[apparmor] [EXTERNAL] Re: policy variables not working as intended

Ryan Lee ryan.lee at canonical.com
Fri Feb 7 18:36:46 UTC 2025


Hi Ian,

That is a typo in the apparmor.d man page, and the @{HOME} usage in
the example should not be preceded by a backslash. Thanks for pointing
this out.

Ryan

On Fri, Feb 7, 2025 at 10:28 AM Ian Merin <Ian.Merin at entrust.com> wrote:
>
> That worked! I swear I tried every possible combination of leading slashes yesterday with no luck, but this format does appear to work for me.
>
> The reason I did it this way is because the example on https://manpages.ubuntu.com/manpages/focal/man5/apparmor.d.5.html defines
>
> @{HOME} = /home/*/ /root/
>
> […]
>
> /@{HOME}/.foo_file  rw,
>
> Is the example incorrect?
>
> Thanks,
>
> Ian
>
> From: Ryan Lee <ryan.lee at canonical.com>
> Sent: Friday, February 7, 2025 1:06 PM
> To: Ian Merin <Ian.Merin at entrust.com>
> Cc: apparmor at lists.ubuntu.com
> Subject: [EXTERNAL] Re: [apparmor] policy variables not working as intended
>
> Hi Ian,
>
> Can you check if the rule
>
> @{lib}/**.so* mr,
>
> works for you?
>
> If so, the issue is that your use of the variable creates a rule that starts with two slashes, which currently isn't collapsed down into a single slash. You can check https://gitlab.com/apparmor/apparmor/-/issues/450 for more information.
>
> Ryan
>
> On Fri, Feb 7, 2025 at 9:50 AM Ian Merin <Ian.Merin at entrust.com> wrote:
>
> I’ve looked for documentation on variables to determine if I am using them incorrectly but I cannot find very much information about variables.
>
> I have created a variable @{lib}=/{,usr/}lib{,64}/
>
> And created a rule as such
>
> /@{lib}/**.so* mr,
>
> This rule appears to do nothing. If I substitute the value of @{lib} into the rule:
>
> /{,usr/}lib{,64}/**.so* mr,
>
> It works exactly as I expect it to. I have tried every possible combination of slashes for the variable with no luck. As far as I can tell, on apparmor and libapparmor v 3.1.2
>
> Thanks,
>
> Ian

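The expansion discussed in this thread, as an added example that is not part of the original messages and is not AppArmor's parser code: a simplified model that substitutes @{var} values into a rule path, expands {a,b} alternations, and reports expansions that begin with two slashes. The function names and the VARIABLES dict are assumptions of this example; the variable values and rule paths are the ones quoted above.

```python
import re

VAR_RE = re.compile(r"@\{(\w+)\}")

def expand_braces(pattern):
    """Expand {a,b} alternations, nested ones included, into literal alternatives."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, parts, cur = 0, [], []
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
            if depth == 1:
                continue              # opening brace of the group itself
        elif ch == "}":
            depth -= 1
            if depth == 0:            # end of the group: keep the last alternative
                parts.append("".join(cur))
                break
        elif ch == "," and depth == 1:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)                # nested braces and commas stay for the recursion
    else:
        raise ValueError("unbalanced braces in " + pattern)
    head, tail = pattern[:start], pattern[i + 1:]
    return [r for p in parts for r in expand_braces(head + p + tail)]

def expand_rule_path(path, variables):
    """Substitute @{var} references (each may hold several values), then expand braces."""
    m = VAR_RE.search(path)
    if m is None:
        return expand_braces(path)
    return [r for value in variables[m.group(1)]
            for r in expand_rule_path(path[:m.start()] + value + path[m.end():], variables)]

def leading_double_slash(path, variables):
    """Expansions of a rule path that begin with '//', the case described in the thread."""
    return [p for p in expand_rule_path(path, variables) if p.startswith("//")]

# Variable values copied from the messages above; the dict layout is this example's own.
VARIABLES = {"lib": ["/{,usr/}lib{,64}/"], "HOME": ["/home/*/", "/root/"]}

if __name__ == "__main__":
    for rule_path in ("/@{lib}/**.so*", "@{lib}/**.so*", "/@{HOME}/.foo_file"):
        bad = leading_double_slash(rule_path, VARIABLES)
        print(rule_path, "->", bad if bad else "no leading '//'")
```

Running a check like this over a profile's file rules before loading it catches a rule that would otherwise match nothing without any error being reported.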

