[apparmor] Apparmor profile: custom header file query
Seth Arnold
seth.arnold at canonical.com
Tue Apr 20 00:06:47 UTC 2021
On Mon, Apr 19, 2021 at 11:16:11PM +0530, Murali Selvaraj wrote:
> As per our design, we are applying certain capabilities to all my profiles.
>
> -> created custom include files as follows: #include "relative_path"
> @{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,ipc_owner,sys_ptrace,sys_chroot
>
> -> Adding this header file in the required apparmor profiles.
> #include "relative_path"
> capabilty @{default_caps},
>
> -> While parsing the apparmor profiles into the kernel, observing the errors below.
> syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
The set variables in AppArmor aren't a generic text replacement tool,
they're specialized for managing the combinatorial explosion of different
distributions putting 'the same' files in different locations, managing
typical unix usernames in directory structures, etc.

You could get something very similar by making a new abstraction file just
for your capabilities:

path/to/whatever/abstractions/default_service_capabilities:

capability chown dac_override dac_read_search fowner fsetid kill ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot,

And then in your profiles:

#include "path/to/whatever/abstractions/default_service_capabilities"

I hope this helps.

Thanks
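The abstraction approach above, written out end to end as an added example (this is not code from the thread or from the AppArmor project): a POSIX shell script that writes the shared capability abstraction, writes a profile for a hypothetical binary `/usr/bin/example-service` that includes it, and, when `apparmor_parser` is installed, syntax-checks the result without loading it into the kernel. The capability list is the one from the thread; the profile, its paths and the `run_demo` helper are constructed for this example. The script uses a temporary directory as the parser's base directory (`--base`), so the `<abstractions/...>` include resolves there instead of under `/etc/apparmor.d`; when the parser is not present it falls back to a plain textual check.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Builds a capability abstraction and a profile that includes it, then
# syntax-checks both with apparmor_parser if available.
set -eu

# Capability list from the thread (space-separated, one rule).
DEFAULT_CAPS="chown dac_override dac_read_search fowner fsetid kill ipc_lock sys_nice setpcap ipc_owner sys_ptrace sys_chroot"

# write_caps_abstraction BASE CAPS
# Writes BASE/abstractions/default_service_capabilities containing a
# single multi-capability rule. Abstraction files hold bare rules, no
# variable definitions and no enclosing profile block.
write_caps_abstraction() {
    mkdir -p "$1/abstractions"
    printf '# Default capabilities shared by service profiles\n  capability %s,\n' "$2" \
        > "$1/abstractions/default_service_capabilities"
}

# write_profile BASE
# Writes a minimal profile for the hypothetical binary /usr/bin/example-service
# that pulls the abstraction in. tunables/global is deliberately not included
# so the profile parses against the temporary base directory.
write_profile() {
    cat > "$1/usr.bin.example-service" <<'EOF'
# Hypothetical service profile (constructed example)
/usr/bin/example-service {
  #include <abstractions/default_service_capabilities>

  /usr/bin/example-service mr,
  /etc/example-service/** r,
}
EOF
}

# check_profile BASE
# With apparmor_parser present: parse only (-Q/--skip-kernel-load), ignore
# the on-disk cache, and resolve includes relative to BASE.
# Without it: confirm the abstraction carries the expected rule.
check_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser --skip-kernel-load --skip-cache --base "$1" \
            "$1/usr.bin.example-service"
    else
        grep -q '^  capability .* sys_chroot,$' \
            "$1/abstractions/default_service_capabilities"
    fi
}

# run_demo: build everything in a fresh temp dir, check it, print the dir.
run_demo() {
    base=$(mktemp -d)
    write_caps_abstraction "$base" "$DEFAULT_CAPS"
    write_profile "$base"
    check_profile "$base"
    printf '%s\n' "$base"
}
```

Run `run_demo` and inspect the printed directory; copying the abstraction file into `/etc/apparmor.d/abstractions/` makes `#include <abstractions/default_service_capabilities>` work from real profiles. Note that several of the listed capabilities (dac_override, dac_read_search, sys_ptrace, setpcap) are broad, so a shared default list is worth reviewing per service rather than treated as harmless boilerplate.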