AppArmor not working as expected

I am a Linux newbie; however, I was experimenting today with creating profiles for some applications. I have watched some YouTube videos on how to work it, and I have stumbled upon a few things that didn’t work as expected.

1- First problem I faced is that “aa-genprof” wasn’t working as advertised.

I have tried to create a profile for KTorrent as follows:

sudo aa-genprof ktorrent

Then I ran KTorrent to populate the logs. Then I started using the “Scan” functionality. It didn’t catch any events/logs, even though manually reading the log at “/var/logs/audit/audit.log” showed that events were being populated.

So, what I had to do was “Finish”, then manually run:

sudo aa-complain ktorrent
sudo aa-logprof -f /var/logs/audit/audit.log

Which worked as expected.

Could someone help me find out why my (default) installation of AppArmor is not running as expected?

2- Second problem I faced is using the Firefox profile found in “/usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox”.

First of all, the Firefox binary is located at “/usr/lib64/firefox/firefox” NOT “/usr/lib/firefox/firefox”. So, I had to manually fix the profile as follows:

su -c "cat /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox | sed 's#/usr/lib/#/usr/lib{,64}/#' > /etc/apparmor.d/usr.lib64.firefox.firefox"

Which effectively modifies the file such that it accepts both “lib” and “lib64” in the directory path. However, when running “sudo aa-complain /usr/lib64/firefox/firefox”, I get the following error message:

Setting /usr/lib64/firefox/firefox to complain mode.

ERROR: /etc/apparmor.d/usr.lib64.firefox.firefox contains no profile

Even though “cat /etc/apparmor.d/usr.lib64.firefox.firefox” shows the expected file contents.

What gives?
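As an added illustration that is not part of the thread or of the AppArmor project: the sed one-liner above, run here against a constructed stand-in for the shipped Firefox profile, also rewrites the profile header line, so the profile in the resulting file is named /usr/lib{,64}/firefox/firefox rather than /usr/lib64/firefox/firefox. aa-complain, given a program path, looks in that file for a profile of that exact name, so this is one thing to check when a file that plainly has content is reported as containing no profile. The second function keeps the header equal to the real binary path and applies the alternation only to the body rules. The sample profile, and the assumption that a path-named header (not a “profile name” keyword form) is used, are this example's only inputs.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AppArmor project.
# It reproduces the sed rewrite from the post on a constructed stand-in for
# /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox and shows what
# happens to the profile header line, which is the name of the profile.
set -e

# Constructed sample; the real shipped profile is longer. Profile name = header path.
SAMPLE_PROFILE='#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>

  /usr/lib/firefox/** r,
  /usr/lib/firefox/firefox mr,
}'

# The rewrite from the post: every /usr/lib/ becomes /usr/lib{,64}/, header included.
rewrite_all() {
  sed 's#/usr/lib/#/usr/lib{,64}/#'
}

# Alternative: set the header to the real binary path ($1 -> $2) and use the
# {,64} alternation only in the body rules, so the profile name stays equal to
# the path you will later hand to aa-complain / aa-enforce.
rewrite_keep_header() {   # $1 = path in the shipped profile, $2 = real binary path
  sed -e "s#^$1 {\$#$2 {#" -e '/ {$/!s#/usr/lib/#/usr/lib{,64}/#'
}

# Print the name from the first "<path> {" header line (path-named profiles only).
profile_name() {
  sed -n 's#^\(/[^ ]*\) *{$#\1#p' | head -n 1
}

# Succeed only if the profile on stdin is named exactly $1.
header_matches() {   # $1 = binary path
  [ "$(profile_name)" = "$1" ]
}

# Demo: the first rewrite names the profile /usr/lib{,64}/firefox/firefox, the
# second keeps /usr/lib64/firefox/firefox as the name and still covers both lib dirs.
printf '%s\n' "$SAMPLE_PROFILE" | rewrite_all | profile_name
printf '%s\n' "$SAMPLE_PROFILE" \
  | rewrite_keep_header /usr/lib/firefox/firefox /usr/lib64/firefox/firefox
```

Note that rewrite_keep_header uses the shipped path as a sed pattern without escaping, which is fine for paths containing only letters, digits, slashes and dots.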

Looks like a typo. If it’s not just in your posting, then it’s probably the cause of your error.

Note the period instead of a slash after “/usr”.

/etc/apparmor.d/usr.lib64.firefox.firefox

TSU

No, it is not a typo. This is a file named “usr.lib64.firefox.firefox” under “/etc/apparmor.d”.

It is a convention to name the file based on the path of the executable that the profile is for, replacing slashes with dots.

Right.

For someone to follow your exact steps and reproduce what you see, you need to post exactly the commands you use, not a description like “scan”.

Been a while since I’ve tried to create a custom AppArmor rule, but your overall description and approach look right, IIRC.

TSU

Actually, the original post lists the complete commands. The “scan” functionality is an option presented in the interactive UI of the aa-genprof command.

The way aa-genprof is supposed to work is that you run a command like “sudo aa-genprof ktorrent”, then open a new ktorrent process that will be monitored by AppArmor and generate access violation logs. After running ktorrent for a while, you go back to the aa-genprof screen and press “S”, which activates the scanning of the logs, and it then starts suggesting rules based on those logs.

On my machine, aa-genprof does not do anything when asked to scan the logs. I have to use another tool called aa-logprof. Both tools are supposed to be able to generate rules from logs. aa-genprof should generate these rules as part of the initial setup, and aa-logprof is supposed to be used after the initial profile has been created.
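The rule-suggestion step that both aa-genprof (behind “S”) and aa-logprof perform, as an added example that is not the AppArmor tools’ code: a few constructed audit lines in the layout auditd writes for AppArmor events, and an awk pass that collects the denied masks per path for one profile and prints candidate file rules. The mapping of the audit-only create/delete letters onto w is this sketch’s assumption, and exec events are printed as a note rather than a rule because the real tools ask which exec mode (ix/px/ux) to use.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AppArmor tools: the
# log-to-rules step that aa-genprof (on "S") and aa-logprof perform, reduced
# to one awk pass over audit events for a single profile.
set -e

# Constructed audit lines in the layout auditd writes for AppArmor events
# (apparmor="ALLOWED" is a complain-mode event, "DENIED" an enforce-mode one).
SAMPLE_LOG='type=AVC msg=audit(1400000000.001:101): apparmor="ALLOWED" operation="open" profile="ktorrent" name="/home/user/.kde4/share/config/ktorrentrc" pid=1234 comm="ktorrent" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1400000000.002:102): apparmor="ALLOWED" operation="open" profile="ktorrent" name="/home/user/Downloads/file.torrent" pid=1234 comm="ktorrent" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1400000000.003:103): apparmor="ALLOWED" operation="open" profile="ktorrent" name="/home/user/.kde4/share/config/ktorrentrc" pid=1234 comm="ktorrent" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1400000000.004:104): apparmor="ALLOWED" operation="exec" profile="ktorrent" name="/usr/bin/xdg-open" pid=1234 comm="ktorrent" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1400000000.005:105): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Read audit lines on stdin, keep the events for profile $1, merge the denied
# masks per path and print candidate file rules in first-seen order.
suggest_rules() {   # $1 = profile name
  awk -v want="$1" '
    # value of key="..." in line, or "" when the key is absent
    function field(line, key,    re) {
      re = key "=\"[^\"]*\""
      if (match(line, re))
        return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
      return ""
    }
    /apparmor="(ALLOWED|DENIED)"/ && field($0, "profile") == want {
      path = field($0, "name"); mask = field($0, "denied_mask")
      if (path == "" || mask == "") next
      if (!(path in masks)) order[++n] = path
      masks[path] = masks[path] mask
    }
    END {
      for (i = 1; i <= n; i++) {
        path = order[i]; raw = masks[path]; out = ""
        # exec needs an ix/px/ux choice that the real tools ask the user for
        if (index(raw, "x")) {
          printf "  # %s: exec event, choose ix/px/ux by hand\n", path
          continue
        }
        gsub(/[cd]/, "w", raw)   # assumption here: create/delete are covered by w
        for (p = 1; p <= 5; p++) {
          letter = substr("rwklm", p, 1)
          if (index(raw, letter)) out = out letter
        }
        printf "  %s %s,\n", path, out
      }
    }'
}

# Demo: rules for ktorrent only; the firefox event is ignored.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules ktorrent
```

Against a real system you would feed it the audit log instead of the sample, e.g. suggest_rules ktorrent < /var/log/audit/audit.log, and then review each line before pasting it into the profile, which is exactly the step the interactive tools put a prompt in front of.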