[apparmor] AppArmor profile: requested_mask and denied_mask = "c", "x".
daniel curtis
sidetripping at gmail.com
Sat Dec 19 18:27:03 UTC 2015
Hi Christian,
So, if "c" means create file/directory, then if AppArmor audit
entries (for example from log files etc.) contain something like
this:

    operation="mkdir", requested_mask="c", denied_mask="c"

then the rule in an AppArmor application profile should look like:

    /home/user/.app/ w,

Am I right? Should that be enough? You wrote: for a file, 'a' (append)
permission might be enough, right? So, instead of 'w' (see above)
I should use 'a'? Of course, if the 'operation' is responsible for
file creation.
>> That means executing another binary.
>> Depending on what gets executed, you can choose (...)
You've asked about what gets executed. Let's say that it is, for
example:

    operation="exec", requested_mask="x", denied_mask="x"

It concerns /usr/bin/pulseaudio and /usr/lib/firefox/plugin-container.
So, which permission should be okay in this example: 'ix', 'Cx'?
Or maybe another one? Sorry for such a naive question, but... I
want to create a secure profile.

Thank you very much for the information about 'aa-logprof' and
the man page for 'apparmor.d'. (I checked it already, but I will do it one
more time.) I will definitely check the "AppArmor Crash Course"
and the slides at blog.cboltz.de etc.
Best regards.
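
An added example, not part of the original message: a small Python script that groups AppArmor DENIED audit entries by profile, operation and path, so the "c" and "x" denials discussed above can be reviewed together before any rule is written. The log lines are constructed; the profile name `example-app`, pids and timestamps are assumptions, and only the paths come from the message.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original post). The profile
# name, pids and timestamps are made up; the paths are those in the message.
SAMPLE_LOG = """\
type=AVC msg=audit(1450549600.101:201): apparmor="DENIED" operation="mkdir" profile="example-app" name="/home/user/.app/" pid=4242 comm="app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1450549601.202:202): apparmor="DENIED" operation="exec" profile="example-app" name="/usr/bin/pulseaudio" pid=4242 comm="app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1450549602.303:203): apparmor="DENIED" operation="exec" profile="example-app" name="/usr/lib/firefox/plugin-container" pid=4242 comm="app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1450549603.404:204): apparmor="ALLOWED" operation="open" profile="example-app" name="/etc/hosts" pid=4242 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1450549604.505:205): apparmor="DENIED" operation="mkdir" profile="example-app" name="/home/user/.app/" pid=4243 comm="app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# Only the two mask letters discussed in the thread are described here.
MASK_MEANING = {"c": "create file/directory", "x": "execute another binary"}

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_summary(log_text):
    """Group DENIED events by (profile, operation, name); collect mask letters."""
    summary = defaultdict(lambda: {"masks": set(), "count": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        # Skip anything that is not an AppArmor denial (e.g. ALLOWED entries).
        if fields.get("apparmor") != "DENIED" or "denied_mask" not in fields:
            continue
        key = (fields.get("profile"), fields.get("operation"), fields.get("name"))
        summary[key]["masks"].update(fields["denied_mask"])
        summary[key]["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (profile, op, name), info in sorted(denied_summary(SAMPLE_LOG).items()):
        for mask in sorted(info["masks"]):
            meaning = MASK_MEANING.get(mask, "not discussed in the thread")
            print(f"{profile}: {op} {name} denied '{mask}' ({meaning}) x{info['count']}")
```

The script only reports what was denied; which rule or exec mode to grant for each path remains a decision for the profile author.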