[apparmor] "Helpful" error message ;-)
Christian Boltz
apparmor at cboltz.de
Mon Jan 31 22:24:08 UTC 2011
Hello,
while testing some fixes in apparmor.vim, I also ran apparmor_parser
with one of my test profiles so that I know if my example profile is
syntactically correct.
The result:
# apparmor_parser test_usr.unattached
Warning from test_usr.unattached (test_usr.unattached line 55):
Unconfined exec qualifier (ux) allows some dangerous environment
variables to be passed to the unconfined process; 'man 5 apparmor.d' for
details.
failed user merge 0x2d04b41 0x901
failed other merge 0x2d04b41 0x2404000
failed user merge 0x2d04b41 0x901
failed other merge 0x2d04b41 0x2404000
failed user merge 0x2d04b41 0x901
failed other merge 0x2d04b41 0x2404000
failed user merge 0x2d04b41 0x901
failed other merge 0x2d04b41 0x2404000
failed user merge 0x2d04b41 0x901
failed other merge 0x2d04b41 0x2404000
ERROR processing regexs for profile An.unattached.profile, failed to
load
What do those "failed user/other merge" messages mean, and where in the
profile do they come from?
The profile is attached.
AppArmor version is 2.5.1 from openSUSE Factory.
Regards,
Christian Boltz
--
One of the main reasons for the downfall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C programs.
-------------- next part --------------
# vim: ft=apparmor2
# Lines marked with ### contain rules that should be valid, but apparmor_parser doesn't accept them
@{CHROOT_BASE}=/tmp/foo
# only valid outside of a profile?
alias /home/ -> /mnt/users/,
profile An.unattached.profile flags=(audit) { # comment
# should all be valid
network inet stream, # tcp stream
network inet dgram, # udp
network inet, # both tcp and udp
network inet6, # all inet6 networking
network, # all networking - including raw, therefore marked in "dangerous" color
### network inet raw tcp, # raw networking ### ability is coming [JJ, 2011-01-12]
/foo/bar rw,
@{CHROOT_BASE}/var r,
audit /etc/shadow w,
audit owner /etc/shadow w,
# audit / deny:
# > Can the audit and deny keyword be used in any rule (like link,
# > capability, change_profile) or only on file rules?
# almost any currently they don't work on change_profile or change_hat
# they should work on capability, network, file, link (just a special form
# of the file rule).
# owner
# currently only on file rules (link as well)
# TODO: deny / audit / owner keywords should have different colors!
deny /etc/shadow w,
audit deny /etc/shadow w,
audit deny owner /etc/shadow w,
change_profile -> a_profile, # switch to named profile
change_profile -> /foo/bar,
# change_hat # ??? valid keyword? syntax? -> no longer supported
/sub/profile cx, # uses internal subprofile - color like px
/sub2/profile Cx, # uses internal subprofile - color like Px
/bin/** px -> shared_profile,
/bin2/** Px -> shared_profile,
/bin3/** cx -> /bin/bash,
/bin4/** Cx -> /bin/bash,
/bin5/** ux -> /bin/bash,
/bin6/** Ux -> /bin/bash,
/foo/bar ix,
/foo/* pix, # px with Fallback to ix
/foo2/* Pix, # Px with Fallback to ix
/bar3/* cix, # cx with Fallback to ix
/bar4/* Cix, # Cx with Fallback to ix
# rlimit <rlimit> <= <value>
# <rlimit> can be:
# - cpu - currently unsupported
# rlimit cpu whatever, # not going to be supported soon
# - fsize, data, stack, core, rss, as, memlock, msgqueue
# <limit> in bytes, or with K/M/G suffix
set rlimit data <= 100M,
set rlimit data <= 10,
# - nofile, locks, sigpending, nproc, rtprio
# These rlimits take a number greater or equal to 0 indicating their limit.
set rlimit locks <= 20, ###
set rlimit sigpending <= 12332341234123, # enough ;-)
# - nice
# The nice rlimit takes a value between -20 and 19.
set rlimit nice <= 10,
set rlimit nice <= -20,
set rlimit nice <= 5,
# This provides the ability to give non-root users administrative
# privileges, and as such it must be used with extreme caution.
# This is the only rule that AppArmor has that can be used to raise
# privilege. Using it is akin to setting a program to setuid or, using fscaps.
### removed in AppArmor 2.5
# set capability dac_override, # DANGER!
# set capability chown,
# set capability sys_admin,
/foo/** px,
link /link/file -> /target/file,
link subset /link/file -> /target/file,
# capability foobar, # invalid keyword! -> error
capability chown,
capability sys_admin,
### ^foobar, ###
^foo flags=(complain) {
owner /bar r,
}
profile /sub/profile {
/foobar r,
}
profile test {
/foobar rw,
}
### ^externalhat , # foo ###
### ^externalhat2, # bar ###
### ^externalhat3, ###
owner /foo px,
}
/foo//externalhat {
/in/the/hat Ux,
network raw,
# should be marked as error (a+w in one rule): (3 lines)
# /foo raw,
# /foo wa,
# /foo waux,
}
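As an added example (not part of Christian's message or of the AppArmor project), a small Python helper that turns captured apparmor_parser output like the one above into a structured summary: the file and line of each warning, how often each "failed user/other merge" pair repeats, and which profiles failed to load. It assumes the parser output has already been captured to a string; the sample below is constructed from the message.

```python
import re
from collections import Counter

# Sample apparmor_parser output, constructed from the message above.
SAMPLE_OUTPUT = (
    "Warning from test_usr.unattached (test_usr.unattached line 55):\n"
    "Unconfined exec qualifier (ux) allows some dangerous environment\n"
    "variables to be passed to the unconfined process; 'man 5 apparmor.d' for\n"
    "details.\n"
    + "failed user merge 0x2d04b41 0x901\nfailed other merge 0x2d04b41 0x2404000\n" * 5
    + "ERROR processing regexs for profile An.unattached.profile, failed to\nload\n"
)

WARNING_RE = re.compile(r"^Warning from (\S+) \(\S+ line (\d+)\):")
MERGE_RE = re.compile(r"^failed (user|other) merge (0x[0-9a-f]+) (0x[0-9a-f]+)$")
ERROR_RE = re.compile(r"^ERROR processing regexs for profile (\S+),")


def _is_message_start(line):
    return bool(WARNING_RE.match(line) or MERGE_RE.match(line) or ERROR_RE.match(line))


def summarize(output):
    """Group parser output into warnings, merge-failure counts and failed profiles."""
    warnings, merges, failed = [], Counter(), []
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        m = WARNING_RE.match(lines[i])
        if m:
            # The warning text is wrapped over the following lines until the
            # next recognised message starts; join it back into one sentence.
            text, i = [], i + 1
            while i < len(lines) and not _is_message_start(lines[i]):
                text.append(lines[i].strip())
                i += 1
            warnings.append({"file": m.group(1), "line": int(m.group(2)), "text": " ".join(text)})
            continue
        m = MERGE_RE.match(lines[i])
        if m:
            merges[(m.group(1), m.group(2), m.group(3))] += 1
        m = ERROR_RE.match(lines[i])
        if m:
            failed.append(m.group(1))  # the wrapped "load" line that follows is ignored
        i += 1
    return {"warnings": warnings, "merge_failures": dict(merges), "failed_profiles": failed}


def profile_loaded(output):
    """True when no profile in the output was reported as failing to load."""
    return not summarize(output)["failed_profiles"]
```

The repeat count per merge pair is what makes the identical lines above readable at a glance; the helper does not interpret the hex values, which the message leaves unexplained.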