[apparmor] AppArmor profile: requested_mask and denied_mask = "c", "x".
Christian Boltz
apparmor at cboltz.de
Fri Dec 18 20:57:34 UTC 2015
Hello,
Am Freitag, 18. Dezember 2015 schrieb daniel curtis:
> I would like to ask about AppArmor profiles and system log files
> such as, for example, /var/log/syslog etc. Let's say that I wrote a
> profile for an application, whose 'audit' entries in the log files
> contain something like this (of course, I omitted the whole
> 'audit' line):
>
> * requested_mask="c" denied_mask="c"
>
> I have to say that it is a "DENIED" action for a 'mkdir' operation in
> the /home/user/.app/ directory. But that is not the point. So, what does "c"
> exactly mean? If I would like to add a rule to the AppArmor
> profile, what should I use? I mean: 'r', 'w', 'x', or maybe 'l', 'k',
> 'm'? Or maybe something completely different, like:
c means "create file/directory". For a directory, you'll need a rule like
/the/directory/ w,
For files, the a (append) permission might be enough, but depending on how
the application opens the file, you might need the more permissive w.
> * /usr/bin/xyz Cx -> sanitized_helper,
>
> Generally: what do "c" and "x" exactly mean (in AppArmor
> audit messages)? In conclusion: what rules should I use in an
> application profile if in the log files there are, for example, 'audit'
> messages like these:
>
> 1/ operation="mkdir", requested_mask="c", denied_mask="c"
See above.
> 2/ operation="exec", requested_mask="x", denied_mask="x"
That means executing another binary.
Depending on what gets executed, you can choose ix (inherit = use the
same profile), Cx (use a child profile), Px (use a standalone profile) or
Ux (unconfined = execute without AppArmor restrictions).
Hint: Avoid Px for things like /bin/bash ;-)
> So, how should correct entries in the profile look?
If in doubt, use aa-logprof - it will give you a matching proposal.
Also have a look at man apparmor.d which explains all rule types and
permissions.
Finally, I can recommend my "AppArmor Crash Course". You can find
(slightly outdated) slides at blog.cboltz.de (search for AppArmor). If
slides aren't enough, check the DebConf15 video archives - I gave that
talk there.
Regards,
Christian Boltz
--
[CVS] There is also a graphical frontend (no, not the sick
Cervisia; there was probably too much Cervessa involved while programming it)
[Gerald Goebel in fontlinge-devel]
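The mapping Christian describes above (a "c" denial on mkdir needs a w rule on the directory, a "c" denial on a file needs a or w, an "x" denial needs an exec rule whose ix/Cx/Px transition the profile author picks) can be turned into a small log-to-rule proposer. The script below is an added example, not part of the original thread and not aa-logprof or any other AppArmor tool; the audit lines in SAMPLE_LOG are constructed to look like the mkdir/exec denials the poster quotes, and the profile path /usr/bin/app and helper /usr/bin/xyz are placeholders taken from or modelled on the thread.

```python
import re

# Constructed sample audit lines (not taken from the original thread), shaped
# like the mkdir/exec/open denials the poster describes.  The profile path
# "/usr/bin/app" is a placeholder.
SAMPLE_LOG = """
type=AVC msg=audit(1450472254.123:456): apparmor="DENIED" operation="mkdir" profile="/usr/bin/app" name="/home/user/.app/" pid=1234 comm="app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1450472255.456:457): apparmor="DENIED" operation="exec" profile="/usr/bin/app" name="/usr/bin/xyz" pid=1235 comm="app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1450472256.789:458): apparmor="DENIED" operation="open" profile="/usr/bin/app" name="/home/user/.app/log.txt" pid=1236 comm="app" requested_mask="ac" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="value" pairs as they appear in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def propose_rule(event):
    """Map one parsed DENIED event to a candidate profile rule string.

    Follows the reply's guidance: 'c' (create) on a directory (name ends in
    '/') becomes 'w'; 'c' on a file becomes 'a' unless write was also
    requested, in which case 'w'; 'x' becomes an exec rule.  The exec
    transition is a policy decision, so 'ix' (inherit the current profile)
    is proposed as the most restrictive default; Cx (child profile) or Px
    (standalone profile) are the alternatives the author may prefer.
    """
    if event.get("apparmor") != "DENIED":
        return None
    name = event.get("name")
    denied = event.get("denied_mask", "")
    requested = event.get("requested_mask", "")
    if not name:
        return None
    if "x" in denied:
        return f"{name} ix,"
    if "c" in denied:
        if name.endswith("/"):
            return f"{name} w,"
        mode = "w" if "w" in requested else "a"
        return f"{name} {mode},"
    return None


def proposals_for_log(text):
    """Parse every line of an audit log excerpt and return unique rule proposals."""
    rules = []
    for line in text.strip().splitlines():
        rule = propose_rule(parse_audit_line(line))
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in proposals_for_log(SAMPLE_LOG):
        print(rule)
```

Treat the output as a starting point for review rather than rules to paste in: the exec line in particular should be changed to Cx or Px when the helper should not inherit the confinement of the caller, and aa-logprof remains the authoritative tool.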