[apparmor] understanding apparmor_parser debug output
Vincas Dargis
vindrg at gmail.com
Fri Mar 31 21:48:45 UTC 2017
Hi,
I'm on Kubuntu 16.04 with AppArmor 2.10.95-0ubuntu2.6 and Linux 4.8.0-34-generic (HWE).
The usr.bin.skype profile has these lines:
deny @{HOME}/.fontconfig/ w,
deny @{HOME}/.fontconfig/*.cache-*.TMP* w,
When I run:
apparmor_parser -Q -d /etc/apparmor.d/usr.bin.skype
These lines are printed:
Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/)
Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/*.cache-*.TMP*)
I do not quite follow here. What does this wa:wa mean exactly? Looking at the Wiki [0], it kinda seems like, whether I am the owner or
not, I am allowed to write..? Though of course I expect not to be able to write due to "deny".
How do I interpret these debug outputs, and how do I audit AppArmor profiles?
Thanks.
[0] http://wiki.apparmor.net/index.php/AppArmorMonitoring - "This listing shows the permissions granted when the user
owns the resource (file, directory, pipe, etc.) and when the user does not own the resource."