The deny modifier has been fixed in the 2.11 parser. However, the audit
modifier is not properly supported by the backend permission format and
will result in equality.sh failing.

With the above patch to equality.sh, the failures all involve audit
which is being silently dropped in permission encoding:

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit change_profile -> unconfined, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit allow change_profile -> unconfined, }

.Binary inequality deny and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> unconfined, }

..Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit change_profile -> /**, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit allow change_profile -> /**, }

.Binary inequality deny and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> /**, }

https://bugs.launchpad.net/bugs/1446794

Title:
  parser error with 'deny change_profile'

Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  $ echo 'profile foo { deny change_profile -> unconfined, }' | apparmor_parser -p
  Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
  profile foo { deny change_profile[1]

  $ echo 'profile foo { deny change_profile -> /**, }' | apparmor_parser -p
  Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
  profile foo { deny change_profile[1]

  $ echo 'profile foo { deny change_profile -> {unconfined,/**}, }' | apparmor_parser -p
  Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
  profile foo { deny change_profile[1]
