[apparmor] Help with AppArmor Full System Policy

Abhishek Vijeev abhishekvijeev at iisc.ac.in
Fri Aug 23 11:48:30 UTC 2019 

Thanks a lot for clarifying this, Seth.

________________________________
From: Seth Arnold <seth.arnold at canonical.com>
Sent: 23 August 2019 05:48:52
To: Abhishek Vijeev <abhishekvijeev at iisc.ac.in>
Cc: apparmor at lists.ubuntu.com <apparmor at lists.ubuntu.com>; Rakesh Rajan Beck <rakeshbeck at iisc.ac.in>
Subject: Re: [apparmor] Help with AppArmor Full System Policy

On Wed, Aug 21, 2019 at 06:10:30AM +0000, Abhishek Vijeev wrote:
> profile init-systemd /lib/systemd/** flags=(complain) {
>   /usr/bin/colord/**  cx ->  colord_profile,
>   profile colord_profile flags=(complain) {
>   }
> }

> However the dmesg audit logs show the profile name for colord-sane as:
> 'init-systemd//colord_profile//null-/usr/lib/colord/colord-sane' (sample
> logs are attached for reference). We don't understand where the suffix
> 'null-/usr/lib/colord/colord-sane' originates from, since we have
> specified an explicit 'cx' transition for all files within
> /usr/bin/colord/. Due to this problem, we are unable to confine colord
> and a bunch of other processes.

Your logs start after the profile transitions involved; the profile name
here shows the chain of execs that were taken to reach this point:

init-systemd//colord_profile//null-/usr/lib/colord/colord-sane

your init-system profile executed something in /usr/bin/colord/** and then
transitioned into the colord_profile child profile

that process then executed /usr/lib/colord/colord-sane

Because the init-systemd//colord_profile profile is in complain mode,
AppArmor ALLOWED the execution and created a new //null- profile.

If you take the profile out of complain mode, you'll get a DENIED when
the process tries to execute a program that isn't in the profile. You
can decide what profile the process should use after the exec by adding
appropriate Px, Cx, ix, etc rules to the init-systemd//colord_profile
profile.

I hope this helps.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190823/5f5cfd5b/attachment.html>

More information about the AppArmor mailing list