[apparmor] systemd AppArmorProfile
John Johansen
john.johansen at canonical.com
Wed Jan 31 06:16:44 UTC 2024
On 1/30/24 19:54, Murali Selvaraj wrote:
> Hi All,
>
> Systemd provides this variable *AppArmorProfile=* for the unit files
>
> I have enabled Apparmor support in systemd and confirmed it is enabled as per below output.
>
> # systemctl --version
> systemd 250 (250.5+)
> -PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid
>
> *test.service*
> [Service]
> Type=forking
> WorkingDirectory=/usr/local/
> *AppArmorProfile=-foo*
> ExecStart=/usr/bin/test
> Restart=on-failure
>
> During boot-up, profile "foo" is NOT loaded while executing test.service. However, I am observing the logs below:
>
> grep -rni DENIED /var/logs/messages.txt
> 431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"
>
> As per my understanding, if prefixed by "-", all errors will be ignored. But I am still observing the above logs.
> Do we need to update this line *AppArmorProfile=-foo* in the unit file?
>
> I would like to understand the difference between AppArmorProfile=foo and AppArmorProfile=-foo. It looks to me that both behave the same.
>
Quoting the systemd documentation:
The argument passed should be an absolute filename or wildcard expression, optionally prefixed with "-", which indicates that if the file does not exist, it will not be read and no error or warning message is logged.
In the case of AppArmorProfile systemd will ignore an error if it happens, and systemd won't log the error.
The above error is being logged by AppArmor in the kernel, caused by systemd trying to use change_onexec for a profile that doesn't exist. This error is returned to systemd, and systemd subsequently ignores it and doesn't fail the unit or do any logging of its own.
To stop logging of the above message you would need to confine systemd with a profile, and the profile would need to be directed to not log denials for change profile.
> Please share your views.
>
> Thanks
> Murali.S
>
> On Tue, Jan 30, 2024 at 10:05 PM Murali Selvaraj <murali.selvaraj2003 at gmail.com> wrote:
>
> Hi All,
>
> Systemd provides this variable *AppArmorProfile=* for the unit files
>
> I have enabled Apparmor support in systemd and confirmed it is enabled as per below output.
>
> # systemctl --version
> systemd 250 (250.5+)
> -PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid
>
> *test.service*
> [Service]
> Type=forking
> WorkingDirectory=/usr/local/
> *AppArmorProfile-=foo*
> ExecStart=/usr/bin/test
> Restart=on-failure
>
> During boot-up, profile "foo" is NOT loaded while executing test.service. However, I am observing the logs below:
>
> grep -rni DENIED /var/logs/messages.txt
> 431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"
>
> As per my understanding, if prefixed by "-", all errors will be ignored. But I am still observing the above logs.
> Do we need to update this line *AppArmorProfile-=foo* in the unit file?
>
> I would like to understand the difference between AppArmorProfile=foo and AppArmorProfile-=foo?
>
> Please share your views.
>
> Thanks
> Murali.S
>
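A defender-side check for the situation discussed in this thread (an added example, not code from the thread, systemd or AppArmor): it parses AppArmor type=1400 audit lines, flags DENIED change_onexec events carrying info="label not found", and reports the named profile when it is absent from a set of loaded profile names. On a real host that set would be read from /sys/kernel/security/apparmor/profiles; here it is a constructed set, and the sample lines are constructed from the log quoted above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the DENIED line from the thread plus one unrelated ALLOWED line.
SAMPLE_LOG = [
    '1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" '
    'operation="change_onexec" info="label not found" error=-2 profile="unconfined" '
    'name="foo" pid=2970 comm="(sh)"',
    '1970 Jan 01 00:00:40 localhost: audit: type=1400 audit(40.001:3): apparmor="ALLOWED" '
    'operation="open" profile="bar" name="/etc/hosts" pid=3001 comm="cat"',
]

# Matches key="quoted value" or key=bareword (e.g. error=-2, pid=2970).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_event(line: str) -> Dict[str, str]:
    """Return the key/value fields of one AppArmor audit line; {} if not an AppArmor event."""
    if "apparmor=" not in line:
        return {}
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def missing_profile(event: Dict[str, str]) -> Optional[str]:
    """Name of the target profile if this event is a change_onexec that failed
    because the kernel has no such label loaded (the case in the thread)."""
    if event.get("apparmor") != "DENIED":
        return None
    if event.get("operation") != "change_onexec":
        return None
    if event.get("info") != "label not found":
        return None
    return event.get("name")


def find_unloaded_profiles(lines: List[str], loaded: Set[str]) -> List[str]:
    """Profiles named by units (AppArmorProfile=) that were never loaded into the kernel.
    'loaded' is assumed to hold the names from /sys/kernel/security/apparmor/profiles."""
    out: List[str] = []
    for line in lines:
        name = missing_profile(parse_apparmor_event(line))
        if name and name not in loaded and name not in out:
            out.append(name)
    return out
```

A non-empty result means the "-" prefix silenced systemd but not the kernel: the fix is to load (or correctly name) the profile, not to adjust the unit file.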