[apparmor] Minimal apparmor profile

Seth Arnold seth.arnold at gmail.com
Fri Dec 9 18:21:46 UTC 2011


We (used to?) ship a tool 'autodep' (perhaps renamed aa-autodep?) that would parse the output of ldd on a binary and spit out a profile for the application, ensuring the libraries were covered.

You can replace a single profile with apparmor_parser --reload /etc/apparmor.d/path.to.profile. I like using vim's % to represent a file name and run this while editing a profile. Be sure to :w the file first:

:!apparmor_parser --reload %

-----Original Message-----
From: Alex Coventry <throwaway at MIT.EDU>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Fri, 09 Dec 2011 13:11:41 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] Minimal apparmor profile


Hi, does anyone have the minimal profile necessary to allow a
gcc-compiled hello-world program to run on ubuntu?  

Alternatively, is there a quick way to reload a single profile, without
restarting apparmor?  It would be pretty easy to figure the minimal
ruleset out by successively trimming entries from abstractions/base,
given that.

Also, is there an apparmor rule allowing the prctl syscall?

Best regards,
Alex

-- 
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

