Profile name length limitation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | Confirmed | Low | Unassigned | |
Canonical Click Reviewers tools (obsolete) | Fix Released | Undecided | Jamie Strandboge | |
Bug Description
The max profile name length is supposed to be (PATH_MAX - 1). However, there seems to be some sort of unintended limitation in place that is restricting it to 253 chars:
$ name=a; while [ $? -eq 0 ]; do prof="profile $name {}"; echo "$prof" | sudo apparmor_parser -qa && echo "$prof" | sudo apparmor_parser -qR && name=${name}a; done; echo "$name" | wc -m
apparmor_parser: Unable to add "aaaaaaaaaaaaaa
253
That command should result in the value of (PATH_MAX - 1) being printed.
$ apparmor_parser -V
AppArmor parser version 2.9.1
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.
$ uname -a
Linux boyd 3.19.0-28-generic #30-Ubuntu SMP Mon Aug 31 15:52:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
description: updated
Changed in click-reviewers-tools:
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: aa-kernel aa-parser
We should also verify that profile names of whatever length are accepted in all APIs: aa_change_hat(), aa_change_profile(), etc. may have their own limits. And once we sort this out we should clearly document the size limits in apparmor.d(5).
Thanks
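A quicker way to measure the accepted length than growing the name one character at a time, as an added example (not part of the original report or of AppArmor): it bisects on name length, assuming that if a name of some length loads, every shorter name loads too. `probe_apparmor` reuses the `apparmor_parser -qa` / `-qR` calls from the report; `make_name`, `max_accepted_len`, `probe_simulated` and `SIM_LIMIT` are hypothetical names, and the simulated probe with its limit of 300 is a constructed stand-in so the script runs without root.

```shell
#!/bin/sh
# Added example: bisect the longest profile name a loader accepts.

# Print a name of exactly $1 characters (all 'a', as in the report).
make_name() {
    printf "%${1}s" '' | tr ' ' 'a'
}

# Real probe: load, then remove, an empty profile with the given name.
# Needs root and apparmor_parser; same commands as the report's one-liner.
probe_apparmor() {
    prof="profile $1 {}"
    echo "$prof" | sudo apparmor_parser -qa &&
        echo "$prof" | sudo apparmor_parser -qR
}

# Constructed stand-in for a loader: rejects names longer than SIM_LIMIT.
# The default of 300 is an arbitrary sample value, not a measured limit.
probe_simulated() {
    [ "${#1}" -le "${SIM_LIMIT:-300}" ]
}

# max_accepted_len PROBE UPPER
# Prints the largest length in [0, UPPER] for which PROBE succeeds
# (0 if no length is accepted). Uses O(log UPPER) probe calls.
max_accepted_len() {
    probe=$1 lo=0 hi=$2
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if "$probe" "$(make_name "$mid")" >/dev/null 2>&1; then
            lo=$mid                       # mid is accepted: search above it
        else
            hi=$(( mid - 1 ))             # mid is rejected: search below it
        fi
    done
    echo "$lo"
}

# Offline demonstration against the simulated loader.
max_accepted_len probe_simulated 4095

# Against a real system (root required), with PATH_MAX - 1 as the upper bound:
#   max_accepted_len probe_apparmor $(( $(getconf PATH_MAX /) - 1 ))
```

The length is taken from the generated name itself, so no trailing newline enters the count.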