[apparmor] debugging aa_change_profile

Seth Arnold seth.arnold at gmail.com
Thu Apr 26 17:00:37 UTC 2012


It always succeeds because your R profile is in complain mode -- under the assumption that you're building profiles using the tools that will then create the profiles as necessary.

Remove the complain flag and re-run the tests and you'll see that only allowed profile changes actually succeed and the log entries will change from ALLOWED to DENIED.

Since this one was allowed rather than not logged at all, it still isn't right; what does that string in the "target=" decode to?


-----Original Message-----
From: Jeroen Ooms <jeroen.ooms at stat.ucla.edu>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 26 Apr 2012 09:52:32 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] debugging aa_change_profile

I wrote a wrapper to aa_change_profile for R. I got it to work to the
point where it returns 0 and when I call it a line appears in
/var/log/kern.log like this:

Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400
audit(1335458735.939:91): apparmor="ALLOWED"
operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839
comm="R" target=303B9901

However, the permissions do not actually seem to change. I don't think
it has actually applied a new profile. Also I noted that regardless of
what profile name I pass as the argument, it always succeeds, even
when there is no such profile.

The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
am trying to switch to 'testprofile' and read /etc/passwd.


#include <tunables/global>

/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  / rw,
  /** mrwlkix,

  profile testprofile {

    #include <abstractions/base>
    #include <abstractions/nameservice>

    deny /boot/** rwx,
    deny /etc/passwd rwx,

    capability kill,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_tty_config,

    / rw,
    /** mrwlkix,
  }
}
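To answer the "what does target= decode to?" question above, here is a small added parser (not code from either poster) for AppArmor kernel audit records such as the kern.log line in the original mail. It assumes the kernel's audit convention that a string field containing non-printable bytes is logged as bare uppercase hex without quotes; the sample record is the thread's line re-joined onto one line.

```python
import re

# Constructed sample: the kern.log record quoted in the thread, re-joined onto one line.
SAMPLE = ('Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 '
          'audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" '
          'parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901')

# Audit fields are key="value" or key=bareword.  For string-valued fields the kernel
# drops the quotes and hex-encodes the value when it contains non-printable bytes,
# so a bare hex token in one of these fields means the logged string was not clean.
STRING_FIELDS = {'profile', 'target', 'name', 'comm', 'operation', 'info'}
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')

def parse_audit_line(line):
    """Split an AppArmor audit record into a dict; hex-encoded strings become bytes."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in STRING_FIELDS and HEX_RE.match(raw):
            fields[key] = bytes.fromhex(raw)      # untrusted string logged as hex
        else:
            fields[key] = raw
    return fields

def check_change_profile(fields):
    """Return findings for a change_profile record that explain why it is not right."""
    findings = []
    if fields.get('operation') != 'change_profile':
        return findings
    if fields.get('apparmor') == 'ALLOWED':
        # ALLOWED means "would have been denied, but the profile is in complain mode".
        findings.append('complain mode: change_profile was logged but not enforced')
    target = fields.get('target')
    if isinstance(target, bytes):
        shown = target.decode('ascii', 'backslashreplace')
        findings.append('target is hex-encoded (%s): not a valid profile name' % shown)
    return findings

if __name__ == '__main__':
    parsed = parse_audit_line(SAMPLE)
    print(parsed['target'])                 # b'0;\x99\x01'
    for finding in check_change_profile(parsed):
        print(finding)
```

The decoded target is the four bytes `0 ; 0x99 0x01`, i.e. the wrapper handed the kernel something other than the NUL-terminated profile name it intended.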
