[apparmor] debugging aa_change_profile

Seth Arnold seth.arnold at gmail.com
Thu Apr 26 18:27:57 UTC 2012


Something was nagging me and I just figured out what I overlooked -- your "testprofile" here is actually named "/usr/bin/R//testprofile". Make sure you're using the right name to the aa_change_profile() call.
-----Original Message-----
From: Jeroen Ooms <jeroen.ooms at stat.ucla.edu>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 26 Apr 2012 09:52:32 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] debugging aa_change_profile

I wrote a wrapper to aa_change_profile for R. I got it to work to the
point where it returns 0 and when I call it a line appears in
/var/log/kern.log like this:

Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901

However, the permissions do not actually seem to change. I don't think
it has actually applied a new profile. Also I noted that regardless of
what profile name I pass as the argument, it always succeeds, even
when there is no such profile.

The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
am trying to switch to 'testprofile' and read /etc/passwd.


#include <tunables/global>

/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  / rw,
  /** mrwlkix,

  profile testprofile {

    #include <abstractions/base>
    #include <abstractions/nameservice>

    deny /boot/** rwx,
    deny /etc/passwd rwx,

    capability kill,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_tty_config,

    / rw,
    /** mrwlkix,
  }
}

-- 
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
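An added example illustrating the naming point in the reply above (this is not code from the thread, from libapparmor, or from the R wrapper): it walks an AppArmor policy text and reports the kernel-visible name of every profile it declares, so the child block in the posted policy comes out as /usr/bin/R//testprofile rather than testprofile. It then, if libapparmor is installed, hands that full name to aa_change_profile() through ctypes and reads /proc/self/attr/current to confirm the label actually changed. The policy text is a trimmed copy of the one posted; the function names profile_names and change_profile are chosen here.

```python
"""List the fully-qualified names of profiles in an AppArmor policy and,
optionally, switch into one with aa_change_profile() via libapparmor.

Added example for this thread; not code from libapparmor, the R wrapper,
or the list posts.
"""
import ctypes
import ctypes.util
import os
import re

# Constructed: a trimmed copy of the policy posted in the thread.
SAMPLE_POLICY = """\
#include <tunables/global>

/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  / rw,
  /** mrwlkix,

  profile testprofile {
    #include <abstractions/base>
    deny /etc/passwd rwx,
    /** mrwlkix,
  }
}
"""

# Opening line of a profile block, in any of the forms the parser accepts:
#   profile NAME [/attachment] [flags=(...)] {
#   ^HAT [flags=(...)] {
#   /path/to/binary [flags=(...)] {
_PROFILE_RE = re.compile(
    r'^(?:profile\s+(?P<named>\S+)(?:\s+/\S+)?'
    r'|\^(?P<hat>\S+)'
    r'|(?P<path>/\S+))'
    r'(?:\s+flags=\([^)]*\))?\s*\{$'
)


def profile_names(policy_text):
    """Return the fully-qualified name of every profile in the policy.

    A profile (or hat) declared inside another profile is named
    PARENT//CHILD; that full string is what aa_change_profile() expects.
    """
    names = []
    stack = []    # names of the enclosing profile blocks
    opened = []   # for each open '{': did it start a profile block?
    for raw in policy_text.splitlines():
        s = raw.strip()
        if s.startswith('#include'):
            continue                     # directive, not a comment
        s = s.split('#', 1)[0].strip()   # drop trailing comments
        if not s:
            continue
        m = _PROFILE_RE.match(s)
        if m:
            stack.append(m.group('named') or m.group('hat') or m.group('path'))
            names.append('//'.join(stack))
            opened.append(True)
        elif s.endswith('{'):
            opened.append(False)         # some other block; not a profile
        elif s == '}':
            if opened and opened.pop():
                stack.pop()
    return names


def change_profile(name):
    """Call aa_change_profile(name) and return the label the kernel now
    reports for this process, or None when libapparmor is not installed.
    Raises OSError with the kernel's errno if the call fails."""
    libname = ctypes.util.find_library('apparmor')
    if libname is None:
        return None
    lib = ctypes.CDLL(libname, use_errno=True)
    lib.aa_change_profile.argtypes = [ctypes.c_char_p]
    lib.aa_change_profile.restype = ctypes.c_int
    if lib.aa_change_profile(name.encode()) != 0:
        err = ctypes.get_errno()
        raise OSError(err, 'aa_change_profile(%r): %s' % (name, os.strerror(err)))
    with open('/proc/self/attr/current') as f:
        return f.read().strip()


if __name__ == '__main__':
    names = profile_names(SAMPLE_POLICY)
    print('profiles defined:', names)
    # The child is not "testprofile"; it is "/usr/bin/R//testprofile".
    try:
        print('now confined as:', change_profile(names[-1]))
    except OSError as e:
        print('change_profile failed:', e)
```

Run it as a process already confined by /usr/bin/R (the profile must permit change_profile to the child) and the second line prints the new label; run it unconfined or without libapparmor and it only prints the names, which is enough to check what string the wrapper should be passing.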
