apparmor wildcard profile with globbing

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I am running Ubuntu 16.04 with apparmor 2.10.95-0ubuntu2.7. I often need to comment on software of dubious quality. I want to employ apparmor to guard my system from harm.



I created an apparmor wildcard profile like this:



/home/username/testing/** 
somerules



Unfortunately, this profile has no effect. It works as expected as soon as I put the exact path without a wildcard:



/home/username/testing/client42/executable 
somerules



On the manpage, it looks like globbing is supported for profiles:



PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '' ( RULES )* ''
PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME


This wiki article says so, too. There even is a user reporting success.



What am I missing?

Do wildcards in profiles need to be explicitly enabled in a configuration file?

Is globbing disabled in the Ubuntu build?







share|improve this question


























    up vote
    2
    down vote

    favorite












    I am running Ubuntu 16.04 with apparmor 2.10.95-0ubuntu2.7. I often need to comment on software of dubious quality. I want to employ apparmor to guard my system from harm.



    I created an apparmor wildcard profile like this:



    /home/username/testing/** 
    somerules



    Unfortunately, this profile has no effect. It works as expected as soon as I put the exact path without a wildcard:



    /home/username/testing/client42/executable 
    somerules



    On the manpage, it looks like globbing is supported for profiles:



    PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '' ( RULES )* ''
    PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME


    This wiki article says so, too. There even is a user reporting success.



    What am I missing?

    Do wildcards in profiles need to be explicitly enabled in a configuration file?

    Is globbing disabled in the Ubuntu build?







    share|improve this question
























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I am running Ubuntu 16.04 with apparmor 2.10.95-0ubuntu2.7. I often need to comment on software of dubious quality. I want to employ apparmor to guard my system from harm.



      I created an apparmor wildcard profile like this:



      /home/username/testing/** 
      somerules



      Unfortunately, this profile has no effect. It works as expected as soon as I put the exact path without a wildcard:



      /home/username/testing/client42/executable 
      somerules



      On the manpage, it looks like globbing is supported for profiles:



      PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '' ( RULES )* ''
      PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME


      This wiki article says so, too. There even is a user reporting success.



      What am I missing?

      Do wildcards in profiles need to be explicitly enabled in a configuration file?

      Is globbing disabled in the Ubuntu build?







      share|improve this question














      I am running Ubuntu 16.04 with apparmor 2.10.95-0ubuntu2.7. I often need to comment on software of dubious quality. I want to employ apparmor to guard my system from harm.



      I created an apparmor wildcard profile like this:



      /home/username/testing/** 
      somerules



      Unfortunately, this profile has no effect. It works as expected as soon as I put the exact path without a wildcard:



      /home/username/testing/client42/executable 
      somerules



      On the manpage, it looks like globbing is supported for profiles:



      PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '' ( RULES )* ''
      PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME


      This wiki article says so, too. There even is a user reporting success.



      What am I missing?

      Do wildcards in profiles need to be explicitly enabled in a configuration file?

      Is globbing disabled in the Ubuntu build?









      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 5 at 9:29

























      asked Jan 4 at 11:50









      Hermann

      49129




      49129




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with aa-enforce /etc/apparmor.d/<profile> or reloading the profile with apparmor_parser -r /etc/apparmor.d/<profile> as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via systemctl reload apparmor is sufficient to activate the wildcard profile, but a system restart definitely is.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f414755%2fapparmor-wildcard-profile-with-globbing%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote



            accepted










            Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with aa-enforce /etc/apparmor.d/<profile> or reloading the profile with apparmor_parser -r /etc/apparmor.d/<profile> as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via systemctl reload apparmor is sufficient to activate the wildcard profile, but a system restart definitely is.






            share|improve this answer
























              up vote
              2
              down vote



              accepted










              Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with aa-enforce /etc/apparmor.d/<profile> or reloading the profile with apparmor_parser -r /etc/apparmor.d/<profile> as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via systemctl reload apparmor is sufficient to activate the wildcard profile, but a system restart definitely is.






              share|improve this answer






















                up vote
                2
                down vote



                accepted







                up vote
                2
                down vote



                accepted






                Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with aa-enforce /etc/apparmor.d/<profile> or reloading the profile with apparmor_parser -r /etc/apparmor.d/<profile> as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via systemctl reload apparmor is sufficient to activate the wildcard profile, but a system restart definitely is.






                share|improve this answer












                Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with aa-enforce /etc/apparmor.d/<profile> or reloading the profile with apparmor_parser -r /etc/apparmor.d/<profile> as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via systemctl reload apparmor is sufficient to activate the wildcard profile, but a system restart definitely is.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 5 at 10:26









                Hermann

                49129




                49129






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f414755%2fapparmor-wildcard-profile-with-globbing%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?