<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Thanks a lot for clarifying this, Seth.</p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Seth Arnold <seth.arnold@canonical.com><br>
<b>Sent:</b> 23 August 2019 05:48:52<br>
<b>To:</b> Abhishek Vijeev <abhishekvijeev@iisc.ac.in><br>
<b>Cc:</b> apparmor@lists.ubuntu.com <apparmor@lists.ubuntu.com>; Rakesh Rajan Beck <rakeshbeck@iisc.ac.in><br>
<b>Subject:</b> Re: [apparmor] Help with AppArmor Full System Policy</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On Wed, Aug 21, 2019 at 06:10:30AM +0000, Abhishek Vijeev wrote:<br>
> profile init-systemd /lib/systemd/** flags=(complain) {<br>
> /usr/bin/colord/** cx -> colord_profile,<br>
> profile colord_profile flags=(complain) {<br>
> }<br>
> }<br>
<br>
> However the dmesg audit logs show the profile name for colord-sane as:<br>
> 'init-systemd//colord_profile//null-/usr/lib/colord/colord-sane' (sample<br>
> logs are attached for reference). We don't understand where the suffix<br>
> 'null-/usr/lib/colord/colord-sane' originates from, since we have<br>
> specified an explicit 'cx' transition for all files within<br>
> /usr/bin/colord/. Due to this problem, we are unable to confine colord<br>
> and a bunch of other processes.<br>
<br>
Your logs start after the profile transitions involved; the profile name<br>
here shows the chain of execs that were taken to reach this point:<br>
<br>
init-systemd//colord_profile//null-/usr/lib/colord/colord-sane<br>
<br>
your init-systemd profile executed something in /usr/bin/colord/** and then<br>
transitioned into the colord_profile child profile<br>
<br>
that process then executed /usr/lib/colord/colord-sane<br>
<br>
Because the init-systemd//colord_profile profile is in complain mode,<br>
AppArmor ALLOWED the execution and created a new //null- profile.<br>
<br>
If you take the profile out of complain mode, you'll get a DENIED when<br>
the process tries to execute a program that isn't in the profile. You<br>
can decide what profile the process should use after the exec by adding<br>
appropriate Px, Cx, ix, etc rules to the init-systemd//colord_profile<br>
profile.<br>
<br>
I hope this helps.<br>
<br>
Thanks<br>
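As an added example (not part of this thread or of AppArmor itself), a small Python helper that reads constructed audit lines of the kind described above, splits the profile name on <code>//</code> to recover the exec chain, and flags exec events that ended in a <code>null-</code> profile, reporting which parent profile needs an exec rule for which program. The <code>ix</code> mode in the suggested rule is an assumption; the right choice is the admin's.

```python
import re

# Constructed sample audit lines (not the logs attached to the original mail).
SAMPLE_LOG = """\
audit: type=1400 audit(1566360000.101:77): apparmor="ALLOWED" operation="exec" profile="init-systemd//colord_profile" name="/usr/lib/colord/colord-sane" pid=1432 comm="colord" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane"
audit: type=1400 audit(1566360000.102:78): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/etc/sane.d/dll.conf" pid=1432 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1566360000.103:79): apparmor="DENIED" operation="exec" profile="init-systemd" name="/usr/sbin/cupsd" pid=1500 comm="systemd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def exec_chain(profile_name):
    """Split a profile name such as a//b//null-/x into its components."""
    return profile_name.split("//")


def find_null_execs(log_text):
    """Find exec events that landed in a learning (null-) profile.

    Returns (parent_profile, executed_program) tuples: the parent is the
    profile that was in complain mode and allowed an exec it had no rule
    for; the program is what it executed.
    """
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("operation") != "exec":
            continue
        chain = exec_chain(fields.get("target", ""))
        if chain[-1].startswith("null-"):
            parent = "//".join(chain[:-1])
            program = chain[-1][len("null-"):]
            findings.append((parent, program))
    return findings


def suggest_rule(parent, program, mode="ix"):
    """Render a rule to add to the parent profile (mode is an assumption)."""
    return f"# in profile {parent}:\n  {program} {mode},"


if __name__ == "__main__":
    for parent, program in find_null_execs(SAMPLE_LOG):
        print(suggest_rule(parent, program))
```

Running it over real <code>dmesg</code> output works the same way, since the fields are matched by name rather than position.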
</div>
</span></font></div>
</body>
</html>