Skip to content

AppArmor.d

Equivalent

roddhjav/apparmor.d

AppArmor.d

roddhjav/apparmor.d

Home
Home
- Home
  Home
- Getting Started
  Getting Started
- Advanced
  Advanced
- Troubleshooting
  Troubleshooting
  - Known issues
  - System Recovery
Security
Security
- Security
  Security
- Security Model
  Security Model
- Implementation
  Implementation
  - Security Architecture
  - Security Hardening
Development
Development
- Development
  Development
  - Roadmap
- Profiles
  Profiles
  - Workflow
  - Guidelines
  - Internal
  - Directives
  - Dbus
  - Recommendations
- Packages
  Packages
  - Building the profiles
- Tests
  Tests
Abstractions
Abstractions
- Abstractions
  Abstractions
- Layers
  Layers
- System
  System
- Specialized
  Specialized
Linter
Linter
- Linter
  Linter
- Security Checks
  Security Checks
- Compatibility Checks
  Compatibility Checks
  - Abi
  - Bin
  - Directory Mark
  - Equivalent Equivalent
    On this page
    
    Problematic rule
    
    Correct rule
    
    Rationale
    
    Exceptions
- Style Checks
  Style Checks

`equivalent`¶

Missing rules to equivalent paths.

Problematic rule¶

# WRONG
@{bin}/grep ix,

Correct rule¶

@{bin}/{,e}grep ix,

Rationale¶

In AppArmor profiles, certain binaries may have equivalent paths that need to be explicitly allowed to ensure proper functionality.

For example, the grep binary can be accessed as both grep and egrep (exec grep -E "$@"). Failing to include rules for all equivalent paths will lead to unexpected denials in some distributions.

The following equivalent paths exist:

@{bin}/awk -> @{bin}/{m,g,}awk
@{bin}/grep -> @{bin}/{,e}grep
@{bin}/gs -> @{bin}/gs{,.bin}
@{bin}/which -> @{bin}/which{,.debianutils}
@{sbin}/xtables-legacy-multi -> @{sbin}/xtables-{nft,legacy}-multi
@{bin}/xtables-nft-multi -> @{sbin}/xtables-{nft,legacy}-multi

Exceptions¶

None