On 10/14/19 8:57 PM, Mikhail Morfikov wrote:
> Should the rules in the following test profile count as profile transitions?
>
Yes, those are all unique profile transitions.
> profile test /bin/test {
> /file1 rwl -> /some-file1,
> /file2 rwl -> /some-file2,
> /file3 rwl -> /some-file3,
> /file4 rwl -> /some-file4,
> /file5 rwl -> /some-file5,
> /file6 rwl -> /some-file6,
> /file7 rwl -> /some-file7,
> /file8 rwl -> /some-file8,
> /file9 rwl -> /some-file9,
> /file10 rwl -> /some-file10,
> /file11 rwl -> /some-file11,
> /file12 rwl -> /some-file12,
> /file13 rwl -> /some-file13,
> }
>
> When I try to load this profile, I get:
>
> # apparmor_parser -r test-profile
> Profile test has too many specified profile transitions.
>
Unfortunately apparmor only supports 12 of this style of transition in a
profile atm. There are 2 patch sets in the works to help address this. A
smaller patch that can be backported to older kernels, and userspaces. It
will raise the limit to 28 of this style of transition in a profile.
There is also a larger rework of how the permission set is stored and
accessed in apparmor, that will effectively remove the limit, allowing
for a few billion transitions if your computer can support it. But that
is a much larger patchset and will require a newer release of apparmor.
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
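
Added example, not part of the original thread and not AppArmor project code: a pre-load check that counts the distinct `->` targets in each profile and flags profiles over the limit of 12 quoted in the reply (28 is the figure given for the backportable patch). It assumes one `profile NAME ... {` header per line, treats every `-> TARGET,` rule as one transition, counts each target once, and does not follow includes or handle hats; the parser's own accounting may differ.

```python
import re

# Limits taken from the reply above: 12 today, 28 with the smaller patch.
CURRENT_LIMIT = 12
PATCHED_LIMIT = 28

# Assumption: profile headers look like "profile NAME [ATTACHMENT] {".
PROFILE_RE = re.compile(r"^profile\s+(\S+)[^{]*\{")
# Assumption: a transition is any rule ending in "-> TARGET,".
TRANSITION_RE = re.compile(r"->\s*([^\s,]+)\s*,")


def transition_targets(profile_text):
    """Return {profile name: set of distinct '->' targets} for the text."""
    found, stack = {}, []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        header = PROFILE_RE.match(line)
        if header:
            stack.append(header.group(1))
            found.setdefault(header.group(1), set())
        elif line == "}" and stack:
            stack.pop()  # end of the innermost open profile
        elif stack:
            found[stack[-1]].update(TRANSITION_RE.findall(line))
    return found


def over_limit(profile_text, limit=CURRENT_LIMIT):
    """Return {profile name: count} for profiles exceeding the limit."""
    counts = {n: len(t) for n, t in transition_targets(profile_text).items()}
    return {n: c for n, c in counts.items() if c > limit}


def sample_profile(n):
    """Constructed input: the test profile from the thread with n rules."""
    rules = "\n".join(
        f"  /file{i} rwl -> /some-file{i}," for i in range(1, n + 1)
    )
    return f"profile test /bin/test {{\n{rules}\n}}\n"


if __name__ == "__main__":
    for name, count in over_limit(sample_profile(13)).items():
        print(f"{name}: {count} transitions, limit is {CURRENT_LIMIT}")
```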
