apparmor wildcard profile with globbing
I am running Ubuntu 16.04 with apparmor 2.10.95-0ubuntu2.7. I often need to comment on software of dubious quality. I want to employ apparmor to guard my system from harm.
I created an apparmor wildcard profile like this:
    /home/username/testing/** {
      somerules
    }
Unfortunately, this profile has no effect. It works as expected as soon as I put the exact path without a wildcard:
    /home/username/testing/client42/executable {
      somerules
    }
On the manpage, it looks like globbing is supported for profiles:
    PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '{' ( RULES )* '}'
    PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME
This wiki article says so, too. There even is a user reporting success.
What am I missing?
Do wildcards in profiles need to be explicitly enabled in a configuration file?
Is globbing disabled in the Ubuntu build?
ubuntu wildcards apparmor
edited Jan 5 at 9:29
asked Jan 4 at 11:50
Hermann
1 Answer (accepted)
Tinkering around with this problem today, I found the wildcard profile working as expected after a reboot. It looks like setting the profile to enforce mode with `aa-enforce /etc/apparmor.d/<profile>` or reloading the profile with `apparmor_parser -r /etc/apparmor.d/<profile>` as described here and here is not sufficient for wildcard profiles. I am unsure if reloading the service via `systemctl reload apparmor` is sufficient to activate the wildcard profile, but a system restart definitely is.
answered Jan 5 at 10:26
Hermann
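A check that can be run after loading the profile, added here as an example and not part of the original question or answer: it reads the kernel's list of loaded profiles and a process's `/proc/<pid>/attr/current` label to show whether the wildcard profile is loaded and whether a given process is confined by it. The function names are illustrative assumptions; the two paths are the standard securityfs and procfs locations. AppArmor attaches a profile when a program is executed, so test with a process started after the profile was loaded.

```shell
#!/bin/bash
# Added example (not from the original post): verify that a glob-named
# AppArmor profile is loaded and that a process is confined by it.

# Kernel list of loaded profiles, one "name (mode)" entry per line, e.g.
#   /home/username/testing/** (enforce)      <- constructed sample line
# Reading it normally requires root.
PROFILES_FILE=/sys/kernel/security/apparmor/profiles

# profile_mode NAME [FILE]: print the mode of the loaded profile NAME,
# or "not-loaded". NAME is compared literally, so "**" is never expanded.
profile_mode() {
    local want="$1" file="${2:-$PROFILES_FILE}" line
    while IFS= read -r line; do
        # Split "name (mode)" at the last " (".
        if [ "${line% (*}" = "$want" ]; then
            line="${line##* (}"
            printf '%s\n' "${line%)}"
            return 0
        fi
    done < "$file"
    printf 'not-loaded\n'
    return 1
}

# confinement_of LABEL: interpret the content of /proc/<pid>/attr/current.
# Prints "unconfined" or "<profile> <mode>".
confinement_of() {
    local label="$1" mode
    case "$label" in
        unconfined) printf 'unconfined\n' ;;
        *" ("*")")  mode="${label##* (}"
                    printf '%s %s\n' "${label% (*}" "${mode%)}" ;;
        *)          printf '%s unknown\n' "$label" ;;
    esac
}

# check_pid PID: report the confinement of a running process.
check_pid() {
    confinement_of "$(cat "/proc/$1/attr/current")"
}

# Usage: script PROFILE_NAME [PID]
if [ "$#" -ge 1 ]; then
    echo "profile $1: $(profile_mode "$1")"
    if [ -n "${2:-}" ]; then echo "pid $2: $(check_pid "$2")"; fi
fi
```

The profile name must be passed exactly as written in the profile head (for example `'/home/username/testing/**'`, quoted so the shell does not expand it); the executable's own path is not a profile name.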