Confused about some strange behaviour

[curiosityseeker]

Whenever new commits are made in this project I update it on my Arch system by executing makepkg -si in the apparmor.d-git directory. Today this created an update from apparmor.d-git-0.1270-1-x86_64.pkg.tar.zst to apparmor.d-git-0.1283-1-x86_64.pkg.tar.zst.

And I ran into problems: After updating apparmor.d I got a updates for Arch, among them a new grub version. I rebooted my system and voilà - I landed in systemd's emergency mode. So I executed aa-log and found 2 entries regarding mount:

ALLOWED mount file_inherit /boot/grub/grub.cfg.new comm=mount requested_mask=w denied_mask=w class=file
ALLOWED mount getattr info="Failed name lookup - disconnected path" comm=mount requested_mask=r denied_mask=r error=-13 class=file

So I added the attach_disconnected flag to the mountprofile, rebooted and all was well. However, to my surprise I noticed that that flag is already present on https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-m-r/mount (this was actually a commit by myself). But why wasn't it in the profile on my system?

Another example: The Brave profile on https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/browsers/brave has the following line 17:

profile brave @{exec_path} {

The profile on my system has - even after today's update - the line:

profile brave /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} flags=(complain) {

Other examples: in the apparmor.d/groups/apps directory are profiles for, e.g., Okular and Thunderbird. I had profiles for those applications before starting to use apparmor.d - but why are those profiles never overwritten when updating apparmor.d? Those apps are not included in the *.ignore files .

I'm sorry but I don't have an explanation for this behaviour. It seems that a number of profiles are not properly overwritten when updating apparmor.d. Am I doing something wrong?

[roddhjav]

To sum it up all of this is prebuild magic happening at package build time:

• The flags for some profile are overwritten by definition in dists/flags. This is why the flag for mount was ignored. I fixed this in d4d1b94
• There is a special prebuild (see in cmd/prebuild/main.go) that resolves the @{exec_path} variable. That is a requirement to keep compatibility with some aa tool like aa-enforce, aa-logprog...
• The default build switch all profiles in complain mode, this is why brave is prebuilt in complain mode
• In main.ignore the full apps group is ignored. I plan not ignore it, however, I found some issues with some of the profile in it, so I keep it this way for now.

[curiosityseeker]

* The flags for some profile are overwritten by definition in `dists/flags`. This is why the flag for `mount` was ignored. I fixed this in [d4d1b94](https://github.com/roddhjav/apparmor.d/commit/d4d1b949cd4cd5242e43882087414dfa57824040)

I see. Thanks!

* There is a special _prebuild_ (see in `cmd/prebuild/main.go`)  that resolves the `@{exec_path}` variable. That is a requirement to keep compatibility with some aa tool like aa-enforce, aa-logprog...

Yes, I'm aware of that. I'm just worried that the local profile doesn't match the profile on https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/browsers/brave . I still don't understand why.

* The default build switch all profiles in complain mode, this is why brave is _prebuilt_ in complain mode

Yes, I know. This is actually not what I'm worried about ;)

* In `main.ignore` the full `apps` group is ignored. I plan not ignore it, however, I found some issues with some of the profile in it, so I keep it this way for now.

Okay, I see. Sorry for missing that. I suggest to document this somewhere.

[curiosityseeker]

The problem that the profile on my system doesn't match the one on github also exists for Firefox. On https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/browsers/firefox the profile line is:

profile firefox @{exec_path} flags=(attach_disconnected) {

On my system the profile line is:

profile firefox /{{usr/,}bin/firefox{,.sh,-esr,-bin},{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin},opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}} flags=(attach_disconnected) {

I still don't get it. It's confusing.

[roddhjav]

I do not see any problem here. As mentionned, @{exec_path} is resolved into /{{usr/,}bin/firefox{,.sh,-esr,-bin},{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin},opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}}. The rest is the same.

[curiosityseeker]

I see. Btw, the attach_disconnected flag for kde-powerdevil is missing in https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags