Bug #1964853 “various generic and specific x rule conflicts when…” : Bugs : AppArmor

We have the following relevant rules in our apparmor profile when you install the docker snap with –devmode (and some k8s related snaps too like microk8s):

change_profile unsafe /** -> docker-default,
change_profile unsafe /** -> cri-containerd.apparmor.d,
change_profile unsafe /**,
/** rwlix,

Recently, we needed to also add the following rules to the profile which breaks compiling the profile (using apparmor_parser from impish):

/snap/core/*/usr/lib/snapd/snap-confine Pxr -> /snap/core/12894/usr/lib/snapd/snap-confine,
/snap/snapd/*/usr/lib/snapd/snap-confine Pxr -> /snap/snapd/x1/usr/lib/snapd/snap-confine,

When we add these rules to the profile it can no longer be compiled because the rwlix rule for everything will conflict with the Pxr rules we have for those specific snap-confine paths.

What I had to do to get this profile to compile was actually to replace all the existing 4 rules in the profile with /** with extremely verbose/specific AARE patterns which exclude the snap-confine paths. This then compiles, but only when I replace all 4 rules with the set of rules. See PR in snapd for a full example https://github.com/snapcore/snapd/pull/11503.

jj mentioned this is likely a bug in the parser, possibly in the kernel.

Read more here: Source link