[apparmor] Apparmor: Queries

Murali Selvaraj murali.selvaraj2003 at gmail.com
Tue Apr 13 17:48:12 UTC 2021


Thanks John/Seth for the explanation.

We have observed that a few configuration files are present in /tmp which are
needed for certain processes.
For example, a few of the files are hidden files located in /tmp/.

In that case, shall we add the below entry

/tmp/** rw,

or do we need to add file-specific entries as below

/tmp/file.txt r,
/tmp/.init_complete rw,

Which would be the best way for security concerns as well as for embedded devices?
Please advise.

Thanks
Murali.S

On Mon, Apr 5, 2021 at 1:09 AM Murali Selvaraj
<murali.selvaraj2003 at gmail.com> wrote:
>
> Hi John/Seth,
>
> Thanks John/Seth for your detailed information.
>
> Can you please clarify the below queries?
>
> Query 1:
>
> -> From aa-logprof, we are able to generate an apparmor profile for the
> required process. In order to confirm the profile (theoretically), if we
> compare the output of cat /proc/<pid>/maps | grep -i lib, will it be
> sufficient, or is there any possibility that the libraries may not be in
> the cat /proc/<pid>/maps entry?
>
> -> Like with libraries, do we have any other way to find the list of
> configuration and temporary files used by the process, identified by
> simple tools or from any /proc entries like above? This is just to
> confirm our profile.
>
> Query 2:
>
> -> For example, one of my processes is running as a "non-root" owner which
> has read/write access to /proc/<test>/<test_2>/.
> While generating the profile for this process, do I need to add this
> entry /proc/<test>/<test_2>/* rw, or, without adding this entry,
> will it be able to do read/write operations on /proc/<test>/<test_2>/?
>
> Query 3:
>
> Can you please explain the difference between the below entries in the
> apparmor profile?
>
> /tmp/lock_file rw,
> /tmp/lock_file rwc,
>
> /tmp/test.css ww,
> /tmp/test.css w
>
> /tmp/initialized rww,
> /tmp/initialized rw,
>
> /tmp/driver krw,
> /tmp/driver rw,
>
>
> Query 4:
>
> By default, while the device boots, apparmor profiles are loaded into the
> kernel and the corresponding process reads from the profile during process
> execution.
> -> As per our code, the process is killed/crashes for an unknown reason; we
> have a mechanism to restart it by itself.
> In that case, during the process restart, will it start as per the
> profile or without the profile?
>
>
> Query 5:
>
> I would like to understand the reason for the below DENIED logs; what does
> it really expect?
> Do I need to add an entry like /tmp/test c, /tmp/test rw or
> /tmp/test rwk? Please share the difference for each mentioned
> possibility.
>
> 2021 Apr 04 17:35:05 admin kernel: audit: type=1400 audit(1617557705.711:207): apparmor="DENIED" operation="mknod" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
>
> What is this log really expecting?
>
> Thanks
> Murali.S
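As an added example (not code from this thread, nor from the AppArmor project), the following Python script parses AppArmor audit lines like the DENIED event quoted above and checks which of the requested permissions each of the two candidate rule sets from the thread (a broad `/tmp/** rw,` versus per-file entries) would actually grant, printing literal rules for whatever is left uncovered. The glob-to-regex translation, the permission display order, and the modelling of a `w` rule as also satisfying a create (`c`) request are simplifications assumed for this example; the sample log lines other than the one quoted in the thread are constructed.

```python
import re

# Constructed sample log: the first line is the DENIED event quoted in the
# thread; the next two are made up for illustration (the paths are the ones
# the thread mentions). The last line is an unrelated kernel message.
SAMPLE_LOG = """\
2021 Apr 04 17:35:05 admin kernel: audit: type=1400 audit(1617557705.711:207): apparmor="DENIED" operation="mknod" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2021 Apr 04 17:35:06 admin kernel: audit: type=1400 audit(1617557706.120:208): apparmor="DENIED" operation="open" profile="example" name="/tmp/.init_complete" pid=11410 comm="application" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
2021 Apr 04 17:35:07 admin kernel: audit: type=1400 audit(1617557707.300:209): apparmor="DENIED" operation="open" profile="example" name="/tmp/file.txt" pid=11410 comm="application" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2021 Apr 04 17:35:08 admin kernel: usb 1-1: new high-speed USB device number 3
"""

# Audit fields come as key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Display order for permission letters (a simplification for this example)
PERM_ORDER = "mrwackl"


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    return {k: q if q else b for k, q, b in _FIELD.findall(line)}


def glob_to_regex(pattern):
    """Translate AppArmor path globbing into a regex: '**' spans '/', while
    '*' and '?' stop at '/'. A leading '.' gets no special treatment, so a
    rule on /tmp/* or /tmp/** also matches hidden files."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def granted_mask(rules, path):
    """Union of the permission letters that `rules` grant on `path`.
    Assumption for this example: a 'w' rule also satisfies a 'c' request."""
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).match(path):
            granted |= set(perms)
    if "w" in granted:
        granted.add("c")
    return granted


def uncovered_denials(rules, log_text):
    """DENIED events in log_text whose requested mask the rules do not fully
    grant, as a list of (path, missing_mask) pairs."""
    missing = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        need = set(ev["requested_mask"]) - granted_mask(rules, ev["name"])
        if need:
            missing.append((ev["name"], "".join(p for p in PERM_ORDER if p in need)))
    return missing


def suggest_rules(missing):
    """Turn (path, mask) pairs into literal per-file profile rules."""
    return [f"{path} {mask}," for path, mask in missing]


# The two approaches discussed in the thread
BROAD = [("/tmp/**", "rw")]
SPECIFIC = [("/tmp/file.txt", "r"), ("/tmp/.init_complete", "rw")]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("specific", SPECIFIC)):
        gaps = uncovered_denials(rules, SAMPLE_LOG)
        print(f"{label}: {len(gaps)} uncovered ->", suggest_rules(gaps))
```

Run against the sample, the broad rule leaves nothing uncovered, while the per-file set reports only the `mknod` on `/tmp/test` with its `c` request, which is the one rule the log is asking for. That asymmetry is the trade-off the question raises: `/tmp/**` also matches anything any other process drops into the shared, world-writable /tmp, including a file placed there by a different user, whereas enumerated entries confine the process to exactly the paths it was observed to need and let the audit log show precisely what is still missing.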