[NEED TESTING] AppArmor notifications via apparmor-notify

Jamie Strandboge jamie at canonical.com
Fri Apr 2 22:26:30 BST 2010


AppArmor now has a little notify-osd program called apparmor-notify to
give visual notifications when it notices AppArmor denials. It would be
great if developers or interested users could install the
apparmor-notify package from universe on their desktops and report any
denials by following the wiki[1]. By default, apparmor-notify will
display notifications on your desktop if you are in the 'admin' group
and can read the /var/log/kern.log file (auditd users need to
update /etc/X11/Xsession.d/90apparmor-notify and add an appropriate
entry to /etc/sudoers). With a little effort, you should be able to use
apparmor-notify on console login or byobu. For more information, see
'man 8 aa-notify'.

For extra points, if you are a firefox user, you can also enable the
firefox AppArmor profile by performing:
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

then restart firefox and use it normally. To disable the firefox profile
again, simply:
$ sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/usr.bin.firefox
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox

We have quite a few profiles in the default install and popular
packages. Since Lucid is mostly stabilized by this point, now is a great
time to make sure that the profiles are in order.

Thanks for your help on this! :)

[1] https://wiki.ubuntu.com/DebuggingApparmor
[2] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

Jamie Strandboge             | http://www.canonical.com
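
Added example, not part of the original message and not code from apparmor-notify: a small Python script that pulls AppArmor denials out of kern.log-style text and groups repeats, which helps when writing up the denial reports requested above. The log lines are constructed, the function names are hypothetical, and the script assumes the kernel logs denials in the `apparmor="DENIED"` key=value form with hex-encoded names for paths containing spaces.

```python
import re
from collections import Counter

# Constructed sample: timestamps, pids, paths and the profile name are invented.
# A name containing a space is logged hex-encoded and unquoted (third line).
HEX_NAME = "/home/user/My Docs/a.txt".encode().hex().upper()
SAMPLE_LOG = f'''\
Apr  2 22:10:01 host kernel: [ 1201.1] type=1400 audit(1270242601.114:31): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/.example/prefs.js" pid=2211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr  2 22:10:04 host kernel: [ 1204.3] type=1400 audit(1270242604.310:32): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/.example/prefs.js" pid=2211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr  2 22:10:07 host kernel: [ 1207.9] type=1400 audit(1270242607.902:33): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name={HEX_NAME} pid=2211 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr  2 22:10:08 host kernel: [ 1208.2] type=1400 audit(1270242608.200:34): apparmor="ALLOWED" operation="exec" profile="/usr/bin/firefox" name="/usr/bin/lpr" pid=2230 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr  2 22:10:09 host kernel: [ 1209.0] usb 1-1: new high speed USB device using ehci_hcd
'''

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_events(text):
    """Return one dict of fields per log line that carries an apparmor= field."""
    events = []
    for line in text.splitlines():
        if "apparmor=" not in line:
            continue                      # unrelated kernel message
        event = {}
        for key, quoted, bare in PAIR.findall(line):
            if bare and key == "name" and HEX.fullmatch(bare):
                # Unquoted hex name: decode it back to the real path.
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            event[key] = quoted or bare
        events.append(event)
    return events

def denials(text):
    """Keep only enforced denials; ALLOWED entries come from complain mode."""
    return [e for e in parse_events(text) if e.get("apparmor") == "DENIED"]

def summarize(text):
    """Count denials per (profile, operation, denied_mask, name)."""
    return Counter((e.get("profile"), e.get("operation"),
                    e.get("denied_mask"), e.get("name")) for e in denials(text))

if __name__ == "__main__":
    for (profile, op, mask, name), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op} ({mask})  {name}")
```

To run it against a real log, pass the contents of /var/log/kern.log to `summarize()` in place of `SAMPLE_LOG`.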