[apparmor] Apparmor: Query on adding many capabilities in the custom header file

Murali Selvaraj murali.selvaraj2003 at gmail.com
Sat Apr 24 13:46:22 UTC 2021


Hi John/Seth,

Can you please guide me in resolving the query below about enabling many
capabilities through the header file?

Thanks
Murali.S

On Thu, Apr 22, 2021 at 9:15 PM Murali Selvaraj
<murali.selvaraj2003 at gmail.com> wrote:
>
> Hi John,
>
> I am still facing the error below while parsing the profile.
>
> While parsing profiles with sh -x /etc/apparmor/apparmor_parse.sh:
> AppArmor parser error for /nvram2/apparmor_boot/usr.bin.test in
> /nvram2/apparmor_boot/usr.bin.test at line 5: syntax error, unexpected
> TOK_SET_VAR, expecting TOK_ID or TOK_END_OF_RULE
>
> murali at linux:/nvram2/apparmor_boot# cat caps/common
> @{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,pc_owner,sys_ptrace,sys_chroot
>
> #include "/nvram2/apparmor_boot/caps/common"
> profile test /usr/bin/test flags=(attach_disconnected) {
>     capability setuid,
>     capability setgid,
>     capability @{default_caps},  ===>> This line shows syntax error [
> syntax error, unexpected TOK_SET_VAR, expecting TOK_ID or
> TOK_END_OF_RULE ]
>     /sys/devices/system/cpu/online r,
>     /etc/security/* r,
>     /proc/driver/ng1/* rw,
>     /proc/sys/kernel/ngroups_max r,
>     /usr/ccsp/ethagent/ r,
>     /proc/*/comm r,
>     /proc/*/auxv r,
>     /proc/*/cmdline r,
>     /proc/*/environ r,
>     /proc/*/limits r,
>     /proc/*/stat r,
> }
>
> Can you please help us to resolve this error?
>
> Thanks
> Murali.S
>
> On Thu, Apr 22, 2021 at 10:51 AM John Johansen
> <john.johansen at canonical.com> wrote:
> >
> > On 4/20/21 10:01 AM, Murali Selvaraj wrote:
> > > Hi All,
> > >
> > > As per our design, we are applying certain capabilities to all my profiles.
> > >
> > > -> Created a custom include file as follows, pulled in with #include "relative_path":
> > >    @{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,ipc_owner,sys_ptrace,sys_chroot
> > >
> > > -> Added this header file to the required AppArmor profiles:
> > >    #include "relative_path"
> > >    capability @{default_caps},
> > >
> > > -> While parsing the AppArmor profiles into the kernel, we observe the error below:
> > >    syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
> > >
> > > Can someone help me clarify the above queries?
> > >
> >
> > At this time, variable assignment cannot be done in the profile body. It can only appear in the profile header. You need to rework your profile to do:
> >
> > include "relative_path"
> >
> > profile example {
> >
> >   capability @{default_caps},
> > }
> >
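The two layout mistakes discussed in this thread can be caught before apparmor_parser is ever run. The checker below is added here as an illustration; it is not part of the AppArmor project and is not code from any of the posters. It treats a file that is included inside a profile body as being parsed at that nesting depth (so an assignment it carries is still an assignment in the body, which is what John's reply rules out), and it flags a @{var} reference inside a capability rule, because the error quoted above (unexpected TOK_SET_VAR, expecting TOK_ID) shows that the parser version in use rejects that form. The three sets of profile files are constructed to mirror the first attempt, the second attempt, and the layout John describes with explicit capability names; all file names and contents are assumptions, not the poster's real files.

```python
"""Static check for AppArmor profile layout mistakes seen in this thread.

Flags (1) a variable assignment that ends up inside a profile body, including
via an include file, and (2) a variable reference used in a capability rule.
"""
import re
from typing import Dict, List, Optional, Tuple

# "@{name}=value ..." or "@{name}+=value ..." at the start of a line.
ASSIGN_RE = re.compile(r"^\s*@\{[A-Za-z0-9_]+\}\s*\+?=")
# "#include <file>", "include \"file\"", optionally with "if exists".
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?[<"]([^>"]+)[>"]')
# "capability ... @{name} ..." (the parser expects bare capability names here).
CAPABILITY_VAR_RE = re.compile(r"^\s*capability\b[^,]*@\{[A-Za-z0-9_]+\}")

Finding = Tuple[str, int, str, str]  # (file, line number, problem, offending text)


def check_profile(name: str, files: Dict[str, str], depth: int = 0,
                  findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Walk one profile file (and the includes it names) and collect findings.

    `files` maps the path used in include lines to that file's content, so the
    check runs entirely offline. `depth` is the brace nesting at entry: 0 in
    the preamble, >0 inside a profile or subprofile body.
    """
    if findings is None:
        findings = []
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        inc = INCLUDE_RE.match(raw)
        if inc:
            target = inc.group(1)
            if target in files:
                # Included text is parsed where the include sits, so keep depth.
                check_profile(target, files, depth, findings)
            continue
        code = raw.split("#", 1)[0]          # drop trailing comments
        if not code.strip():
            continue
        if depth > 0 and ASSIGN_RE.match(code):
            findings.append((name, lineno,
                             "variable assignment inside a profile body (preamble only)",
                             code.strip()))
        if CAPABILITY_VAR_RE.match(code):
            findings.append((name, lineno,
                             "variable reference in a capability rule (parser expects names)",
                             code.strip()))
        # Profile and subprofile bodies open with "{" and close with "}".
        # Variable references like @{name} are balanced and cancel out.
        depth += code.count("{") - code.count("}")
    return findings


# Constructed inputs modelled on the thread (assumed names and contents).
CAPS_COMMON = "@{default_caps}=chown,dac_override,kill,sys_ptrace\n"

FIRST_ATTEMPT = {  # include (and thus the assignment) inside the body
    "caps/common": CAPS_COMMON,
    "usr.bin.test": (
        "profile test /usr/bin/test flags=(attach_disconnected) {\n"
        "  #include \"caps/common\"\n"
        "  capability setuid,\n"
        "  capability @{default_caps},\n"
        "  /proc/*/stat r,\n"
        "}\n"
    ),
}

SECOND_ATTEMPT = {  # include moved to the preamble, variable still in a cap rule
    "caps/common": CAPS_COMMON,
    "usr.bin.test": (
        "#include \"caps/common\"\n"
        "profile test /usr/bin/test flags=(attach_disconnected) {\n"
        "  capability setuid,\n"
        "  capability @{default_caps},\n"
        "  /proc/*/stat r,\n"
        "}\n"
    ),
}

FIXED = {  # include in the preamble, capabilities named explicitly in the body
    "caps/common": CAPS_COMMON,
    "usr.bin.test": (
        "#include \"caps/common\"\n"
        "profile test /usr/bin/test flags=(attach_disconnected) {\n"
        "  capability setuid,\n"
        "  capability chown,\n"
        "  capability dac_override,\n"
        "  /proc/*/stat r,\n"
        "}\n"
    ),
}


if __name__ == "__main__":
    for label, files in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT),
                         ("fixed", FIXED)):
        for f, n, problem, text in check_profile("usr.bin.test", files) or []:
            print(f"{label}: {f}:{n}: {problem}: {text}")
```

To run it against real files, load each one into the dict under the exact path that appears in the include line. The check looks only at layout; it does not validate the capability names themselves, so a misspelled entry in the value list (the quoted file above has pc_owner where the first post has ipc_owner) is outside its scope and will only surface when apparmor_parser is run.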