While I get the results you describe with the testcase you've provided, I don't think the description is completely accurate.
I performed my testing on:
Linux hunt 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
I went far simpler:
cp /bin/bash /tmp/
Use this profile:
/tmp/bash {
/tmp/bash rmix,
/lib/** rm,
/dev/tty rw,
}
apparmor_parser tmp.bash
Start the /tmp/bash shell, try to run 'ls':
bash: /bin/ls: Permission denied
Add /bin/ls rmix, to the profile
apparmor_parser --replace tmp.bash
Try ls again and you get a new error:
ls: cannot open directory .: Permission denied
Add /tmp/ r, to the profile, reload and re-ls, and it works.
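The same three-step reproduction as a script, added here as an example and not written by the comment's author; it assumes Ubuntu paths (/bin/bash, /bin/ls), apparmor_parser in PATH, root for the profile-loading steps, and uses /tmp/tmp.bash as the profile file name.

```shell
#!/bin/bash
# Reproduces the incremental AppArmor confinement test from the comment above.
# Assumptions: Ubuntu paths, apparmor_parser in PATH, and root for the
# loading steps. PROFILE is an assumed file name for the profile text.

PROFILE=/tmp/tmp.bash

# Render the /tmp/bash profile: the three baseline rules plus any extra rules
# passed as arguments, one rule per argument, e.g. "/bin/ls rmix,".
render_profile() {
  printf '/tmp/bash {\n'
  printf '  /tmp/bash rmix,\n'
  printf '  /lib/** rm,\n'
  printf '  /dev/tty rw,\n'
  for rule in "$@"; do
    printf '  %s\n' "$rule"
  done
  printf '}\n'
}

# Write the profile with the given extra rules, load it (--replace is assumed
# to load a not-yet-loaded profile as well), then run ls from /tmp under the
# confined copy of bash and show whatever denial it produces.
try_step() {
  local label=$1; shift
  render_profile "$@" > "$PROFILE"
  apparmor_parser --replace "$PROFILE"
  echo "== $label =="
  /tmp/bash -c 'cd /tmp && ls' 2>&1 || true
}

reproduce() {
  cp /bin/bash /tmp/bash
  # Expected per the comment: "bash: /bin/ls: Permission denied"
  try_step "baseline"
  # Expected: "ls: cannot open directory .: Permission denied"
  try_step "allow exec of ls" "/bin/ls rmix,"
  # Expected: the listing works
  try_step "allow reading /tmp/" "/bin/ls rmix," "/tmp/ r,"
}

# Only touch the system when explicitly asked ("run"), so the file can be
# sourced to inspect render_profile without loading anything.
if [ "${1:-}" = "run" ]; then
  reproduce
fi
```

Run as root with `./repro.sh run`; without the argument only the profile renderer is defined.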