqiong Sun on 2016-11-06

I am experimenting with the new profile stacking feature of AppArmor on Ubuntu 16.10.

However, when trying to load a profile with stacking ("//&"), the apparmor-parser reports the following error:

AppArmor parser error for /etc/apparmor.d/root.test.shell in /etc/apparmor.d/root.test.shell at line 8: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE.

The system is Ubuntu 16.10 Server edition. I am trying to confine a test program at /root/test/shell. The profile looks like the following:

#include <tunables/global>
/root/test/shell {
  #include <abstractions/base>

  /bin/touch ix,
  /root/test/read px -> readtest1 //& readtest2,
  /root/test/shell mr,

  profile readtest1 {
    #include <abstractions/base>
    /root/test/file1 r,
    /root/test/read mr,
  }

  profile readtest2 {
    #include <abstractions/base>
    /root/test/file2 r,
    /root/test/read mr,
  }
}

If the stacking works, when the /root/test/shell execs /root/test/read, it should not be able to read either file1 or file2.

I wonder if I am using the stacking in the wrong way, or whether the userspace support for stacking hasn't been integrated yet?

Thanks!
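The expectation stated in the question (a task confined by readtest1//&readtest2 can read neither file1 nor file2) follows from how stacking composes policy: every profile in the stack must allow an access. The following is an added example, not code from the question or from AppArmor itself; it models that intersection rule over the file rules of the profile above, with a simplified glob matcher (assumed: '*' stays within one path component, '**' crosses '/').

```python
import re

# Constructed rule sets mirroring the two sub-profiles in the question:
# path glob -> set of AppArmor permission letters.
PROFILES = {
    "readtest1": {"/root/test/file1": set("r"), "/root/test/read": set("mr")},
    "readtest2": {"/root/test/file2": set("r"), "/root/test/read": set("mr")},
}


def aa_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate an AppArmor-style path glob into an anchored regex.

    Simplified model: '*' matches within a single path component,
    '**' matches across '/'. Other AppArmor glob forms are not handled.
    """
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def perms_in_profile(name: str, path: str) -> set:
    """Union of permissions a single profile grants to `path`."""
    granted = set()
    for glob, perms in PROFILES[name].items():
        if aa_glob_to_regex(glob).match(path):
            granted |= perms
    return granted


def stacked_allows(stack: str, path: str, perm: str) -> bool:
    """A stack "a//&b//&..." allows an access only if every member allows it.

    Stacking therefore never widens access: the effective policy is the
    intersection of the stacked profiles' permissions.
    """
    members = stack.split("//&")
    return all(perm in perms_in_profile(m, path) for m in members)


if __name__ == "__main__":
    stack = "readtest1//&readtest2"
    for path in ("/root/test/read", "/root/test/file1", "/root/test/file2"):
        verdict = "ALLOW" if stacked_allows(stack, path, "r") else "DENY"
        print(f"{stack}: r {path} -> {verdict}")
```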

Question information

Language: English
Status: Answered
For: Ubuntu apparmor
Assignee: No assignee
Last query: 2016-11-06
Last reply: 2016-11-08
