3.0.1: apparmor parser tries to load profiles in wrong order
This is a regression compared to the 2.13 parser.
I have a profile
/etc/apparmor.d/usr.sbin.myapp
which is the main profile for the app:
```
#include <tunables/global>
/usr/sbin/myapp flags=(attach_disconnected) {
#include <abstractions/base>
[...]
}
```
and a few thousand hats for it, each in a separate file, like:
/etc/apparmor.d/usr.sbin.myapp-301374
/etc/apparmor.d/usr.sbin.myapp-301386
/etc/apparmor.d/usr.sbin.myapp-301387
[over 7k of these]
and each usr.sbin.myapp-XYZ file looks like this:
```
#include <tunables/global>
hat /usr/sbin/myapp//HAT_298825 {
[...]
}
```
apparmor_parser tries to load them in parallel (8-core CPU here) but does that in the wrong order:
```
# /etc/init.d/apparmor stop; rm -rf /var/cache/apparmor/*; /sbin/apparmor_parser -vvv --add -- /etc/apparmor.d 2>&1 | tee log2
Stopping apparmor service......................................................................................................................................................................................................[ WORK ]
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302054". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302040". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302071". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_301286". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_298825". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302155". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_301273". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_134295". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_192383". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_25042". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_301341". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302226". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302052". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302031". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_302169". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_301357". Profile doesn't exist
/sbin/apparmor_parser: Unable to add "/usr/sbin/myapp//HAT_301386". Profile doesn't exist
Addition succeeded for "SOMEHAT".
Addition succeeded for "HAT_no_access".
Addition succeeded for "/usr/sbin/myapp". <---------- main profile
Addition succeeded for "/usr/sbin/myapp//HAT_301374".
Addition succeeded for "/usr/sbin/myapp//HAT_302228".
[...]
```
The parser should load the main profile first and then the hats, but... how will it know which is which without looking into all the profile files?
Some filename based ordering could be implemented.
Edited by arekm
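
A possible workaround for the ordering problem in this report, as an added example that is not part of the original report or of AppArmor: it looks into each file for a top-level `hat <parent>//<name>` declaration and runs the parser in two passes, parents first, so every hat that failed above with "Profile doesn't exist" is added only after its parent. The function names and the `PARSER` override are made up for this example; it assumes the directory holds only profile files and subdirectories, and file names without whitespace.

```shell
#!/bin/sh
# Added example, not part of the report or of AppArmor itself.
# Assumption: hat-only files declare "hat <parent>//<name> {" as in the report.

# is_hat_file FILE: succeeds when FILE declares an external hat
# (for example "hat /usr/sbin/myapp//HAT_298825 {").
is_hat_file() {
    grep -Eq '^[[:space:]]*hat[[:space:]]+[^[:space:]]+//[^[:space:]]+' "$1"
}

# list_profiles KIND DIR: print the regular files in DIR of KIND
# ("parent" or "hat"); subdirectories such as tunables/ are skipped.
list_profiles() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if is_hat_file "$f"; then kind=hat; else kind=parent; fi
        if [ "$kind" = "$1" ]; then printf '%s\n' "$f"; fi
    done
}

# load_order DIR: the full load order, every parent before any hat.
load_order() {
    list_profiles parent "$1"
    list_profiles hat "$1"
}

# load_parent_first DIR: one parser pass per kind, so the parent profiles are
# already loaded when the hats are added. Each pass can still run in parallel.
# PARSER may be overridden (for example PARSER=echo) for a dry run.
load_parent_first() {
    parser=${PARSER:-/sbin/apparmor_parser}
    for kind in parent hat; do
        files=$(list_profiles "$kind" "$1")
        [ -n "$files" ] || continue
        printf '%s\n' "$files" | xargs "$parser" --add -- || return 1
    done
}
```

`PARSER=echo load_parent_first /etc/apparmor.d` prints the parser invocations without loading anything.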