[apparmor] debugging aa_change_profile
Seth Arnold
seth.arnold at gmail.com
Thu Apr 26 18:27:57 UTC 2012
Something was nagging me and I just figured out what I overlooked -- your "testprofile" here is actually named "/usr/bin/R//testprofile". Make sure you're using the right name to the aa_change_profile() call.
-----Original Message-----
From: Jeroen Ooms <jeroen.ooms at stat.ucla.edu>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 26 Apr 2012 09:52:32
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] debugging aa_change_profile
I wrote a wrapper to aa_change_profile for R. I got it to work to the
point where it returns 0 and when I call it a line appears in
/var/log/kern.log like this:
Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901
However, the permissions do not actually seem to change. I don't think
it has actually applied a new profile. Also I noted that regardless of
what profile name I pass as the argument, it always succeeds, even
when there is no such profile.
The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
am trying to switch to 'testprofile' and read /etc/passwd.
#include <tunables/global>
/usr/bin/R flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,
  / rw,
  /** mrwlkix,
  # nested child profile; its full name is /usr/bin/R//testprofile
  profile testprofile {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    deny /boot/** rwx,
    deny /etc/passwd rwx,
    capability kill,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_tty_config,
    / rw,
    /** mrwlkix,
  }
}
--
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
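The naming point from the reply and the complain-mode audit line from the original message, checked concretely. This is an added example, not code from either poster: it assumes libapparmor (libapparmor.so.1) is installed, that the caller already runs confined under /usr/bin/R when verify_transition() is used, and that /etc/passwd is the probe file; the function names are my own.

```python
# Added example (not code from either poster): check that aa_change_profile() really
# lands in the nested child profile. Assumes libapparmor is installed; see lead-in.
import ctypes
import ctypes.util
import os
import re

# Kernel audit record from the thread, re-joined onto one line (sample input).
SAMPLE_AUDIT = ('type=1400 audit(1335458735.939:91): apparmor="ALLOWED" '
                'operation="change_profile" parent=25782 profile="/usr/bin/R" '
                'pid=25839 comm="R" target=303B9901')

def child_profile_name(parent, child):
    """A profile nested inside another is named parent//child, so the
    'profile testprofile' block above is "/usr/bin/R//testprofile"."""
    return child if "//" in child else f"{parent}//{child}"

def parse_audit(line):
    """Split an AppArmor audit record into its key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def would_be_denied(line):
    """apparmor="ALLOWED" appears only under complain mode: the call went through
    but policy did not permit it (enforcing would need a change_profile rule)."""
    return parse_audit(line).get("apparmor") == "ALLOWED"

def change_profile(name):
    """Call libapparmor's aa_change_profile(); raises OSError with errno on failure."""
    lib = ctypes.CDLL(ctypes.util.find_library("apparmor") or "libapparmor.so.1",
                      use_errno=True)
    lib.aa_change_profile.argtypes = [ctypes.c_char_p]
    lib.aa_change_profile.restype = ctypes.c_int
    if lib.aa_change_profile(name.encode()) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), name)

def verify_transition(parent, child, probe="/etc/passwd"):
    """Switch to the child profile (one-way for this process), then report the
    label the kernel shows and whether the probe file is still readable."""
    target = child_profile_name(parent, child)
    change_profile(target)
    with open("/proc/self/attr/current") as f:
        label = f.read().strip()  # e.g. "/usr/bin/R//testprofile (complain)"
    try:
        with open(probe, "rb") as f:
            f.read(1)
        readable = True
    except PermissionError:
        readable = False
    return {"target": target, "label": label,
            "landed": label.startswith(target), "probe_readable": readable}
```

With the parent profile still in complain mode, verify_transition() will report the child label but probe_readable stays True; switch the profile to enforce to see the deny rule take effect.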