[apparmor] AppArmor profile: requested_mask and denied_mask = "c", "x".

Christian Boltz apparmor at cboltz.de
Fri Dec 18 20:57:34 UTC 2015


Hello,

On Friday, 18 December 2015, daniel curtis wrote:
> I would like to ask about AppArmor profiles and system log files
> such as, for example, /var/log/syslog etc. Let's say that I wrote a
> profile for an application whose 'audit' entries in the log files
> contain something like this (of course, I omitted the whole
> 'audit' line):
> 
> * requested_mask="c" denied_mask="c"
> 
> I have to say that it is a "DENIED" action for a 'mkdir' operation in
> the /home/user/.app/ directory. But that is not the point. So, what does "c"
> exactly mean? If I would like to add a rule to the AppArmor
> profile, what should I use? I mean: 'r', 'w', 'x', or maybe 'l', 'k',
> 'm'? Or maybe something completely different, like:

c means "create file/directory". For a directory, you'll need a rule like
    /the/directory/ w,

For files, a (append) permissions might be enough, but depending on how 
the application opens the file, you might need the more permissive w.

> * /usr/bin/xyz Cx -> sanitized_helper,
> 
> Generally: what do "c" and "x" exactly mean? (In AppArmor
> audit messages.) In conclusion: what rules should I use in an
> application profile if in the log files there are, for example, 'audit'
> messages like this one:
> 
> 1/ operation="mkdir", requested_mask="c", denied_mask="c"

See above.

> 2/ operation="exec", requested_mask="x", denied_mask="x"

That means executing another binary.
Depending on what gets executed, you can choose ix (inherit = use the 
same profile), Cx (use a child profile), Px (use a standalone profile) or 
Ux (unconfined = execute without AppArmor restrictions).

Hint: Avoid Px for things like /bin/bash ;-)

> So, how should correct entries in the profile look?

If in doubt, use aa-logprof - it will give you a matching proposal.
Also have a look at   man apparmor.d   which explains all rule types and 
permissions.

Finally, I can recommend my "AppArmor Crash Course". You can find 
(slightly outdated) slides at blog.cboltz.de (search for AppArmor). If 
slides aren't enough, check the DebConf15 video archives - I gave that 
talk there.


Regards,

Christian Boltz
-- 
[CVS] There is also a graphical frontend (no, not that sick Cervisia;
there was probably too much Cervessa involved while programming it)
[Gerald Goebel in fontlinge-devel]
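The mapping Christian describes above (a denied "c" on a directory becomes a "w" rule on that directory, "c" on a file may get by with "a" but often needs "w", and a denied "x" needs an exec rule whose transition mode ix/Cx/Px/Ux is a policy decision) can be checked against real audit lines with a small parser. The script below is an added example written for this page, not code from the AppArmor project and not a substitute for aa-logprof; the log lines, the profile name and the paths in it are constructed for illustration, and defaulting the exec suggestion to ix is an assumption made here so that the output is a valid profile line the reader can then adjust.

```python
import re

# Constructed sample AppArmor audit lines (made up for this example; the
# profile /usr/bin/app, the paths and the timestamps are not from the mail).
SAMPLE_LOG = """\
type=AVC msg=audit(1450472254.123:42): apparmor="DENIED" operation="mkdir" profile="/usr/bin/app" name="/home/user/.app/" pid=1234 comm="app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1450472255.456:43): apparmor="DENIED" operation="open" profile="/usr/bin/app" name="/home/user/.app/log.txt" pid=1234 comm="app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1450472256.789:44): apparmor="DENIED" operation="exec" profile="/usr/bin/app" name="/usr/bin/xyz" pid=1235 comm="app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1450472257.000:45): apparmor="ALLOWED" operation="open" profile="/usr/bin/app" name="/etc/passwd" pid=1235 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Matches every key="value" pair in an audit line.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def suggest_rule(event):
    """Translate one DENIED event into a profile rule following the advice
    in the mail. Returns None for events this example does not cover
    (only the "c" and "x" masks discussed on the page are handled)."""
    if event.get("apparmor") != "DENIED":
        return None  # ALLOWED / complain-mode events need no new rule
    name = event["name"]
    denied = event.get("denied_mask", "")
    if "x" in denied:
        # Exec: ix = inherit current profile, Cx = child profile,
        # Px = separate profile, Ux = unconfined. ix is only the default
        # chosen here; the right mode depends on what gets executed.
        return f"{name} ix,  # or Cx -> child, Px, Ux; avoid Px for shells"
    if "c" in denied:
        # "c" = create file/directory. For a directory the rule is "w"
        # on the directory itself (note the trailing slash).
        if event.get("operation") == "mkdir" or name.endswith("/"):
            return f"{name} w,"
        # For a file, "a" (append) may be enough, "w" is the safe superset.
        return f"{name} w,  # 'a' (append) may be enough"
    return None


def suggest_rules(log_text):
    """Parse a block of audit lines and return the proposed rules."""
    rules = []
    for line in log_text.splitlines():
        rule = suggest_rule(parse_audit_line(line))
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("# proposed additions for profile /usr/bin/app (review before use)")
    for rule in suggest_rules(SAMPLE_LOG):
        print("  " + rule)
```

The proposed lines are valid profile syntax (AppArmor treats a trailing `#` as a comment), so they can be pasted into the profile body once the exec mode and the "a" versus "w" choice have been decided; aa-logprof does the same job interactively and should be preferred on a real system.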