AppArmor

apparmor fails loading policy with nested profiles inside hats

Bug #1334455 reported by Steve Beattie on 2014-06-25

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Triaged	Medium	Unassigned

Bug Description

To reproduce:

$ cat ~/tmp/test.profile
profile spork /t {
hat waffle {
/bin/sh Cx -> syrup,

    profile syrup {
      /bin/sh r,
    }
  }
}
$ sudo ./apparmor_parser -Kr ~/tmp/test.profile
./apparmor_parser: Unable to replace "syrup". Profile doesn't exist
$ sudo grep syrup /var/log/audit/audit.log
type=AVC msg=audit(1403737842.880:42591): apparmor="STATUS" operation="profile_replace" info="parent does not exist" error=-2 profile="unconfined" name="waffle//syrup" pid=874 comm="apparmor_parser"

This is with kernel Ubuntu 3.13.0-24.47-generic 3.13.9 (amd64)

It also fails similarly if not using a profile name, e.g.:

profile spork /t {
hat waffle {
/bin/sh Cx,

    profile /bin/sh {
      /bin/sh r,
    }
  }
}

results in:

type=AVC msg=audit(1403738004.360:42598): apparmor="STATUS" operation="profile_replace" info="parent does not exist" error=-2 profile="unconfined" name="waffle///bin/sh" pid=1807 comm="apparmor_parser"

Tags:

Revision history for this message

azurit (azurit) wrote on 2014-09-22:

Any news on this?

Jamie Strandboge (jdstrand) on 2014-10-10

Changed in apparmor:
importance:	Undecided → Medium
status:	New → Confirmed

Jamie Strandboge (jdstrand) on 2014-10-15

tags:

added: aa-parser

Jamie Strandboge (jdstrand) on 2014-10-24

Changed in apparmor:
status:	Confirmed → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.