[apparmor] debugging aa_change_profile

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Thu Apr 26 16:52:32 UTC 2012


I wrote a wrapper to aa_change_profile for R. I got it to work to the
point where it returns 0, and when I call it a line appears in
/var/log/kern.log like this:

Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901

However, the permissions do not actually seem to change. I don't think
it has actually applied a new profile. Also I noted that regardless of
what profile name I pass as the argument, it always succeeds, even
when there is no such profile.

The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
am trying to switch to 'testprofile' and read /etc/passwd.


#include <tunables/global>

/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  / rw,
  /** mrwlkix,

  profile testprofile {

    #include <abstractions/base>
    #include <abstractions/nameservice>

    deny /boot/** rwx,
    deny /etc/passwd rwx,

    capability kill,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_tty_config,

    / rw,
    /** mrwlkix,
  }
}
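An added example, not part of the post: a parser for the kern.log line quoted above that decodes the audit subsystem's hex-encoded fields (the kernel writes a string field unquoted as upper-case hex when it holds a byte outside printable ASCII, a double quote or a space) and lists what the event does and does not prove. Decoding target=303B9901 yields the bytes `0;\x99\x01`, which is not a profile name, and apparmor="ALLOWED" is what complain mode logs for a transition the parent profile's rules did not permit, so nothing in testprofile is being enforced. The field list and the finding strings are my own.

```python
import re

# The kern.log line quoted in the post above, used as sample input.
SAMPLE = ('Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 '
          'audit(1335458735.939:91): apparmor="ALLOWED" '
          'operation="change_profile" parent=25782 profile="/usr/bin/R" '
          'pid=25839 comm="R" target=303B9901')

# String-valued audit fields: the kernel writes one of these unquoted as
# upper-case hex when it holds a byte outside printable ASCII, a double
# quote or a space; numeric fields (pid, parent) are never encoded.
STRING_FIELDS = {'apparmor', 'operation', 'profile', 'target', 'comm', 'name'}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

COMPLAIN = ('ALLOWED on change_profile: complain mode logged a transition the '
            'profile rules did not permit; nothing is being enforced')
BAD_TARGET = ('target is not a printable profile name: the wrapper passed '
              'something other than the intended string')


def parse_apparmor_line(line):
    """Split the audit(...) part of a kernel log line into a dict. String
    fields come back as bytes (hex-decoded where audit encoded them)."""
    m = re.search(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$', line)
    if m is None:
        return None
    fields = {'audit_ts': m.group(1), 'audit_serial': m.group(2)}
    for fm in FIELD_RE.finditer(m.group(3)):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        if quoted is not None:
            fields[key] = quoted.encode()
        elif key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', bare):
            fields[key] = bytes.fromhex(bare)   # audit hex-encoded value
        else:
            fields[key] = bare
    return fields


def assess_change_profile(fields):
    """Findings a reviewer would raise for a change_profile audit event."""
    findings = []
    if fields.get('operation') != b'change_profile':
        return findings
    if fields.get('apparmor') == b'ALLOWED':
        findings.append(COMPLAIN)
    target = fields.get('target', b'')
    # A real profile name is printable ASCII with no spaces.
    if not target or any(b < 0x21 or b > 0x7e for b in target):
        findings.append(BAD_TARGET)
    return findings
```

Running `assess_change_profile(parse_apparmor_line(SAMPLE))` returns both findings for the line in the post.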
