[apparmor] Priority of two matching profiles
John Johansen
john.johansen at canonical.com
Sat Mar 8 20:41:47 UTC 2025
On 3/8/25 05:03, engelflorian at posteo.de wrote:
> Hi,
>
> What is the priority if two profiles match. E.g. /usr/bin/cat matches on
> profiles /usr/bin/c* and /usr/bin/ca*. What profile is it using?
>
It is approximately longest left non-glob match wins. It has changed some
over the years, from just being a length hint of how long the left match
is before hitting globbing, to the kernel actually keeping a small buffer,
to provide a more refined match.
So, for example, in match order:
/usr/bin/example
/usr/bin/*
/usr/bin/**
If we are talking exact match (eg. /usr/bin/example) then the first
exact match wins (match is short circuited), so load order would
matter.
However if there isn't an exact match, a complete search is done
for the best match. If there are two or more with the same best
left match length then there will be a conflict and the exec will
fail.
> I use Nixos and have generated profiles for all programs which are
> installed by my configuration. I then want to add a default profile
> which is only used if no other profile matches.
>
> I don't think I can do that with profile inheritance, because if I switch
> from the default profile it always switches to the systemd profile. If I
> add inheritance to the systemd profile it selects the default profile
> and not the more specific ones
>
ix, or inheritance fallback, really only works for this if you are using
stacking, because ix defaults to the current confinement, not a default.
ix is a transition whose primary use is role-based profiles.
The stacking I mentioned is probably not what you want either, as having
multiple profiles on an application can get messy.
> I tried it with a config like this
> ```
> # so /nix/store/ ... has priority over default /**
> profile /nix/store/***-systemd/** flags=(attach_disconnected) {
>   # allow everything
>   capability,
>   network,
>   mount,
>   remount,
>   umount,
>   pivot_root,
>   ptrace,
>   signal,
>   dbus,
>   unix,
>   file,
> }
> ...
> profile default /** flags=(attach_disconnected) {
>   capability,
>   network,
>   mount,
>   remount,
>   umount,
>   pivot_root,
>   ptrace,
>   signal,
>   dbus,
>   unix,
>   file,
>
>   # Deny some sensitive files
>   deny /home/florian/.ssh/{,**} mrwlk,
> }
> ```
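As an added illustration of the selection rule John describes (exact match short-circuits in load order; otherwise the longest left non-glob match wins and a tie fails the exec), here is a small Python model. It is not AppArmor's code: the glob handling is simplified, and the profile names and paths in the sample sets are constructed.

```python
import re

GLOB_CHARS = "*?"  # globbing this simplified model understands ('{a,b}' and '[...]' are not modelled)

def literal_prefix_len(attachment):
    """Length of the attachment before its first glob character: the 'left match' length."""
    for i, ch in enumerate(attachment):
        if ch in GLOB_CHARS:
            return i
    return len(attachment)

def glob_to_regex(attachment):
    """Anchored regex for an attachment glob: '**' also spans '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(attachment):
        if attachment.startswith("**", i):
            out.append(".*")
            i += 2
        elif attachment[i] == "*":
            out.append("[^/]*")
            i += 1
        elif attachment[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(attachment[i]))
            i += 1
    return "^" + "".join(out) + "$"

def select_profile(profiles, path):
    """profiles: [(name, attachment), ...] in load order.
    Returns ("exact", name), ("best", name), ("conflict", [names]) or ("none", None)."""
    for name, attach in profiles:  # an exact (glob-free) match short-circuits, so load order decides
        if literal_prefix_len(attach) == len(attach) and attach == path:
            return "exact", name
    candidates = [(literal_prefix_len(a), n) for n, a in profiles if re.match(glob_to_regex(a), path)]
    if not candidates:
        return "none", None
    best = max(length for length, _ in candidates)
    winners = [n for length, n in candidates if length == best]
    if len(winners) > 1:  # two or more profiles with the same best left match: the exec is failed
        return "conflict", winners
    return "best", winners[0]

# Constructed sample profile sets in load order; names and paths are illustrative only.
PROFILES = [("cat_c", "/usr/bin/c*"), ("cat_ca", "/usr/bin/ca*"), ("example", "/usr/bin/example"),
            ("nix_systemd", "/nix/store/*-systemd/**"), ("default", "/**")]
CONFLICTING = [("a", "/usr/bin/c*"), ("b", "/usr/bin/c?t")]
```

With PROFILES, /usr/bin/cat is confined by cat_ca (left match of 11 characters beats 10), while anything outside the more specific attachments falls through to default, which is the fallback behaviour the question asks for.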