[apparmor] debugging aa_change_profile
Jeroen Ooms
jeroen.ooms at stat.ucla.edu
Thu Apr 26 16:52:32 UTC 2012
I wrote a wrapper to aa_change_profile for R. I got it to work to the
point where it returns 0 and when I call it a line appears in
/var/log/kern.log like this:
Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901
However, the permissions do not actually seem to change. I don't think
it has actually applied a new profile. Also I noted that regardless of
what profile name I pass as the argument, it always succeeds, even
when there is no such profile.
The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
am trying to switch to 'testprofile' and read /etc/passwd.
#include <tunables/global>

/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  / rw,
  /** mrwlkix,

  profile testprofile {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    deny /boot/** rwx,
    deny /etc/passwd rwx,

    capability kill,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_tty_config,

    / rw,
    /** mrwlkix,
  }
}
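As an added example that is not part of the post or of AppArmor's own tooling: a small Python parser for AppArmor audit records such as the kern.log line quoted above. It relies on two properties of the record format, that the audit layer writes a field value containing non-printable bytes unquoted as hex rather than as a quoted string, and that apparmor="ALLOWED" is the verdict a profile in complain mode logs for a request it would deny in enforce mode, and reads the record as it appears in the post (the sample line is constructed from it).

```python
import re

# Constructed sample: the kern.log record quoted in the post, rejoined onto one line.
SAMPLE_LINE = (
    'Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 '
    'audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" '
    'parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901'
)

# key="quoted value" or key=unquoted-token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_fields(line):
    """Map each audit key=value pair in an AppArmor log line to its value.

    Quoted values come back as str. The audit layer writes a string holding
    quotes, whitespace or non-printable bytes unquoted and hex-encoded instead,
    so an unquoted even-length run of uppercase hex digits that is not a plain
    decimal number is decoded back to the raw bytes the kernel saw.
    """
    fields = {}
    for key, quoted, raw in FIELD_RE.findall(line):
        if raw and len(raw) % 2 == 0 and not raw.isdigit() and re.fullmatch(r'[0-9A-F]+', raw):
            fields[key] = bytes.fromhex(raw)
        else:
            fields[key] = raw or quoted
    return fields


def assess_change_profile(fields):
    """State what a change_profile audit record does and does not confirm."""
    if fields.get('operation') != 'change_profile':
        return ['not a change_profile record']
    notes = []
    if fields.get('apparmor') == 'ALLOWED':
        notes.append('apparmor="ALLOWED" is the complain-mode verdict: the request was '
                     'logged but not enforced and would be DENIED under flags=(enforce), '
                     'so aa_change_profile() returning 0 does not mean the transition '
                     'was permitted by the profile')
    target = fields.get('target')
    if isinstance(target, bytes):
        notes.append('target was hex-encoded by audit (%r): the kernel received '
                     'non-printable bytes rather than a profile name, so it cannot '
                     'match any loaded profile' % (target,))
    elif target is not None:
        notes.append('target profile name as received by the kernel: %s' % target)
    return notes


if __name__ == '__main__':
    for note in assess_change_profile(parse_audit_fields(SAMPLE_LINE)):
        print('-', note)
```

Run against the record above, the target field decodes to the bytes 30 3B 99 01 rather than the string "testprofile", which is what the parser reports.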