[apparmor] file rule not working
engelflorian at posteo.de
Sun Aug 17 16:15:49 UTC 2025
Hi All!
I'm trying to understand why my file deny rule does not work.
I call
vim /home/florian/.my-bookmarks.json
and it's open.
I expect AppArmor to deny that.
sudo aa-status says
/nix/store/x9y5la4rs81rkcghxi6h7kka1qrrcla8-vim-9.1.1566/bin/vim (11739) /nix/store/x9y5la4rs81rkcghxi6h7kka1qrrcla8-vim-9.1.1566/bin/*
The corresponding profile is
/nix/store/x9y5la4rs81rkcghxi6h7kka1qrrcla8-vim-9.1.1566/bin/* {
  # Allow other processes to read our /proc entries, futexes, perf tracing and
  # kcmp for now (they will need 'read' in the first place). Administrators can
  # override with:
  # deny ptrace (readby) ...
  ptrace (readby),
  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,
  # Allow us to signal ourselves
  signal peer=@{profile_name},
  # Allow us to ptrace read ourselves
  ptrace (read) peer=@{profile_name},
  file,
  audit deny /home/florian/.ssh mrwlkx,
  audit deny /home/florian/.ssh/{,**} mrwlkx,
  audit deny /root/.ssh mrwlkx,
  audit deny /root/.ssh/{,**} mrwlkx,
  audit deny /home/florian/.gnupg mrwlkx,
  audit deny /home/florian/.gnupg/{,**} mrwlkx,
  audit deny /root/.gnupg mrwlkx,
  audit deny /root/.gnupg/{,**} mrwlkx,
  audit deny /home/florian/Dokumente mrwlkx,
  audit deny /home/florian/Dokumente/{,**} mrwlkx,
  audit deny /home/florian/paperlessInput mrwlkx,
  audit deny /home/florian/paperlessInput/{,**} mrwlkx,
  audit deny /var/lib/paperless mrwlkx,
  audit deny /var/lib/paperless/{,**} mrwlkx,
  audit deny /home/florian/.password-store mrwlkx,
  audit deny /home/florian/.password-store/{,**} mrwlkx,
  audit deny /home/florian/.mozilla mrwlkx,
  audit deny /home/florian/.mozilla/{,**} mrwlkx,
  audit deny /home/florian/Maildir mrwlkx,
  audit deny /home/florian/Maildir/{,**} mrwlkx,
  audit deny /home/florian/.authinfo mrwlkx,
  audit deny /home/florian/.authinfo/{,**} mrwlkx,
  audit deny /home/florian/.authinfo.gpg mrwlkx,
  audit deny /home/florian/.authinfo.gpg/{,**} mrwlkx,
  audit deny /run/agenix/backblaze-restic mrwlkx,
  audit deny /run/agenix/backblaze-restic/{,**} mrwlkx,
  audit deny /home/florian/.my-bookmarks.json mrwlkx,
  audit deny /home/florian/.my-bookmarks.json/{,**} mrwlkx,
  audit deny /run/agenix/florian mrwlkx,
  audit deny /run/agenix/florian/{,**} mrwlkx,
  audit deny /run/agenix/github-token mrwlkx,
  audit deny /run/agenix/github-token/{,**} mrwlkx,
  audit deny /run/agenix/gmail mrwlkx,
  audit deny /run/agenix/gmail/{,**} mrwlkx,
  audit deny /run/agenix/librem mrwlkx,
  audit deny /run/agenix/librem/{,**} mrwlkx,
  audit deny /run/agenix/notmuchTags mrwlkx,
  audit deny /run/agenix/notmuchTags/{,**} mrwlkx,
  audit deny /run/agenix/officeOvpn mrwlkx,
  audit deny /run/agenix/officeOvpn/{,**} mrwlkx,
  audit deny /run/agenix/posteo mrwlkx,
  audit deny /run/agenix/posteo/{,**} mrwlkx,
  audit deny /run/agenix/restic-password mrwlkx,
  audit deny /run/agenix/restic-password/{,**} mrwlkx,
  audit deny /run/agenix/syncthingCert mrwlkx,
  audit deny /run/agenix/syncthingCert/{,**} mrwlkx,
  audit deny /run/agenix/syncthingKey mrwlkx,
  audit deny /run/agenix/syncthingKey/{,**} mrwlkx,
  audit deny /run/agenix/thinkpadWireguardPrivate mrwlkx,
  audit deny /run/agenix/thinkpadWireguardPrivate/{,**} mrwlkx,
  audit deny /run/agenix/vpnPresharedKey mrwlkx,
  audit deny /run/agenix/vpnPresharedKey/{,**} mrwlkx,
  audit deny /run/agenix/vpnPrivateKey mrwlkx,
  audit deny /run/agenix/vpnPrivateKey/{,**} mrwlkx,
  audit deny /run/agenix/workMail mrwlkx,
  audit deny /run/agenix/workMail/{,**} mrwlkx,
  network,
  capability,
}
For directories like /home/florian/.ssh the deny does work.
If I copy only that profile into a NixOS VM where there are far fewer
profiles, the deny also works.
Are there any limits on the size of files in /etc/apparmor.d? The rule
is in a file with 86 profiles and 7012 lines.
Thanks in advance
Florian
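The following script is an added example, not part of the post above and not AppArmor's own tooling. It models the documented AppArmor path-glob semantics (`*` stops at `/`, `**` crosses `/`, `?` is one non-`/` character, `{a,b}` is alternation) and the rule that a matching `deny` subtracts permissions from whatever `file,` grants, then reports which rules of the posted profile match a given path. It assumes the small excerpt of the profile embedded below (constructed from the post's own rules) and is only a syntactic sanity check: the kernel's loaded policy is the authority, and because the rules carry `audit deny`, a denial that actually fires shows up in the kernel log (`dmesg` or `journalctl -k`) after the vim attempt, so an empty log is itself a finding.

```python
"""Offline check of which AppArmor file rules match a path.

Added example (not from the original post or the AppArmor project); it only
models the documented path-glob and deny semantics so that a rule can be
sanity-checked before blaming the loaded policy.
"""
import re
from dataclasses import dataclass

# Excerpt of the profile body from the post (constructed sample input).
PROFILE = """\
  file,
  audit deny /home/florian/.ssh mrwlkx,
  audit deny /home/florian/.ssh/{,**} mrwlkx,
  audit deny /home/florian/.my-bookmarks.json mrwlkx,
  audit deny /home/florian/.my-bookmarks.json/{,**} mrwlkx,
  network,
  capability,
"""


@dataclass
class Rule:
    text: str
    deny: bool
    audit: bool
    perms: frozenset
    regex: re.Pattern


def glob_to_regex(pattern: str) -> str:
    """Translate AppArmor path globbing into a Python regex.

    '*'  any run of characters except '/';  '**' any run including '/';
    '?'  one character except '/';  '[..]' a character class;
    '{a,b}' alternation, which may be nested.
    """
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')
                i += 1          # consume the second '*'
            else:
                out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = pattern.index(']', i)
            out.append(pattern[i:j + 1])   # pass the class through unchanged
            i = j
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == ',' and depth:
            out.append('|')
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


# audit/deny qualifiers, an absolute path glob, a permission string, a comma
FILE_RULE = re.compile(r'^(?:(audit)\s+)?(?:(deny)\s+)?(/\S*)\s+([a-zA-Z]+),$')


def parse_rules(body: str) -> list:
    """Extract file rules; ptrace/signal/network/capability lines are skipped."""
    rules = []
    for raw in body.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line == 'file,':
            # A bare 'file,' grants every file permission on every path.
            rules.append(Rule(line, False, False, frozenset('mrwlkxa'),
                              re.compile(glob_to_regex('/**'))))
            continue
        m = FILE_RULE.match(line)
        if m:
            audit, deny, path, perms = m.groups()
            rules.append(Rule(line, deny is not None, audit is not None,
                              frozenset(perms), re.compile(glob_to_regex(path))))
    return rules


def decide(rules: list, path: str, requested: str):
    """Return (allowed, matching_rules).

    Deny rules subtract permissions from what the allow rules grant, so a
    matching deny always wins over 'file,'.
    """
    granted, revoked, hits = set(), set(), []
    for r in rules:
        if r.regex.match(path):
            hits.append(r)
            (revoked if r.deny else granted).update(r.perms)
    return set(requested) <= (granted - revoked), hits


def check(path: str, requested: str = 'r'):
    """Decide 'requested' on 'path' against PROFILE; returns (bool, [rule text])."""
    allowed, hits = decide(parse_rules(PROFILE), path, requested)
    return allowed, [r.text for r in hits]


if __name__ == '__main__':
    for p in ['/home/florian/.my-bookmarks.json',
              '/home/florian/.my-bookmarks.json.swp',
              '/home/florian/.ssh/id_ed25519',
              '/home/florian/.sshfoo',
              '/home/florian/notes.txt']:
        ok, hits = check(p)
        print(f"{p}: {'ALLOW' if ok else 'DENY'} via {hits}")
```

Run against the excerpt, the bookmarks file and anything under `.ssh/` come out as DENY while a sibling such as `.my-bookmarks.json.swp` or `.sshfoo` is still ALLOW, so the rule text itself covers the path that vim opens; that narrows the question to which policy the kernel has actually loaded for that profile name.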