[apparmor] Apparmor : Common Query

Murali Selvaraj murali.selvaraj2003 at gmail.com
Fri Sep 23 03:57:59 UTC 2022


Thanks Seth

On Thu, Sep 22, 2022, 8:21 PM Seth Arnold <seth.arnold at canonical.com> wrote:

> On Thu, Sep 22, 2022 at 07:16:32PM -0400, Murali Selvaraj wrote:
> > -> How do we approach preparing an Apparmor profile for a shell script as
> > the first time I am doing this.
> > -> As our embedded device like legacy and many scripts internally invokes
> > few other scripts based on the different scenarios.
> > -> In such cases, do we have any suggestion to generate an Apparmor profile
> > for shell script or any example in our earlier forum queries (If possible,
> > please share here as I could not find it).
>
> What will execute your shell script? Is it already confined? How you start
> to write the profile depends upon how the script is executed.
>
> The easiest is to use complain mode and the interactive tools to get most
> of the way there. This can work great if the script is launched via a
> systemd service, or by a daemon that accepts on-demand commands to run
> it, etc. If it's run via sysv-init or other unusual process supervisor
> system it might be a challenge to get the execution environment close
> to production use.
>
> If it's run by a systemd service, something like the following might work:
>
> in one terminal:
> sudo aa-genprof /path/to/shell/script.sh
>
> in another terminal:
> sudo systemctl start servicename
> sudo systemctl stop servicename
>
> return to the first terminal and answer the questions.
>
> Then repeat the start process, interact with whatever service it provides
> a little bit, then stop it again, and then answer more genprof questions.
>
> Hopefully you can iterate to something that's pretty close to final
> quality this way.
>
> If your script isn't started via a 'clean' process supervisor like
> systemd, you may need to write a complain mode profile by hand, reboot,
> use aa-logprof to get questions / answers; and repeat via repeated
> reboots.
>
> I hope this helps.
>
> Thanks
>
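The hand-written complain-mode starting point Seth describes, as an added example (not Seth's text and not a profile shipped by the AppArmor project): a profile for a script that itself invokes helper scripts, which is the situation the original question raises. All paths (`/usr/local/bin/backup.sh`, `/usr/local/bin/rotate-logs.sh`, `/var/backups/`, `/var/log/backup.log`) and the child profile name `rotate_logs` are constructed for the illustration.

```apparmor
# Hypothetical file: /etc/apparmor.d/usr.local.bin.backup.sh
# Constructed example profile; paths and names are placeholders.
#include <tunables/global>

# The profile attaches to the script path. flags=(complain) means denials are
# only logged (as "ALLOWED" audit records), not blocked, so the script keeps
# working while aa-logprof turns the log into rules.
/usr/local/bin/backup.sh flags=(complain) {
  #include <abstractions/base>

  # The interpreter on the shebang line must be executable under this profile.
  # ix = run it and stay confined by this same profile.
  /bin/bash ix,
  /bin/dash ix,

  # The script must be readable by the interpreter.
  /usr/local/bin/backup.sh r,

  # Ordinary utilities the script calls (tar, gzip, date, ...): inherit this profile.
  /bin/** rix,
  /usr/bin/** rix,

  # A helper script invoked by the main script, run under a child profile (Cx)
  # defined below, so its accesses are tracked and tuned separately from the parent.
  /usr/local/bin/rotate-logs.sh rCx -> rotate_logs,

  # Data the main script reads and writes.
  /var/backups/ r,
  /var/backups/** rw,
  /var/log/backup.log w,

  # Child profile for the helper. It is also in complain mode so both can be
  # refined together from the same audit log.
  profile rotate_logs flags=(complain) {
    #include <abstractions/base>

    /bin/bash ix,
    /usr/local/bin/rotate-logs.sh r,
    /bin/** rix,
    /usr/bin/** rix,

    /var/log/ r,
    /var/log/** rw,
  }
}
```

The choice of execute mode is the main decision when scripts call scripts: `ix` keeps the child inside the parent's profile (simplest, but every helper's permissions accumulate in one rule set), `Cx` gives the helper its own child profile in the same file, and `Px` would require a separate profile attached to the helper's own path. After loading the file with `apparmor_parser -r`, exercise the script the way the device actually runs it, then let `aa-logprof` propose rules from the logged `ALLOWED` entries; once the log stays quiet across the scenarios the script handles, switch the profile to enforce mode with `aa-enforce`.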

