mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 10:07:12 +00:00
d4a76c456d
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed. However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks. This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 . This MR makes sure every confining AppArmor profiles explicitly allow (at least) read access to their attachment path. This Merge request: - Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path. - Modifies a lot of profiles so that all profiles have r/mr access to their attachment path - Extends `make check` to automatically ensure all AppArmor profile grant explicit read access to their attachment path, preventing future omissions. - Modifies apparmor_parser to show attachment in --debug output MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
Known Bugs: Will allow multiple letters in the () due to translation/unicode issues with regexing the key. User input will probably bug out in a different locale.