[apparmor] Apparmor: Queries
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Sun Apr 4 19:39:02 UTC 2021
Hi John/Seth,
Thanks, John/Seth, for your detailed information.
Can you please clarify the queries below?
Query 1:
-> From aa-logprof, we are able to generate an AppArmor profile
for the required process. In order to confirm the profile
(theoretically), if we compare the output of
cat /proc/<pid>/maps | grep -i lib, will that be sufficient, or is
there any possibility that the libraries may not appear in
cat /proc/<pid>/maps?
-> Like the libraries, do we have any other way to find the list of
configuration and temporary files used by a process, using simple
tools or /proc entries like the above? This is just to confirm our
profile.
Query 2:
-> For example, one of my processes is running as a "non-root" owner
which has read/write access to /proc/<test>/<test_2>/.
While generating a profile for this process, do I need to add the
entry /proc/<test>/<test_2>/* rw, or, without adding this entry,
will it be able to do read/write operations on /proc/<test>/<test_2>/?
Query 3:
Can you please explain the difference between the entries below in
the AppArmor profile?
/tmp/lock_file rw,
/tmp/lock_file rwc,
/tmp/test.css ww,
/tmp/test.css w
/tmp/initialized rww,
/tmp/initialized rw,
/tmp/driver krw,
/tmp/driver rw,
Query 4:
By default, when the device boots, the AppArmor profiles are loaded
into the kernel and the corresponding process reads from its profile
during process execution.
-> As per our code, if the process is killed/crashes for an unknown
reason, we have a mechanism to restart it by itself.
In that case, during the process restart, will it start as per the
profile or without the profile?
Query 5:
I would like to understand the reason for the DENIED log below; what
does it really expect?
Do I need to add an entry like /tmp/test c, /tmp/test rw or
/tmp/test rwk? Please share the difference for each of the mentioned
possibilities.
2021 Apr 04 17:35:05 admin kernel: audit: type=1400 audit(1617557705.711:207): apparmor="DENIED" operation="mknod" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
What is this log really expecting?
Thanks
Murali.S
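The following is an added example written for this thread; it is not code from the AppArmor project or from anyone on the list. It covers two of the questions above. For Query 1 it lists the files a running process has mapped (/proc/<pid>/maps) and currently open (/proc/<pid>/fd), with the caveat that a file the process opened and already closed, such as a configuration file read once at startup or a short-lived temporary file, appears in neither place, so /proc alone cannot confirm a profile; the kernel's audit log (or aa-logprof over it) is what catches those. For Query 5 it parses type=1400 DENIED lines and proposes a file rule per path. The kernel reports creation as its own mask letter (c), but the profile language grants creation through the write permission, so a mknod denial with denied_mask="c" is answered by a "w" rule; k is the lock permission, needed for flock()/fcntl() locks and unrelated to plain read/write. The sample maps text and audit lines are constructed for the example (the first audit line mirrors the one quoted in the mail); files_of_pid() is the only part that touches a live system and needs Linux /proc.

```python
"""Added example for the AppArmor profile-writing questions in this thread.
Illustrative code, not the AppArmor project's tooling."""
import os
import re
from pathlib import Path

# /proc/<pid>/maps line: "start-end perms offset dev inode   pathname" (pathname optional).
_MAPS_RE = re.compile(r'^\S+ \S+ \S+ \S+ \d+\s+(/\S.*)$')


def files_from_maps(maps_text):
    """Sorted file paths backing memory mappings. Anonymous mappings, [heap],
    [stack] and [vdso] carry no path and are skipped; ' (deleted)' is stripped."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if m:
            paths.add(m.group(1).split(' (deleted)')[0])
    return sorted(paths)


def files_of_pid(pid):
    """Live check (Linux only): mapped files plus currently open descriptors.
    Files already closed by the process are not visible here at all."""
    proc = Path('/proc') / str(pid)
    found = set(files_from_maps((proc / 'maps').read_text()))
    for fd in (proc / 'fd').iterdir():
        try:
            target = os.readlink(fd)
        except OSError:
            continue  # descriptor closed between listing and readlink
        if target.startswith('/'):  # skip socket:[...], pipe:[...], anon_inode:...
            found.add(target.split(' (deleted)')[0])
    return sorted(found)


# key="value" and key=value tokens of a type=1400 audit line.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Kernel log mask letter -> profile permission letter. The kernel logs create (c)
# and delete (d) separately; the profile language grants both via w.
_LOG_TO_PROFILE = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                   'k': 'k', 'l': 'l', 'm': 'm'}
_PERM_ORDER = 'rwalkm'  # canonical order for emitted rules


def parse_audit_line(line):
    """Return the key/value fields of one audit line as a dict of strings."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def profile_perms(mask):
    """Translate a log mask such as 'c' or 'wc' into profile letters ({'w'})."""
    return {_LOG_TO_PROFILE[ch] for ch in mask if ch in _LOG_TO_PROFILE}


def suggest_rule(event, prefer_owner=False):
    """Candidate file rule for one DENIED file event, or None if not applicable.
    Exec denials (x in the mask) are left to a human: ix/Px/Ux is a design choice.
    With prefer_owner, an 'owner' prefix is added when fsuid matches ouid."""
    mask = event.get('denied_mask') or event.get('requested_mask', '')
    if event.get('apparmor') != 'DENIED' or 'name' not in event or 'x' in mask:
        return None
    perms = ''.join(p for p in _PERM_ORDER if p in profile_perms(mask))
    if not perms:
        return None
    owner = 'owner ' if prefer_owner and event.get('fsuid') == event.get('ouid') else ''
    return f"{owner}{event['name']} {perms},"


def rules_for_log(log_text, profile):
    """Merge every DENIED file event for one profile into a single rule per path."""
    merged = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        mask = ev.get('denied_mask') or ev.get('requested_mask', '')
        if ev.get('profile') != profile or ev.get('apparmor') != 'DENIED' \
                or 'name' not in ev or 'x' in mask:
            continue
        merged.setdefault(ev['name'], set()).update(profile_perms(mask))
    return [f"{path} {''.join(p for p in _PERM_ORDER if p in perms)},"
            for path, perms in sorted(merged.items()) if perms]


# Constructed sample input. The first audit line mirrors the one quoted in the mail.
SAMPLE_MAPS = """\
55d2c3a00000-55d2c3a01000 r--p 00000000 08:01 1311   /usr/bin/application
7f1a2c000000-7f1a2c1c8000 r-xp 00000000 08:01 2620   /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c1c8000-7f1a2c1ca000 rw-p 00000000 00:00 0
7f1a2c300000-7f1a2c310000 r--p 00000000 08:01 2700   /usr/lib/x86_64-linux-gnu/libz.so.1.2.11 (deleted)
7ffd4f2e0000-7ffd4f301000 rw-p 00000000 00:00 0      [stack]
"""
SAMPLE_LOG = """\
2021 Apr 04 17:35:05 admin kernel: audit: type=1400 audit(1617557705.711:207): apparmor="DENIED" operation="mknod" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2021 Apr 04 17:35:06 admin kernel: audit: type=1400 audit(1617557706.100:208): apparmor="DENIED" operation="open" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
2021 Apr 04 17:35:06 admin kernel: audit: type=1400 audit(1617557706.200:209): apparmor="DENIED" operation="file_lock" profile="example" name="/tmp/driver" pid=11410 comm="application" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2021 Apr 04 17:35:07 admin kernel: audit: type=1400 audit(1617557707.300:210): apparmor="DENIED" operation="open" profile="other" name="/etc/foo.conf" pid=11422 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

if __name__ == '__main__':
    print(files_from_maps(SAMPLE_MAPS))
    for rule in rules_for_log(SAMPLE_LOG, 'example'):
        print(rule)
```

Running it against a live process is `files_of_pid(<pid>)`; compare that list with the profile, then run the workload under complain mode and feed the resulting audit lines to rules_for_log() to catch the files /proc never showed. The rules it emits are candidates to review, not to paste blindly: collapse paths into globs where appropriate and decide exec modes by hand.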