[apparmor] loading a user version of a profile in place of the system profile
John Johansen
john.johansen at canonical.com
Sat Jan 8 23:03:55 UTC 2022
Support for user policy has not landed in apparmor yet; it is still under
development.

At this moment you are unfortunately stuck with using the current pam_apparmor
which can be used to confine a given user with custom system profiles, but is
more difficult to use than it should be.

https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor

As for user defined policy in ~/

The loading of user policy from the apparmor dir in ~/ will require a few things
to be set up in addition to the user providing profiles in the ~/ apparmor dir
(notice I didn't specify the name as its actual name is not finalized and
could be .config/apparmor.d/ or something similar).

In addition to the policy bits, a new version of pam_apparmor will be required
that will do the actual setup of the user policy namespace and loading of the
user's policy. The pam_apparmor config will also have to be set up to enable
particular users to load policy.

A new kernel will be required and will have to be configured and sysctls set to
allow users loading of policy (this is a safeguard to disable it in one place
if a vulnerability is discovered).

Before user defined policy lands, system policy that can be attached based on
the userid/name will land, making it easier for system policy to be unique
to given users. This might be sufficient for your needs.

On 1/8/22 9:51 AM, John Beattie wrote:
> Hi,
>
> Thanks for apparmor, it is very useful.
>
> I get two behaviours which encourage me to try to make a specialised profile for
> open office, first that I get ALLOWED warnings in logwatch and second, open
> office doesn't start properly. I think that the splash window doesn't finish
> properly. This isn't a blocker. If I switch to the document window, everything
> is fine.
>
> I have a slightly customised version of usr.lib.libreoffice.program.oosplash and
> usr.lib.libreoffice.program.soffice.bin which I have placed at ~/.apparmor.d/.
> They do work, if I load them with apparmor_parser. They work in the sense that
> neither of the above behaviours is seen.
>
> After a reboot, I saw that apparmor wasn't using my profiles, so I thought of
> clearing the apparmor cache, so I ran these commands
>
> # aa-teardown
> # service apparmor stop
> # rm /var/cache/apparmor.d/nnnnn/* # nnnn names the actual cache, I guess
> # service apparmor start
>
>
> However, my user profile was still not used for open office, I get the ALLOWED
> warnings in kern.log.
>
> My usecase is that I would like a specialised version of a system profile to be
> used for open office when open office is used by me.
>
> I've looked in the wiki but so far all I have found is the policy layout page
>
> https://gitlab.com/apparmor/apparmor/-/wikis/Policy_Layout
>
> and it tells me that ${APPARMOR.D} is used to refer both to the directory in ~
> and the one in /etc but without distinguishing them.
>
> Please would someone point me at the documentation which describes the loading
> sequence relevant to my usecase?
>
>
> Many thanks,
> John Beattie
>