Fix AppArmor 3.0 support (closes #3659) #3660
Conversation
If the abstractions are using the @{run} variable, isn't that a bug in these abstractions and would be better addressed there?
Ubuntu 18.04 LTS still ships with 2.12. Though I could patch it when uploading to the PPA. |
|
@reinerh The two examples of So most likely |
AppArmor introduces the @{run} variable, which is used in
<abstractions/dbus-strict> and <abstractions/dbus-session-strict> among
other places. Thus, we follow suit of the built-in profiles and #include
<tunables/global>, which includes <tunables/run> in AppArmor 3.0,
defining the variable.
As <tunables/global> exists in previous versions of AppArmor, too, this
patch does not introduce a backward-compatibility issue with Apparmor
2.x.
AppArmor introduces the @{run} variable, which is used in
<abstractions/dbus-strict> and <abstractions/dbus-session-strict> among
other places. Thus, we must #include <tunables/run> to be able to call
these abstractions.
Standard profiles rely on <tunables/global> to include <tunables/run>, since it exists in previous AppArmor versions, too.
As an attempt at backwards compatibility, we #include if exists insteadof #include, since there is no <tunables/run> in AppArmor 2.x.
However, if exists is a relatively new feature, see e.g.https://phabricator.kde.org/D14526
(However, do note that if exists does not appear as a new feature in
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13).
Therefore, this commit restricts our compatibility to relatively new
(<10 months) old AppArmor releases only.
As an alternative, we could detect the AppArmor version at configuretime, and emit a firejail-default profile based on that.
Here, I opted for the simpler approach, as distributions likely to ship >10 months old AppArmor (Debian) support Firejail on their own via backports (according to https://github.com/netblue30/firejail/security/policy), anyways.