[apparmor] "Helpful" error message ;-)

John Johansen john.johansen at canonical.com
Mon Jan 31 22:43:07 UTC 2011


On 01/31/2011 02:24 PM, Christian Boltz wrote:
> Hello,
> 
> while testing some fixes in apparmor.vim, I also run apparmor_parser 
> with one of my test profiles so that I know if my example profile is 
> syntactically correct.
> 
> The result:
> 
> # apparmor_parser test_usr.unattached 
> Warning from test_usr.unattached (test_usr.unattached line 55): 
> Unconfined exec qualifier (ux) allows some dangerous environment 
> variables to be passed to the unconfined process; 'man 5 apparmor.d' for 
> details.
> failed user merge 0x2d04b41 0x901
> failed other merge 0x2d04b41 0x2404000
> failed user merge 0x2d04b41 0x901
> failed other merge 0x2d04b41 0x2404000
> failed user merge 0x2d04b41 0x901
> failed other merge 0x2d04b41 0x2404000
> failed user merge 0x2d04b41 0x901
> failed other merge 0x2d04b41 0x2404000
> failed user merge 0x2d04b41 0x901
> failed other merge 0x2d04b41 0x2404000
> ERROR processing regexs for profile An.unattached.profile, failed to 
> load
> 
> What do those "failed user/other merge" messages mean, and where in the 
> profile do they come from?
> 

They come from an exec qualifier conflict detected during dfa creation.
In this case it is a conflict between the rules

	/foo/** px,
	/foo/* pix, # px with Fallback to ix

which have an overlap of /foo/*

Cleaning this up so that we have the information at this stage for a
good error message, with line numbers etc has been a long standing
goal.  We have made some progress towards fixing this but I doubt I
will finish this work up within the 2.6 time frame.

However we could do a simple improvement on the message so that it outputs
that there have been conflicting overlapping execute permissions qualifiers.

It should be noted that this is happening in this case because it's two
overlapping regular expressions, and we don't have support for overlapping
regex dominance yet (this is another part of the dfa engine update, that
is being worked on).

so
	/foo/** px,
	/foo/someconst pix

would work in this situation because we can handle a regex overlapping
an exact match, the parser just can't handle the broader case yet.
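The situation John describes (two glob rules that overlap and carry different exec qualifiers, which the parser of that era only reports as "failed user/other merge" with no line numbers) can be pre-checked outside apparmor_parser. The script below is an added example written for this archive page, not AppArmor project code: it pulls exec rules out of a profile, treats any path containing `*` or `?` as a regex rule (the `[...]` and `{a,b}` forms are deliberately not handled), and reports pairs of regex rules that can match a common path but ask for different qualifiers. Exact-match-vs-regex pairs are skipped, since the parser handles those. Overlap is tested by generating a few witness paths from each glob and matching them against the other glob's regex; that is sound (a reported overlap really exists) but not complete. The sample profile is constructed for the example.

```python
"""Pre-check an AppArmor profile for overlapping regex exec rules with
conflicting qualifiers (added example; not apparmor_parser's own logic).

Assumptions: only '*', '**' and '?' are treated as glob metacharacters, and an
exec qualifier is any permission token ending in 'x' with an optional
p/P/c/C/u/U and i/u prefix (px, Px, ix, pix, ux, cx, cix, ...)."""
import itertools
import re

RULE_RE = re.compile(r"^\s*(/\S*)\s+([A-Za-z]+)\s*,")  # "/path perms,"
EXEC_RE = re.compile(r"[PCUpcu]?[iu]?x")              # exec qualifier inside perms


def parse_rules(profile_text):
    """Return (lineno, path, qualifier) for every rule with an exec qualifier."""
    rules = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.groups()
        q = EXEC_RE.search(perms)
        if q:
            rules.append((lineno, path, q.group(0)))
    return rules


def is_glob(path):
    return "*" in path or "?" in path


def glob_to_regex(glob):
    """AppArmor glob -> anchored regex: '**' spans '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def witnesses(glob):
    """A small set of concrete paths that the glob matches (heuristic)."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(["a", "a/a", ""])
            i += 2
        elif glob[i] == "*":
            parts.append(["a", ""])
            i += 1
        elif glob[i] == "?":
            parts.append(["a"])
            i += 1
        else:
            parts.append([glob[i]])
            i += 1
    return {"".join(p) for p in itertools.product(*parts)}


def overlaps(glob_a, glob_b):
    """True if some witness of one glob is matched by the other glob."""
    ra, rb = glob_to_regex(glob_a), glob_to_regex(glob_b)
    return any(rb.match(w) for w in witnesses(glob_a)) or \
        any(ra.match(w) for w in witnesses(glob_b))


def find_conflicts(profile_text):
    """Pairs of regex exec rules that overlap but carry different qualifiers."""
    found = []
    for (la, pa, qa), (lb, pb, qb) in itertools.combinations(parse_rules(profile_text), 2):
        if qa == qb:
            continue
        if not (is_glob(pa) and is_glob(pb)):
            continue  # regex vs exact match: the parser can handle this case
        if overlaps(pa, pb):
            found.append((la, pa, qa, lb, pb, qb))
    return found


# Constructed sample profiles, mirroring the two cases in the message above.
BAD_PROFILE = """\
# constructed sample, not a real profile
/usr/bin/example {
  /foo/** px,
  /foo/* pix,   # px with fallback to ix
  /bar/** ix,
}
"""
GOOD_PROFILE = """\
/usr/bin/example {
  /foo/** px,
  /foo/someconst pix,
}
"""

if __name__ == "__main__":
    for c in find_conflicts(BAD_PROFILE):
        print("line %d: %s %s  overlaps  line %d: %s %s" % c)
```

Run it against a profile before feeding it to apparmor_parser; for the bad sample it names lines 3 and 4 (`/foo/** px` against `/foo/* pix`), while the good sample, where the second rule is an exact path, produces nothing.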

