** Description changed:

  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:
  
-     In AppArmor policy, unix addresses must start with @, and when
+     In AppArmor policy, unix addresses must start with @, and when
  trying to use alternations {.,.}, the parser would confuse that with an
  invalid variable, rightfully so. The problem is that this was supported
  in previous versions of the parser, so in order to not regress behavior,
  we are accepting such strings.
+ 
+ In AppArmor 4.x, a rule of the form
+ 
+ unix connect peer=(addr="@{alt1,alt2}-test"),
+ 
+ would parse as a literal @ followed by either alt1 or alt2, with
+ abstract socket addresses having to start with @. However, @{var} is
+ also the syntax used to specify variables, and stricter checking for
+ variables led to the above erroring as an invalid variable. While the
+ proper syntax should be escaping the @ with \@{alt1,alt2}, existing
+ policy relies on the previous behavior, so it should be restored into
+ AppArmor 5.x.
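Review bot: the added paragraph explains that @{alt1,alt2} is a literal @ followed by an alternation that the stricter check only mistakes for a variable, but the bug title still reads "support addr=@{a,b} variable usage". Consider retitling it to say alternation, so the report is not read as a request for variable expansion inside addr. The example rule line would also be easier to pick out if it were indented as a literal block.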

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2126450

Title:
  AppArmor Unix socket rules need to be able to support addr=@{a,b}
  variable usage

Status in apparmor package in Ubuntu:
  New

Bug description:
  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:

      In AppArmor policy, unix addresses must start with @, and when
  trying to use alternations {.,.}, the parser would confuse that with
  an invalid variable, rightfully so. The problem is that this was
  supported in previous versions of the parser, so in order to not
  regress behavior, we are accepting such strings.

  In AppArmor 4.x, a rule of the form

  unix connect peer=(addr="@{alt1,alt2}-test"),

  would parse as a literal @ followed by either alt1 or alt2, with
  abstract socket addresses having to start with @. However, @{var} is
  also the syntax used to specify variables, and stricter checking for
  variables led to the above erroring as an invalid variable. While the
  proper syntax should be escaping the @ with \@{alt1,alt2}, existing
  policy relies on the previous behavior, so it should be restored into
  AppArmor 5.x.
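The ambiguity described in the bug, as an added example (not code from AppArmor or from the bug report): a small Python audit helper that flags unix addr values relying on the unescaped @{a,b} form and lists the abstract socket addresses each alternation matches. The variable-name pattern, the function names and the sample policy are assumptions constructed for illustration; nested braces are not handled.

```python
import re
from itertools import product

# Assumption: a variable name is a letter followed by letters, digits or "_".
VAR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
ADDR = re.compile(r'addr="([^"]*)"')
GROUP = re.compile(r"\{([^{}]*)\}")

# Constructed sample policy lines (not taken from any real profile).
SAMPLE = r'''unix connect peer=(addr="@{alt1,alt2}-test"),
unix connect peer=(addr="\@{alt1,alt2}-test"),
unix connect peer=(addr="@{var}-test"),
unix connect peer=(addr="@plain"),'''


def classify(addr):
    """Say how the leading @ of a unix addr value reads."""
    if addr.startswith("\\@{"):
        return "escaped-alternation"      # the form the report calls proper
    m = re.match(r"@\{([^{}]*)\}", addr)
    if not m:
        return "plain"
    body = m.group(1)
    if VAR_NAME.match(body):
        return "variable"                 # looks like a @{var} reference
    return "legacy-alternation" if "," in body else "other"


def expand(addr):
    """Expand non-nested {a,b} groups, keeping the leading @ literal."""
    text = addr[1:] if addr.startswith("\\@") else addr
    parts = GROUP.split(text)             # odd indexes hold group bodies
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(c) for c in product(*choices)]


def audit(policy):
    """Return (line, addr, kind, matched addresses) for every addr value."""
    findings = []
    for n, line in enumerate(policy.splitlines(), 1):
        for addr in ADDR.findall(line):
            kind = classify(addr)
            hits = expand(addr) if kind.endswith("alternation") else []
            findings.append((n, addr, kind, hits))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Rules reported as legacy-alternation are the ones that depend on the restored behavior; rewriting them with the escaped \@ form keeps the same expansion without leaning on it.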
