Thread: AppArmor not working as expected

  1. #1

    AppArmor not working as expected

    I am a Linux newbie; however, I was experimenting today with creating profiles for some applications. I have watched some YouTube videos on how to work it, and I have stumbled upon a few things that didn't work as expected.

    1- First problem I faced is that "aa-genprof" wasn't working as advertized.

    I have tried to create a profile for KTorrent as follows:

    Code:
    sudo aa-genprof ktorrent

    Then I ran KTorrent, to populate the logs. Then I started using the "Scan" functionality. It didn't catch any events/logs, even though manually reading the logs at "/var/logs/audit/audit.log" was populating events.

    So, what I had to do is "Finish", then manually using:

    Code:
    sudo aa-complain ktorrent
    sudo aa-logprof -f /var/logs/audit/audit.log

    Which worked as expected.

    Could someone help me find out why my (default) installation of AppArmor is not running as expected?

    2- Second problem I faced is using the Firefox profile found in "/usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox".

    First of all, the Firefox binary is located at "/usr/lib64/firefox/firefox" NOT "/usr/lib/firefox/firefox". So, I had to manually fix the profile as follows:

    Code:
    su -c "cat /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox | sed 's#/usr/lib/#/usr/lib{,64}/#' > /etc/apparmor.d/usr.lib64.firefox.firefox"

    Which effectively modifies the file such that it accepts both "lib" and "lib64" in the directory path. However, when running "sudo aa-complain /usr/lib64/firefox/firefox", I get the following error message:

    Setting /usr/lib64/firefox/firefox to complain mode.

    ERROR: /etc/apparmor.d/usr.lib64.firefox.firefox contains no profile

    Even though "cat /etc/apparmor.d/usr.lib64.firefox.firefox" shows expected file contents. [link]

    What gives?
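
    Added example (not part of the original post): a way to inspect what the rewritten file actually declares, run on a constructed profile snippet rather than the real Firefox profile. The function names and the sample rules are made up for this sketch.

```shell
#!/bin/sh
# Constructed profile text for illustration; not the real extra-profiles file.
sample_profile() {
cat <<'EOF'
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  /usr/lib/firefox/** mr,
  link /usr/lib/firefox/a.so -> /usr/lib/firefox/b.so,
}
EOF
}

# Same substitution as in the post: no "g" flag, so only the first
# /usr/lib/ on each line is rewritten.
rewrite_lib_paths() {
  sed 's#/usr/lib/#/usr/lib{,64}/#'
}

# Profile declarations: unindented, non-comment lines ending in "{".
profile_headers() {
  grep -E '^[^[:space:]#].*\{[[:space:]]*$' |
    sed -E 's/[[:space:]]*\{[[:space:]]*$//'
}

# Number of lines that still carry a literal /usr/lib/ after the rewrite.
leftover_lib_lines() {
  grep -c '/usr/lib/' || true
}

# File name convention from the thread: executable path, slashes to dots.
profile_filename() {
  printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

sample_profile | rewrite_lib_paths | profile_headers
sample_profile | rewrite_lib_paths | leftover_lib_lines
profile_filename /usr/lib64/firefox/firefox
```

    After the rewrite, the name the file declares is the pattern `/usr/lib{,64}/firefox/firefox`, not the literal binary path, and any line with two `/usr/lib/` paths keeps the second one unchanged.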

  2. #2
    Join Date: Jun 2008 | Location: San Diego, Ca, USA | Posts: 11,499 | Blog Entries: 2

    Re: AppArmor not working as expected

    Originally Posted by zaidgs:

    2- Second problem I faced is using the Firefox profile found in "/usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox".

    First of all, the Firefox binary is located at "/usr/lib64/firefox/firefox" NOT "/usr/lib/firefox/firefox". So, I had to manually fix the profile as follows:

    Code:
    su -c "cat /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox | sed 's#/usr/lib/#/usr/lib{,64}/#' > /etc/apparmor.d/usr.lib64.firefox.firefox"

    Which effectively modifies the file such that it accepts both "lib" and "lib64" in the directory path. However, when running "sudo aa-complain /usr/lib64/firefox/firefox", I get the following error message:



    Even though "cat /etc/apparmor.d/usr.lib64.firefox.firefox" shows expected file contents. [link]

    What gives?
    Looks like a typo, if it's not your posting then it's probably the cause of your error

    Note the period instead of slash for "/usr."
    /etc/apparmor.d/usr.lib64.firefox.firefox
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Re: AppArmor not working as expected

    Originally Posted by tsu2:
    Looks like a typo, if it's not your posting then it's probably the cause of your error

    Note the period instead of slash for "/usr."


    TSU
    No, it is not a typo. This is a file named "usr.lib64.firefox.firefox" under "/etc/apparmor.d".

    It is a convention to name the file based on the path of the executable that the profile is for, and replacing slashes with dots.

  4. #4

    Re: AppArmor not working as expected

    Right.

    For someone to follow in your exact steps and to reproduce what you see, you need to post exactly the commands you use, not a description like "scan".

    Been a while since I've tried to create a custom AppArmor rule, but your overall description and approach look right, IIRC.

    TSU

  5. #5

    Re: AppArmor not working as expected

    Originally Posted by tsu2:
    For someone to follow in your exact steps and to reproduce what you see, you need to post exactly the commands you use, not a description like "scan".
    Actually, the original post lists the complete commands. The "scan" functionality is an option presented in the interactive UI of the aa-genprof command.

    The way aa-genprof is supposed to work is that you run a command like "sudo aa-genprof ktorrent", then open a new ktorrent process that will be monitored by AppArmor and generate access violation logs. After running ktorrent for a while, you go back to the aa-genprof screen and press "S", which activates the scanning of the logs, and it then starts suggesting rules based on those logs.

  6. #6

    Re: AppArmor not working as expected

    On my machine, aa-genprof does not do anything when asked to scan the logs. I have to use another tool called aa-logprof. Both tools are supposed to be able to generate rules from logs. aa-genprof should generate these rules as part of the initial setup, and aa-logprof is supposed to be used after the initial profile has been created.
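
    Added example (not from any poster in this thread): a check, independent of the aa-genprof UI, that an audit log really contains AppArmor ALLOWED/DENIED events for a given profile. The log lines are constructed, and the profile name /usr/bin/ktorrent is an assumption.

```shell
#!/bin/sh
# Constructed audit.log records in the AppArmor AVC format (not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1500000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/ktorrent" name="/etc/ld.so.cache" pid=4242 comm="ktorrent" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1500000000.102:202): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/ktorrent" name="/home/user/.cache/kt.tmp" pid=4242 comm="ktorrent" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1500000000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1500000000.104:204): arch=c000003e syscall=2 success=yes exit=3 pid=4242 comm="ktorrent"
type=AVC msg=audit(1500000000.105:205): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/ktorrent" pid=5000 comm="apparmor_parser"
EOF
}

# Read audit records on stdin and print "profile verdict count" per pair.
# STATUS records and non-AppArmor records are skipped.
summarize_events() {
  awk '
    match($0, /apparmor="(ALLOWED|DENIED)"/) {
      verdict = substr($0, RSTART + 10, RLENGTH - 11)
      if (match($0, / profile="[^"]*"/)) {
        profile = substr($0, RSTART + 10, RLENGTH - 11)
        count[profile " " verdict]++
      }
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Total ALLOWED + DENIED events for one profile name; prints 0 if none.
events_for_profile() {
  summarize_events | awk -v p="$1" '$1 == p { n += $3 } END { print n + 0 }'
}

# Stand-alone run on the constructed sample; pipe a real audit log in instead.
sample_audit_log | summarize_events
```

    A count of 0 for the profile means the log holds nothing a scan could turn into rules; a non-zero count means the events are there and the problem lies in how the tool reads them.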
