[apparmor] tomcat 8
Me Self
wmsopou at gmail.com
Wed Mar 30 12:23:58 UTC 2016
I'm trying to profile Tomcat 8, but the profile contains fewer rules than I
would expect.
This is what I do:
sudo aa-genprof /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
Then start tomcat, load a page, stop tomcat.
Then scan the logfile and allow everything aa-genprof found.
It generates a profile /etc/apparmor.d/usr.local.apache-tomcat-8.0.32.bin.catalina.sh with this content:
# Last Modified: Wed Mar 30 14:12:49 2016
#include <tunables/global>
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh flags=(complain) {
  #include <abstractions/base>
  /bin/dash ix,
  /bin/touch r,
  /bin/uname rix,
  /usr/bin/dirname rix,
  /usr/bin/tty r,
  /usr/local/apache-tomcat-8.0.32/bin/catalina.sh r,
  /usr/local/apache-tomcat-8.0.32/bin/setclasspath.sh r,
  /usr/local/apache-tomcat-8.0.32/bin/setenv.sh r,
  /usr/local/apache-tomcat-8.0.32/logs/catalina.out w,
  /usr/local/jdk1.8.0_74/jre/lib/amd64/jvm.cfg r,
  /usr/local/jdk1.8.0_74/jre/lib/amd64/server/libjvm.so mr,
  /usr/local/jdk1.8.0_74/lib/amd64/jli/libjli.so mr,
  ^DEFAULT flags=(complain) {
  }
}
These rules seem to be related to the script itself and not the JVM it's
spawning. I also tried running aa-complain, but it didn't add anything new to
the profile.
In the syslog I see messages such as this (the webapp is ROOT.war). What does
the /null-50 in the profile attribute mean?
[174402.483458] type=1400 audit(1459339942.803:1134393): apparmor="ALLOWED" operation="getattr" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Also aa-status shows a lot of these "null" profiles:
46 profiles are in complain mode.
<cut>
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//DEFAULT
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-40
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-41
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-42
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-43
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-45
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-46
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-47
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-48
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-49
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4a
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4b
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4c
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4d
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4e
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4f
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-51
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-52
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-53
/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-54
I set the ChangeHat valve to switch profile on ServletPath in server.xml:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <Valve
    className="com.novell.apparmor.catalina.valves.ChangeHatValve"
    mediationType="ServletPath"/>
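An added example, not from the poster or the AppArmor project, that parses audit lines like the one quoted above. It groups activity by the placeholder (//null-N) profiles and lists which binaries were exec'd from the real profile without an exec rule, which is what sends the JVM into a null profile. The sample lines are constructed from the message in the post, and the exec line is an assumed illustration of the same record format.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the message quoted in the post; not real log data.
SAMPLE_LOG = """\
[1.0] type=1400 audit(1459339942.803:1134393): apparmor="ALLOWED" operation="getattr" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
[1.1] type=1400 audit(1459339942.804:1134394): apparmor="ALLOWED" operation="open" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/apache-tomcat-8.0.32/conf/server.xml" pid=14365 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
[1.2] type=1400 audit(1459339942.805:1134395): apparmor="ALLOWED" operation="exec" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh" name="/usr/local/jdk1.8.0_74/bin/java" pid=14365 comm="catalina.sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=1001
"""

# key="quoted value" or key=bare_value, as AppArmor audit records are written
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def parse_log(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]

def null_profile_activity(events):
    """Map each placeholder (//null-N) profile to the commands and paths seen under it.

    AppArmor attaches a null-N profile to a process exec'd from a complain-mode
    profile without a matching exec rule; comm shows which binary that was."""
    seen = defaultdict(lambda: {"comm": set(), "paths": set()})
    for ev in events:
        prof = ev.get("profile", "")
        if "//null-" in prof:
            seen[prof]["comm"].add(ev.get("comm", "?"))
            seen[prof]["paths"].add(ev.get("name", "?"))
    return dict(seen)

def missing_exec_rules(events):
    """Binaries exec'd from a real (non-null) profile: each needs an ix/px/cx rule
    in that profile so the child stops landing in a placeholder profile."""
    return sorted({(ev["profile"], ev["name"]) for ev in events
                   if ev.get("operation") == "exec" and "//null-" not in ev.get("profile", "")})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for prof, info in null_profile_activity(evs).items():
        print(prof, "comm:", sorted(info["comm"]), "paths:", sorted(info["paths"]))
    for prof, binary in missing_exec_rules(evs):
        print(f"{prof}: add an exec rule for {binary}")
```

Run it against `journalctl -k` or /var/log/syslog output instead of SAMPLE_LOG to see which binaries the profile still lacks exec rules for.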