[apparmor] consult about profile complain
John Johansen
john.johansen at canonical.com
Wed Nov 15 18:40:36 UTC 2023
On 11/15/23 06:24, David Pilnik wrote:
> Hi,
>
> I’m doing some research to see if apparmor matches some use cases of some processes.
> And after running with complain mode, I see in aa-status the prints below which contain “/null-/”, is this some kind of error?
It is not, though currently it is not as flexible as we would like it to be.
> I didn’t manage to find any documentation about it, can you help?
>
Surprisingly, for something that has been around for as long as I can remember
(aka it predates me), there is minimal documentation, so I have started
https://gitlab.com/apparmor/apparmor/-/wikis/Complain-Mode
It is very much a WIP; feel free to ask for clarifications, it will help guide
where the document needs improvement.
In addition, there are some existing links that at least make a mention of it
in passing.
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorProfileSpec#special-prefixes
https://gitlab.com/apparmor/apparmor/-/wikis/Kernel_Feature_Matrix
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.4
https://gitlab.com/apparmor/apparmor/-/wikis/manpage_aa-remove-unknown.8
https://gitlab.com/apparmor/apparmor/-/wikis/manpage_aa-logprof.8
> aa-status example:
>
> 22 profiles are in complain mode.
>
> /usr/bin/<my process> //null-/usr/bin/basename
>
> /usr/bin//<my process> //null-/usr/bin/dash
>
> /usr/bin//<my process> //null-/usr/bin/dash//null-/usr/bin/sed
>
> /usr/bin//<my process> //null-/usr/bin/mv
>
> Thanks
>
> David
>