[apparmor] understanding apparmor_parser debug output

Vincas Dargis vindrg at gmail.com
Fri Mar 31 21:48:45 UTC 2017


I'm on Kubuntu 16.04 with AppArmor 2.10.95-0ubuntu2.6 and Linux 4.8.0-34-generic (HWE).

The usr.bin.skype profile has these lines:

   deny @{HOME}/.fontconfig/ w,
   deny @{HOME}/.fontconfig/*.cache-*.TMP* w,

When I run:

apparmor_parser -Q -d  /etc/apparmor.d/usr.bin.skype

These lines are printed:

Mode:	wa:wa	Name:	({/home//*,/root}/.fontconfig/)
Mode:	wa:wa	Name:	({/home//*,/root}/.fontconfig/*.cache-*.TMP*)

I do not quite follow here. What does this wa:wa mean exactly? Looking at the Wiki [0], it kinda seems like whether I am the owner or
not, I am allowed to write..? Though of course I expect not to be able to write due to "deny".

How do I interpret this debug output, and how do I audit AppArmor profiles?


[0] http://wiki.apparmor.net/index.php/AppArmorMonitoring - "This listing shows the permissions granted when the user 
owns the resource (file, directory, pipe, etc.) and when the user does not own the resource."