man profile

[jonleivent]

My understanding of AppArmor is pretty rudimentary at this point...

Your man profile has many Cx transitions to either man_groff or man_filter. However, if my meager understanding of AppArmor is correct, those profiles are not its children. They are defined in the same file, but outside the scope of the primary man profile without "//" qualifiers on their names, hence global. How does this work? Aren't man_groff and man_filter only reachable by Px transitions?

Also, what should users of this project do to segregate profiles that are packaged with their distro from the ones you provide? I'm using debian, which has a usr.bin.man profile that differs from yours. The packaged debian usr.bin.man profile appears to use stacking ("&" transitions), but has a similar Cx transition issue as your man profile which doesn't use stacking. Maybe both are broken because of the Cx transitions with no matching children? But, even if they both work, do I backup my distros provided profiles first and remove them from /etc/apparmor.d prior to installing yours? Or do you use profile namespaces somehow to keep them separate?

[roddhjav]

First the man profile has a lot of issues and does not work has indented. So I may even remove it, as the default profile still do the job.
The issues may come from the small variations there are between the transitions. In this context, because the called profile is in the same file, the transition is a Cx transition. (Now, I cannot find the source where I remember reading this, so don't quote me on this please...).

The Debian packaging manages the profiles overwriting from the distribution profile. See debian/apparmor.d.hide. So you will not have conflict and you have nothing to do.

[jonleivent]

@roddhjav
The existence of the usr.bin.man profile in the distros indicates you're right about cx transitions, but I'd really like to see where that rule is about cx transitions, as it seems to contradict what I read here:
https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage#child-profiles
but this is a bit ambiguous, admittedly. However, I thought I also read elsewhere that having multiple top-level profiles in the same file isn't treated any differently than if they are in different files - but I can't remember where I read that. So, we're even :)

[jonleivent]

I tried a test with a Cx rule transitioning to a named top-level profile in the same file - this on debian 12. It didn't work - but there was no message about it in the audit log. Changing to Px or making the target profile local within the calling profile both work.