[pkg-apparmor] Bug#1003158: apparmor: tunables/home seems to have wrong order of variables

Karsten Hilbert Karsten.Hilbert at gmx.net
Fri Jan 7 19:27:59 GMT 2022 

Am Fri, Jan 07, 2022 at 07:42:56PM +0100 schrieb Karsten Hilbert:

> Now on to digging into why my attempt to extend @{HOME}
> did not seem to work ...

This is on Debian Bullseye.

I have relocated homedirs individually:

	root at pireus:/etc/apparmor.d/tunables/home.d# ls -al /home/
	insgesamt 8
	drwxr-xr-x  2 root root 4096  3. Apr 2019  .
	drwxr-xr-x 22 root root 4096  7. Jan 19:03 ..
	lrwxrwxrwx  1 root root   35  3. Apr 2019  brulefa -> /mnt/SEAGATE-DM010-1TB/home.brulefa
	lrwxrwxrwx  1 root root   31  3. Apr 2019  ncq -> /mnt/SEAGATE-DM010-1TB/home.ncq

Apparmor does not seem to extend permissions to link targets
automatically (likely for good reason).

So I traced homedirs from usr.bin.akonadiserver to
tunables/global -> tunables/home -> tunables/home.d ->
tunables/home.d/site.local in which I eventually said

	@{HOME}+=/mnt/SEAGATE-DM010-1TB/home.ncq/ /mnt/SEAGATE-DM010-1TB/home.brulefa/

(which doesn't scale but there's only two users)

This is to be expected:

	root at pireus:/etc/apparmor.d/tunables/home.d# apparmor_parser -Q -d site.local
	Failed to find declaration for: HOME
	AppArmor-Analysefehler f?r site.local in site.local in Zeile 16: variable @{HOME} was not previously declared, but is being assigned additional values

As is this:

	root at pireus:/etc/apparmor.d/tunables# apparmor_parser -Q -d home
	----- Debugging built structures -----
	root at pireus:/etc/apparmor.d/tunables#

and this:

	root at pireus:/etc/apparmor.d/tunables# apparmor_parser -Q -d global
	----- Debugging built structures -----
	root at pireus:/etc/apparmor.d/tunables#

This shows the homedirs having been added:

	root at pireus:/etc/apparmor.d# apparmor_parser -Q -d usr.bin.akonadiserver
	----- Debugging built structures -----
	Name:           /usr/bin/akonadiserver
	Profile Mode:   Complain

	... many lines snipped ...

	Mode:   rwalk:  Name:   ({/home//*//.local/share,/root//.local/share,/mnt/SEAGATE-DM010-1TB/home.ncq//.local/share,/mnt/SEAGATE-DM010-1TB/home.brulefa//.local/share}/akonadi/*)
	        link:   (/**)
	Mode:   rwak:   Name:   ({/home//*//.local/share,/root//.local/share,/mnt/SEAGATE-DM010-1TB/home.ncq//.local/share,/mnt/SEAGATE-DM010-1TB/home.brulefa//.local/share}/akonadi/**)

	... more lines snipped

and it seems to finish without error.

But then:

	root at pireus:/etc/apparmor.d# aa-complain usr.bin.akonadiserver

	ERROR: Values added to a non-existing variable @{HOME}: /mnt/SEAGATE-DM010-1TB/home.ncq/ /mnt/SEAGATE-DM010-1TB/home.brulefa/ in tunables/home.d/site.local
	root at pireus:/etc/apparmor.d#

I can't figure out why this happens.

Karsten
--
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B

More information about the pkg-apparmor-team mailing list