[apparmor] When DAC fails/invokes Apparmor Hooks with example
John Johansen
john.johansen at canonical.com
Mon Jun 14 23:31:45 UTC 2021
On 6/14/21 4:02 PM, Murali Selvaraj wrote:
> Hi Casey,
>
> I am trying to understand that once a DAC check passes, it will invoke
> Apparmor logs.
This isn't true for every hook, especially with the security_path_ hooks.
In general I prefer to say that both DAC and MAC will get called, as
the ordering isn't always DAC then MAC.
> I loaded this script with an empty profile in complain mode to
> capture Apparmor logs.
>
Is the profile attached to the task? Can you provide the output of
ps -Z for the script, or put into the script
cat /proc/self/attr/current
Also, how did you put the profile into complain mode and how did you load
it into the kernel?
> As mentioned, I could not see Apparmor logs. Do I need to change
> anything in the script to invoke Apparmor/LSM hooks to collect
> Apparmor logs?
>
Quite possibly. My guess is the profile is not attaching to the script
and we need to determine why.
You could also potentially try launching the script with
aa-exec -dp your_profile -- your_script
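As an added example (not part of the thread and not AppArmor's own tooling), a POSIX sh helper that reads the label John asks for from /proc/self/attr/current and reports whether the expected profile is attached and in which mode, which is the first thing to confirm before expecting any AppArmor log lines. The function names and check logic are assumptions of this example; the label formats are those the kernel prints ("unconfined", "profile (complain)", "profile (enforce)"), and your_profile is the placeholder name from the reply.

```shell
#!/bin/sh
# Parse the AppArmor task label shown by /proc/self/attr/current and ps -Z.
# Kernel label formats: "unconfined", "profile (enforce)", "profile (complain)",
# "profile//hat (mode)" for a hat.

# Print the profile part of a label ("unconfined" if the task is unconfined).
aa_profile_name() {
    case "$1" in
        unconfined*) echo "unconfined" ;;
        *" ("*")") echo "${1% (*}" ;;
        *) echo "$1" ;;
    esac
}

# Print the confinement mode: enforce, complain, unconfined, or unknown.
aa_profile_mode() {
    case "$1" in
        unconfined*) echo "unconfined" ;;
        *" ("*")") mode=${1##* (}; echo "${mode%)}" ;;
        *) echo "unknown" ;;
    esac
}

# Read this task's own label; fall back to "unconfined" when AppArmor is not
# active (no /proc/self/attr/current), so the script still runs elsewhere.
aa_current_label() {
    if [ -r /proc/self/attr/current ]; then cat /proc/self/attr/current
    else echo "unconfined"; fi
}

# aa_check EXPECTED_PROFILE LABEL: return 0 only when LABEL names the expected
# profile in complain or enforce mode; otherwise print the reason and return 1.
aa_check() {
    name=$(aa_profile_name "$2"); mode=$(aa_profile_mode "$2")
    case "$mode" in
        enforce|complain)
            [ "$name" = "$1" ] && return 0
            echo "confined by '$name' ($mode), not by '$1'" ;;
        unconfined) echo "task is unconfined: profile '$1' did not attach" ;;
        *) echo "unrecognised label '$2'" ;;
    esac
    return 1
}

# Report the confinement of this script itself (your_profile is the placeholder
# profile name used in the thread; substitute the real one).
if aa_check your_profile "$(aa_current_label)"; then echo "your_profile attached"; fi
```

If the script reports "task is unconfined", no AppArmor hook will log anything for it, which matches the symptom in the thread.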