[apparmor] understanding apparmor_parser debug output

Vincas Dargis Fri, 31 Mar 2017 14:49:49 -0700

Hi,

I'm on Kubuntu 16.04 with Apparmor 2.10.95-0ubuntu2.6 and Linux 
4.8.0-34-generic (HWE)


usr.bin.skype profile has such lines:

  deny @{HOME}/.fontconfig/ w,
  deny @{HOME}/.fontconfig/*.cache-*.TMP* w,

When I run:

apparmor_parser -Q -d  /etc/apparmor.d/usr.bin.skype

These lines are printed:

Mode:   wa:wa   Name:   ({/home//*,/root}/.fontconfig/)
Mode:   wa:wa   Name:   ({/home//*,/root}/.fontconfig/*.cache-*.TMP*)

I do not quite follow here. What these wa:wa means exactly? Looking at Wiki [0], it kinda seems like if I am owner ornot, I am allowed to write..? Though of course I expect not to be able to write due to "deny".


How to interpret these debug outputs, how do I audit apparmor profiles?

Thanks.

[0] http://wiki.apparmor.net/index.php/AppArmorMonitoring - "This listing shows the permissions granted when the userowns the resource (file, directory, pipe, etc.) and when the user does not own the resource."


--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] understanding apparmor_parser debug output

Reply via email to