[Apparmor-dev] readlink on non profile symlink succeeding?

Rob Meijer capibara at xs4all.nl
Sun Aug 17 14:18:15 MDT 2008


In the process of creating some useful example profiles for MinorFs, I
ran into a problem when testing these profiles on the AppArmor installation
that comes with Suse 11.0. I would like to know if this is an old bug, an
existing bug, or just my limited understanding of how the profiles work.

If MinorFs is running, the directory /mnt/minorfs/priv (which is a Fuse
mountpoint) contains two symbolic links, the first called 'tmp' and the
second called 'home'. I created a hardlink /bin/minorbash_base that links
to /bin/bash and should run under a profile that gives access to all of
the /mnt/minorfs tree with the exception of /mnt/minorfs/priv. All seems
to be as expected, except that when I do 'ls -la /mnt/minorfs/priv/home'
from minorbash_base, I can read the symbolic link that points to a
/mnt/minorfs/cap/$SOMECAPSTRING directory.

Is there something I am doing wrong here in my profiles? If not, is this
an old bug that is fixed in the development tree, or is it a bug that has
not been seen and/or fixed yet?

T.I.A.

Rob J Meijer

-------------- /etc/apparmor.d/bin.minorbash_base ----------------
#include <tunables/global>

/bin/minorbash_base {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <minorfs/systemreadonly>
  #include <minorfs/base>
}

----------- /etc/apparmor.d/minorfs/systemreadonly ----------------
  / r,
  /bin/ r,
  /bin/** mixr,
  /usr/ r,
  /usr/bin r,
  /usr/bin/* mixr,
  /usr/local/ r,
  /usr/local/* r,
  /usr/local/bin/* mixr,
  /usr/local/*/bin/* mixr,
  /usr/** r,
  /etc/ r,
  /etc/** r,
  /lib/ r,
  /lib/** r,
  /lib64/ r,
  /lib64/** r,
  @{HOMEDIRS} r,
  @{HOME} r,
  @{HOME}/** r,

------------- /etc/apparmor.d/minorfs/base -----------------
  /mnt/ r,
  /mnt/minorfs/ r,
  /mnt/minorfs/cap/ r,
  /mnt/minorfs/cap/** rw,
  /mnt/minorfs/ctkr/ r,
  /mnt/minorfs/ctkr/** rw,
