[apparmor] debugging aa_change_profile

John Johansen john.johansen at canonical.com
Thu Apr 26 17:32:12 UTC 2012


On 04/26/2012 09:52 AM, Jeroen Ooms wrote:
> I wrote a wrapper to aa_change_profile for R. I got it to work to the
> point where it returns 0 and when I call it a line appears in
> /var/log/kern.log like this:
> 
> Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400
> audit(1335458735.939:91): apparmor="ALLOWED"
> operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839
> comm="R" target=303B9901
> 
oh that looks like a bug :(

I used aa-decode on target=303B9901
and got back
Decoded: 0;�

> However, the permissions do not actually seem to change. I don't think
> it has actually applied a new profile. Also I noted that regardless of
> what profile name I pass as the argument, it always succeeds, even
> when there is no such profile.
> 
As Seth said, complain mode always succeeds, and audits/complains about things
that would not normally be allowed.

You can check what profile a task is currently confined by by looking in
/proc/<pid>/attr/current

where <pid> is the pid of the task you want to introspect

If you are using apparmor 2.7/2.8 you can use the libapparmor routines
aa_getcon or aa_gettaskcon to do the introspection.

However, if your profile is enforcing, it will need to list permission
to the interface.

apparmor 2.8 also has the aa-exec utility, which allows you to use/play with
change_profile and change_onexec from the command line.

> The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
> am trying to switch to 'testprofile' and read /etc/passwd.
> 
> 
> #include <tunables/global>
> 
> /usr/bin/R flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
> 
>   capability kill,
>   capability net_bind_service,
>   capability setgid,
>   capability setuid,
>   capability sys_tty_config,
> 
>   / rw,
>   /** mrwlkix,
> 
>   profile testprofile {
> 
>     #include <abstractions/base>
>     #include <abstractions/nameservice>
> 
>     deny /boot/** rwx,
>     deny /etc/passwd rwx,
> 
>     capability kill,
>     capability net_bind_service,
>     capability setgid,
>     capability setuid,
>     capability sys_tty_config,
> 
>     / rw,
>     /** mrwlkix,
>   }
> }
> 
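The two checks suggested in the reply above (decoding the hex-encoded audit field the way aa-decode does, and comparing /proc/<pid>/attr/current before and after the call instead of trusting aa_change_profile's return value) as an added, stand-alone example. This is not code from the thread or from the AppArmor project; the audit line and the /proc/<pid>/attr/current contents it works on are constructed samples in the shape shown above, and the set of string-valued audit fields it hex-decodes is an assumption of this example.

```python
"""Check what aa_change_profile(2) actually did, from user space.

Added example for this thread; not AppArmor project code.  Two offline checks:

1. Decode the kernel audit line.  AppArmor hex-encodes an audit field whose
   value contains unprintable bytes and emits it without quotes (which is why
   target=303B9901 has no quotes); aa-decode reverses that, as decode_field()
   does here.
2. Parse /proc/<pid>/attr/current, which reads "unconfined" for an unconfined
   task and "<profile> (<mode>)" for a confined one, a child profile being
   written "<parent>//<child>".

All sample strings below are constructed for this example.
"""
import re

# Constructed sample with the same shape as the line quoted in the thread.
SAMPLE_AUDIT_LINE = (
    'type=1400 audit(1335458735.939:91): apparmor="ALLOWED" '
    'operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 '
    'comm="R" target=303B9901'
)

# Constructed /proc/<pid>/attr/current contents, before and after the call.
SAMPLE_BEFORE = "/usr/bin/R (complain)\n"
SAMPLE_AFTER = "/usr/bin/R//testprofile (complain)\n"

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Assumed list of string-valued audit fields; only these are hex-decoded, so
# a numeric field such as type=1400 is not mistaken for two hex bytes.
STRING_FIELDS = {"profile", "target", "name", "comm", "info", "operation",
                 "apparmor", "requested_mask", "denied_mask"}


def decode_field(key, raw):
    """Return the readable value of one key=value audit field.

    A quoted value is returned verbatim (the kernel quotes printable strings,
    so an all-hex name such as "abcd" is not touched).  An unquoted all-hex
    value in a string field is decoded byte by byte; unprintable bytes are
    rendered as \\xNN so the result is safe to print.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and _HEX_RE.match(raw):
        return "".join(chr(b) if 32 <= b < 127 else "\\x%02X" % b
                       for b in bytes.fromhex(raw))
    return raw


def parse_audit_line(line):
    """Split a type=1400 audit line into a dict of decoded fields."""
    return {key: decode_field(key, raw) for key, raw in _FIELD_RE.findall(line)}


def parse_attr_current(text):
    """Return (profile, mode) from /proc/<pid>/attr/current contents.

    mode is None for an unconfined task, otherwise "enforce" or "complain".
    """
    text = text.strip()
    m = re.match(r"^(.*) \((\w+)\)$", text)
    if m:
        return m.group(1), m.group(2)
    return text, None


def read_attr_current(pid="self"):
    """Read and parse /proc/<pid>/attr/current; None where it is unavailable."""
    try:
        with open("/proc/%s/attr/current" % pid) as fh:
            return parse_attr_current(fh.read())
    except OSError:
        return None


def change_took_effect(before_text, after_text, wanted):
    """True only if the task moved from its old profile onto `wanted`.

    A 0 return from aa_change_profile is not evidence on its own: in complain
    mode the call succeeds even for a profile that does not exist, so the
    label has to be compared before and after the call.
    """
    before, _ = parse_attr_current(before_text)
    after, _ = parse_attr_current(after_text)
    return before != after and after == wanted


if __name__ == "__main__":
    fields = parse_audit_line(SAMPLE_AUDIT_LINE)
    print("decision=%s operation=%s target=%r"
          % (fields["apparmor"], fields["operation"], fields["target"]))
    print("constructed transition applied:",
          change_took_effect(SAMPLE_BEFORE, SAMPLE_AFTER,
                             "/usr/bin/R//testprofile"))
    live = read_attr_current()
    print("this process:", live if live else "no AppArmor attr available")
```

On the sample line, target decodes to `0;\x99\x01`: two printable bytes followed by two that are not, which matches the `Decoded: 0;` followed by garbage that aa-decode printed above. Running the script on a real system prints the label of the current process as a last line, so it can be invoked from the wrapper both before and after aa_change_profile to see whether the label changed.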