[apparmor] debugging aa_change_profile

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Thu Apr 26 19:25:16 UTC 2012 

If it is helpful, here is some instructions to reproduce the problem.
I am using Ubuntu 11.10.

# one time install:
sudo apt-get install r-base libapparmor-dev
wget http://www.stat.ucla.edu/~jeroen/files/rApparmor_0.1.tar.gz
sudo R CMD INSTALL rApparmor_0.1.tar.gz

# start R:
R

# enter these commands in the R console:
library(rApparmor)
aa_change_profile("testprofile")






On Thu, Apr 26, 2012 at 10:32 AM, John Johansen
<john.johansen at canonical.com> wrote:
> On 04/26/2012 09:52 AM, Jeroen Ooms wrote:
>> I wrote a wrapper to aa_change_profile for R. I got it to work to the
>> point where it returns 0 and when I call it a line appears in
>> /var/log/kern.log like this:
>>
>> Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400
>> audit(1335458735.939:91): apparmor="ALLOWED"
>> operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839
>> comm="R" target=303B9901
>>
> oh that looks like a bug :(
>
> I used aa-decode on target=303B9901
> and got back
> Decoded: 0;�
>
>> However, the permissions do not actually seem to change. I don't think
>> it has actually applied a new profile. Also I noted that regardless of
>> what profile name I pass as the argument, it always succeeds, even
>> when there is no such profile.
>>
> as seth said complain mode always succeeds, and audit/complain about things
> that would not normally be allowed
>
> I can test what profile a task is currently confined by, by looking in
> /proc/<pid>/attr/current
>
> where <pid> is the pid of the task you want to introspect
>
> If you are using apparmor 2.7/2.8 you can use the libapparmor routines
>  aa_getcon or aa_gettaskcon to do the introspection
>
> however if your profile is in enforcing it will need to list permission
> to the interface
>
> apparmor 2.8 also has the aa-exec utility that allows to use/play with
> change_profile and change_onexec from the command line
>
>> The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
>> am trying to switch to 'testprofile' and read /etc/passwd.
>>
>>
>> #include <tunables/global>
>>
>> /usr/bin/R flags=(complain) {
>>   #include <abstractions/base>
>>   #include <abstractions/nameservice>
>>
>>   capability kill,
>>   capability net_bind_service,
>>   capability setgid,
>>   capability setuid,
>>   capability sys_tty_config,
>>
>>   / rw,
>>   /** mrwlkix,
>>
>>   profile testprofile {
>>
>>     #include <abstractions/base>
>>     #include <abstractions/nameservice>
>>
>>     deny /boot/** rwx,
>>     deny /etc/passwd rwx,
>>
>>     capability kill,
>>     capability net_bind_service,
>>     capability setgid,
>>     capability setuid,
>>     capability sys_tty_config,
>>
>>     / rw,
>>     /** mrwlkix,
>>   }
>> }
>>
>

More information about the AppArmor mailing list