idiomatic way to get aa-complain and aa-genprof installed in a snappy development environment

Jamie Strandboge jamie at canonical.com
Mon Mar 23 17:19:38 UTC 2015


On 03/22/2015 04:57 AM, Jon Seymour wrote:
> Being somewhat new to the whole crafting of apparmor profiles gig, I am thinking
> I would find the tools 'aa-complain' and 'aa-genprof' to be extremely useful.
> 
> I tried downloading the .deb packages and installing them into /tmp but the
> tools don't execute properly when installed this way. I can't install them in
> the root file system because the root file system is readonly and I suspect that
> I'll destroy some important invariant if I do.
> 
> So, what is the idiomatic way to get these tools installed into a snappy
> development system to make the whole apparmor profile generation task more
> pleasant than it currently is?
> 
For _apps_, the goal of the system is that you don't need to understand/use the
low level apparmor syntax/tools and instead focus on simply choosing the right
security-template and caps to use[1]. For snappy currently, that is either the
default or the unconfined template and using the 'networking' cap currently. If
this is not working for people, please file bugs and we'll get it fixed up.

Knowledge of the low-level apparmor policy is therefore typically only needed by
framework policy authors (see the recent RFC on frameworks to this list) and as
you've found out, the apparmor-utils are not installed by default. However, even
if they were installed, the tools do not currently support systems using only
the systemd journal (i.e., systems without /var/log/syslog, like ubuntu-core
currently)[2].

Until the tools can be made readily available (e.g., as part of 'comfy') I suggest
looking at the following for profiling by hand (it isn't usually too hard; you
can also ask any questions in #apparmor on OFTC or #ubuntu-hardened/#snappy on
Freenode):
 * http://wiki.apparmor.net/index.php/Profiling_by_hand
 * man 5 apparmor.d

[1]https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Native_snap_format
[2]https://bugs.launchpad.net/apparmor/+bug/1435440

-- 
Jamie Strandboge                 http://www.ubuntu.com/
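Added example (not part of the thread above, and not a tool from the apparmor or snappy projects): profiling by hand on a journal-only system means reading the kernel audit lines yourself, so this script turns them into candidate profile rules for one profile. The profile name, paths, pids and timestamps in the sample are constructed in the format `journalctl -k` prints kernel audit messages.

```shell
#!/bin/sh
# Added example, not from the original thread: turn AppArmor audit lines from
# the systemd journal into candidate profile rules, since aa-genprof cannot read
# a journal-only system. Profile name, paths, pids and timestamps below are
# constructed samples in the format journalctl -k prints kernel audit messages.
SAMPLE_DENIALS='Mar 23 17:19:38 host kernel: audit: type=1400 audit(1427130000.100:41): apparmor="DENIED" operation="open" profile="com.example.hello_hello_1.0" name="/etc/hosts" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 23 17:19:39 host kernel: audit: type=1400 audit(1427130000.200:42): apparmor="DENIED" operation="open" profile="com.example.hello_hello_1.0" name="/etc/hosts" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 23 17:19:40 host kernel: audit: type=1400 audit(1427130000.300:43): apparmor="ALLOWED" operation="mkdir" profile="com.example.hello_hello_1.0" name="/home/user/.cache/hello/" pid=1234 comm="hello" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 23 17:19:41 host kernel: audit: type=1400 audit(1427130000.400:44): apparmor="DENIED" operation="capable" profile="com.example.hello_hello_1.0" pid=1234 comm="hello" capability=12  capname="net_admin"
Mar 23 17:19:42 host kernel: audit: type=1400 audit(1427130000.500:45): apparmor="DENIED" operation="open" profile="other_app" name="/etc/passwd" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# suggest_rules PROFILE: read audit lines on stdin, print de-duplicated rule
# candidates for PROFILE. DENIED lines come from enforce mode, ALLOWED lines
# from complain mode (flags=(complain)), which is the usual profiling flow.
suggest_rules() {
  awk -v want="$1" '
    # field(key): value of key="..." on the current line, or "" if absent.
    function field(key) {
      if (match($0, " " key "=\"[^\"]*\""))
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    /apparmor="(DENIED|ALLOWED)"/ && field("profile") == want {
      op = field("operation")
      if (op == "capable") { print "  capability " field("capname") ","; next }
      name = field("name"); mask = field("denied_mask")
      if (name == "" || mask == "") next
      gsub(/[cd]/, "w", mask)          # create/delete are "w" in profile syntax
      rule = "  " name " " mask ","
      if (mask ~ /x/) rule = rule "  # exec: pick ix/Px/Cx by hand"
      print rule
    }' | LC_ALL=C sort -u
}

# Live use on a snappy system (assumes journalctl is present; not run here):
#   journalctl -k | suggest_rules com.example.hello_hello_1.0

printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules com.example.hello_hello_1.0
```

The emitted lines are starting points to paste into the profile and then review against man 5 apparmor.d, not a finished policy.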
