Subject: profiles - fix apparmor_api abstractions

The apparmor_api abstractions make the mistake of including tunables directly, which is a no-no since the variable definitions in tunables need to occur in the preamble of a profile, not embedded within it. This patch removes those includes, and replaces them documentation of tunables are necessary, as some of the expected ones are not part of tunables/global. It also adjust the kernelvars tunable's definition of the @{pid} regex, as the current parser does not support nesting of {} groupings, which breaks any profile that attempts to use the tunable. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Seth Arnold <seth.arnold@canonical.com>
2025-03-04 16:35:02 +01:00 · 2013-01-02 15:02:29 -08:00 · 2013-01-02 15:02:29 -08:00 · fb510f8d5b
commit fb510f8d5b
parent d19097c5e1
5 changed files with 14 additions and 10 deletions
--- a/profiles/apparmor.d/abstractions/apparmor_api/examine
+++ b/profiles/apparmor.d/abstractions/apparmor_api/examine
@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------

-#include <tunables/proc>
-#include <tunables/kernelvars>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.

@{PROC}/@{pids}/attr/{current,prev,exec} r,
--- a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
+++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
@ -8,6 +8,7 @@

 #permissions needed for aa_find_mountpoint

-#include <tunables/proc>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.

-@{proc}/*/mounts r,
+@{PROC}/@{pids}/mounts r,
--- a/profiles/apparmor.d/abstractions/apparmor_api/introspect
+++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect
@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------

-#include <tunables/proc>
-#include <tunables/kernelvars>
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.

@{PROC}/@{tid}/attr/{current,prev,exec} r,
--- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
+++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
@ -8,8 +8,8 @@

 # permissions needed for aa_is_enabled

-#include <tunables/sys>
-#include <tunables/apparmorfs>
+# Make sure to include at least tunables/sys and tunables/apparmorfs
+# when using this abstraction, if not tunables/global.

 #include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
--- a/profiles/apparmor.d/tunables/kernelvars
+++ b/profiles/apparmor.d/tunables/kernelvars
@ -9,8 +9,11 @@
 # This file should contain declarations to kernel vars or variables
 # that will become kernel vars at some point

-# until kernel vars are implemented just use a pattern [0-9]{1,6}
-@{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# until kernel vars are implemented
+# and until the parser supports nested groupings like
+#   @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# use
+@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

 #same pattern as @{pid} for now
@{tid}=@{pid}