[apparmor] systemd AppArmorProfile

Murali Selvaraj murali.selvaraj2003 at gmail.com
Wed Jan 31 03:54:07 UTC 2024


Hi All,

Systemd provides this variable *AppArmorProfile=* for the unit files

I have enabled Apparmor support in systemd and confirmed it is enabled as
per below output.

# systemctl  --version
systemd 250 (250.5+)
-PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS
-OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD
-LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4
-XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
default-hierarchy=hybrid

*test.service*
[Service]
Type=forking
WorkingDirectory=/usr/local/
*AppArmorProfile=-foo*
ExecStart=/usr/bin/test
Restart=on-failure

During boot-up, profile "foo" is NOT loaded while executing
test.service. However, I am observing the logs below:

grep -rni DENIED /var/logs/messages.txt
431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2):
apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
profile="unconfined" name="foo" pid=2970 comm="(sh)"

As per my understanding, if prefixed by "-", all errors will be ignored.
But I am still observing the above logs.
Do we need to update this line *AppArmorProfile=-foo* in the unit file?

I would like to understand the difference between *AppArmorProfile=foo*
and *AppArmorProfile=-foo*. It looks to me that both behave the same.

Please share your views.

Thanks
Murali.S

On Tue, Jan 30, 2024 at 10:05 PM Murali Selvaraj <
murali.selvaraj2003 at gmail.com> wrote:

> Hi All,
>
> Systemd provides this variable *AppArmorProfile=* for the unit files
>
> I have enabled Apparmor support in systemd and confirmed it is enabled as
> per below output.
>
> # systemctl  --version
> systemd 250 (250.5+)
> -PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS
> -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD
> -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4
> -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
> default-hierarchy=hybrid
>
> *test.service*
> [Service]
> Type=forking
> WorkingDirectory=/usr/local/
> *AppArmorProfile-=foo*
> ExecStart=/usr/bin/test
> Restart=on-failure
>
> During boot-up, profile "foo" is NOT loaded while executing
> test.service. However, I am observing the logs below:
>
> grep -rni DENIED /var/logs/messages.txt
> 431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2):
> apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
> profile="unconfined" name="foo" pid=2970 comm="(sh)"
>
> As per my understanding, if prefixed by "-", all errors will be ignored.
> But I am still observing the above logs.
> Do we need to update this line *AppArmorProfile-=foo* in the unit file?
>
> I would like to understand the difference between *AppArmorProfile=foo*
> and *AppArmorProfile-=foo*?
>
> Please share your views.
>
> Thanks
> Murali.S
>
>
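An added example, not part of the message above and not code from the systemd or AppArmor projects. The audit record quoted in the post (type=1400, operation="change_onexec", info="label not found", error=-2) is emitted by the kernel when a process asks to switch to a profile that is not loaded; the "-" prefix on AppArmorProfile= only tells systemd not to fail the unit when that switch returns an error, so the kernel still logs the attempt. The script below checks, before relying on such a unit, whether the named profile is actually loaded, and classifies the audit lines that show up when it is not. It assumes the kernel's list of loaded profiles at /sys/kernel/security/apparmor/profiles (one "name (mode)" entry per line); the unit file and audit line used in the usage section are constructed from the values in the post.

```shell
#!/bin/sh
# Added example: verify that the profile named in a unit's AppArmorProfile=
# line is loaded, and recognise the kernel audit record produced when it is not.
# Assumption: loaded profiles are listed in AA_PROFILES_FILE as "name (mode)".
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# unit_apparmor_profile UNIT_FILE
# Prints "<profile> <ignore-errors>" from the last AppArmorProfile= line.
# A leading "-" means systemd ignores a failed profile switch (ignore-errors=yes).
unit_apparmor_profile() {
    val=$(sed -n 's/^AppArmorProfile=//p' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    case $val in
        -*) printf '%s yes\n' "${val#-}" ;;
        *)  printf '%s no\n' "$val" ;;
    esac
}

# profile_loaded NAME [FILE]
# Returns 0 when NAME appears as a loaded profile, 1 when not, 2 when the
# listing is unreadable (AppArmor not mounted or no permission).
profile_loaded() {
    file=${2:-$AA_PROFILES_FILE}
    [ -r "$file" ] || return 2
    # escape regex metacharacters in the profile name for grep's BRE
    pat=$(printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g')
    grep -q "^$pat (" "$file"
}

# audit_field LINE KEY: value of KEY="..." (quoted) or KEY=... (unquoted)
audit_field() {
    v=$(printf '%s\n' "$1" | sed -n 's/.* '"$2"'="\([^"]*\)".*/\1/p')
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/.* '"$2"'=\([^ ]*\).*/\1/p')
    printf '%s\n' "$v"
}

# classify_change_onexec LINE
# Prints "missing-profile:<name>" for a DENIED change_onexec whose target
# label was not found (the symptom of AppArmorProfile= naming an unloaded
# profile), otherwise "other".
classify_change_onexec() {
    if [ "$(audit_field "$1" apparmor)" = "DENIED" ] &&
       [ "$(audit_field "$1" operation)" = "change_onexec" ] &&
       [ "$(audit_field "$1" info)" = "label not found" ]; then
        printf 'missing-profile:%s\n' "$(audit_field "$1" name)"
    else
        printf 'other\n'
    fi
}

# check_unit UNIT_FILE [PROFILES_FILE]
# Prints a one-line verdict for operators: loaded / NOT loaded, and whether
# systemd would fail the unit or silently start it unconfined.
check_unit() {
    set -- "$1" "${2:-$AA_PROFILES_FILE}" "$(unit_apparmor_profile "$1")" || return 1
    name=${3%% *}; ignore=${3##* }
    if profile_loaded "$name" "$2"; then
        printf 'profile %s loaded: unit will run confined\n' "$name"
    elif [ "$ignore" = yes ]; then
        printf 'profile %s NOT loaded: unit starts unconfined (error ignored, kernel still audits)\n' "$name"
    else
        printf 'profile %s NOT loaded: unit will fail to start\n' "$name"
    fi
}

# Usage with constructed inputs mirroring the post (run only when executed
# directly, so the functions can also be sourced):
if [ "${0##*/}" = "aa_unit_check.sh" ]; then
    unit=$(mktemp); printf '[Service]\nAppArmorProfile=-foo\nExecStart=/usr/bin/test\n' > "$unit"
    check_unit "$unit"; rm -f "$unit"
    grep -h 'operation="change_onexec"' /var/log/messages 2>/dev/null | while read -r l; do
        classify_change_onexec "$l"
    done
fi
```

Saving the script as aa_unit_check.sh and running it on a host prints the verdict for the constructed unit and classifies any change_onexec records already in /var/log/messages; the functions can also be sourced into an existing health-check. The useful distinction for a defender is the "error ignored" case: the service appears healthy, but it is running unconfined, and the only trace is the kernel audit line the post quotes.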