** Description changed:

  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:
  
      In AppArmor policy, abstract unix addresses must start with @. When 
trying to use alternations {.,.} at the start of an abstract address name, the 
@ and the alternation {.,.} would form an invalid variable name @{.,.}. 
AppArmor 5
  added stricter checking around variables, and the addition checks catches 
this as the @ followed by an alternation as an invalid variable.
  
  Unfortunately this combination was supported in previous versions of the
- parser, and in use in snapd policy, so in order to not regress behavior,
- we are accepting such strings, using the previous behavior.
+ parser and is used in snapd policy. In order to not regress behavior, we
+ will have to accept such strings using the previous behavior.
  
  Specifically in AppArmor 4.x, a rule of the form
  
  unix connect peer=(addr="@{alt1,alt2}-test"),
  
  would parse as a literal @ followed by either alt1 or alt2, with
  abstract socket addresses having to start with @.
  
  Restore this behavior in AppArmor 5 by allowing it to detect the invalid
  variable and treat it as an @ followed by an alternation.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2126450

Title:
  AppArmor Unix socket rules need to be able to support addr=@{a,b}
  variable usage

Status in apparmor package in Ubuntu:
  New

Bug description:
  From https://gitlab.com/apparmor/apparmor/-/merge_requests/1803:

  In AppArmor policy, abstract unix addresses must start with @. When
  trying to use alternations {.,.} at the start of an abstract address
  name, the @ and the alternation {.,.} would form an invalid variable
  name @{.,.}. AppArmor 5 added stricter checking around variables, and
  the additional checks catch the @ followed by an alternation as an
  invalid variable.

  Unfortunately this combination was supported in previous versions of
  the parser and is used in snapd policy. In order to not regress
  behavior, we will have to accept such strings using the previous
  behavior.

  Specifically in AppArmor 4.x, a rule of the form

  unix connect peer=(addr="@{alt1,alt2}-test"),

  would parse as a literal @ followed by either alt1 or alt2, with
  abstract socket addresses having to start with @.

  Restore this behavior in AppArmor 5 by allowing it to detect the
  invalid variable and treat it as an @ followed by an alternation.
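
As an added illustration (this is example code, not the AppArmor parser's), the following Python sketch shows the two readings of a leading @{...} that the bug is about: a well-formed variable name is substituted from the policy's variables, while any other brace body is kept as a literal @ followed by an alternation, which is the 4.x behaviour described above. The variable-name grammar (letter or underscore, then letters, digits or underscores) is an assumption of this example.

```python
import re

# Assumed variable-name grammar (an assumption of this example, not taken
# from the AppArmor parser): @{HOME}, @{PROC} and similar. A brace body
# such as "alt1,alt2" does not match and must be read as an alternation.
VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def split_top_level(body):
    """Split 'a,b{c,d},e' on commas that are not inside nested braces."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "{") - (ch == "}")
        cur += ch
    parts.append(cur)
    return parts


def expand(pattern):
    """Expand every {x,y} alternation in pattern into concrete strings."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for i in range(start, len(pattern)):
        depth += (pattern[i] == "{") - (pattern[i] == "}")
        if depth == 0:
            break
    else:
        raise ValueError("unterminated '{' in %r" % pattern)
    head, body, tail = pattern[:start], pattern[start + 1:i], pattern[i + 1:]
    results = []
    for option in split_top_level(body):
        results.extend(expand(head + option + tail))
    return results


def resolve_abstract_addr(addr, variables):
    """Return the literal abstract addresses an addr= value covers.
    A leading well-formed @{NAME} is a variable reference; a leading @{...}
    whose body is not a valid name stays a literal '@' plus an alternation
    (the AppArmor 4.x reading that the bug asks to restore)."""
    if addr.startswith("@{"):
        close = addr.find("}")
        name = addr[2:close] if close != -1 else ""
        if VAR_NAME.match(name):
            if name not in variables:
                raise ValueError("undefined variable @{%s}" % name)
            addr = variables[name] + addr[close + 1:]
    if not addr.startswith("@"):
        raise ValueError("abstract socket address must start with '@': %r" % addr)
    return sorted(expand(addr))
```

For the rule in the description, resolve_abstract_addr("@{alt1,alt2}-test", {}) yields the two literal addresses @alt1-test and @alt2-test rather than an error about an invalid variable.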
