[apparmor] When DAC fails/invokes Apparmor Hooks with example

Murali Selvaraj murali.selvaraj2003 at gmail.com
Mon Jun 14 23:13:44 UTC 2021


Hi Casey,

I was expecting Apparmor logs for the above script when it runs in
Apparmor complain mode.
Do I need to update/modify to reach Apparmor LSM hooks?

Please share your inputs.

Thanks
Murali.S

On Tue, Jun 15, 2021 at 4:32 AM Murali Selvaraj
<murali.selvaraj2003 at gmail.com> wrote:
>
> Hi Casey,
>
> I am trying to understand that once a DAC check passes, it will invoke
> Apparmor logs.
> I loaded this script with an empty profile in complain mode to
> capture Apparmor logs.
>
> As mentioned, I could not see Apparmor logs. Do I need to change
> anything in the script to invoke Apparmor/LSM hooks to collect
> Apparmor logs?
>
> Thanks
> Murali.S
>
> On Tue, Jun 15, 2021 at 4:24 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
> >
> > On 6/14/2021 3:45 PM, Murali Selvaraj wrote:
> > > Hi All,
> > >
> > > In general, Apparmor hooks will be called after DAC check/validation.
> > > I would like to understand the theory by writing into a sample script
> > > as follows.
> > >
> > > Created an empty profile for this demo.sh in complain mode to understand what
> > > the operation has been done as part of the script.
> > >
> > > However, I could not see any apparmor logs (complaint mode logs
> > > ALLOWED) for this script profile.
> > > Can you please suggest what changes need to be done in the script in
> > > order to reach Apparmor hooks
> > > to get the Apparmor logs?
> > >
> > > Also, please advise me on how to find when DAC would be failed/DAC given
> > > details to Apparmor hooks.
> > > Please share any easy reference code or sample code for understanding.
> > >
> > > #!/bin/bash
> > > while [ 1 ] ; do
> > > echo -n "How Apparmor called after DAC"
> > > cat /proc/self/attr/current
> > > kill -11 1
> > > iptables --list
> > > ping 8.8.8.8
> > > sleep 60
> > > done
> >
> > What do you expect this script to do?
> >
> > >
> > > Thanks
> > > Murali.S
> > >
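Added example, not code from either poster: the script above already prints /proc/self/attr/current, and that label is the first thing to check when no complain-mode logs appear, because a label of "unconfined" means the profile never attached to the running script (for instance when it is started as "bash demo.sh", which confines nothing unless bash itself has a profile). The second function extracts the ALLOWED events AppArmor records for a profile. The profile name /home/user/demo.sh and the audit lines are constructed sample input.

```shell
#!/bin/bash
# Two checks for the situation in the thread (added example, not from the thread):
# (1) classify the label that "cat /proc/self/attr/current" prints, to see whether
#     the profile actually attached to the running script, and
# (2) pull the complain-mode ALLOWED events AppArmor logged for one profile.

# confinement_mode LABEL -> unconfined | complain | enforce | unknown
# LABEL is the text of /proc/self/attr/current, e.g. "/home/user/demo.sh (complain)"
confinement_mode() {
    case "$1" in
        unconfined)     echo unconfined ;;
        *"(complain)")  echo complain ;;
        *"(enforce)")   echo enforce ;;
        *)              echo unknown ;;
    esac
}

# allowed_events PROFILE < auditlog -> one "operation name" pair per ALLOWED event
# recorded for PROFILE (name is empty for events that carry no file name)
allowed_events() {
    awk -v p="$1" '
        /apparmor="ALLOWED"/ && index($0, "profile=\"" p "\"") {
            op = ""; nm = ""
            if (match($0, /operation="[^"]*"/)) op = substr($0, RSTART + 11, RLENGTH - 12)
            if (match($0, / name="[^"]*"/))     nm = substr($0, RSTART + 7, RLENGTH - 8)
            print op, nm
        }'
}

# Constructed sample log: two ALLOWED lines for demo.sh running in complain mode
# (profile name and pids are made up) plus one DENIED line from another profile
# that must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1623710000.100:1): apparmor="ALLOWED" operation="exec" profile="/home/user/demo.sh" name="/usr/bin/cat" pid=4242 comm="demo.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1623710000.200:2): apparmor="ALLOWED" operation="open" profile="/home/user/demo.sh" name="/proc/4243/attr/current" pid=4243 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1623710000.300:3): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Usage: report the label of this very shell, then list the sample events.
# On a host without AppArmor the read fails and is reported as unconfined.
confinement_mode "$(cat /proc/self/attr/current 2>/dev/null || echo unconfined)"
printf '%s\n' "$SAMPLE_LOG" | allowed_events /home/user/demo.sh
```

On a real host, feed allowed_events from "journalctl -k" or /var/log/audit/audit.log instead of SAMPLE_LOG; if the label check reports unconfined, fix the profile attachment before looking for logs at all.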