Re: [apparmor] Minimal apparmor profile

2011-12-09 Thread Seth Arnold
We (used to?) ship a tool 'autodep' (perhaps renamed aa-autodep?) that would 
parse the output of ldd on a binary and spit out a profile for the application, 
ensuring the libraries were covered.

You can replace a single profile with apparmor_parser --reload 
/etc/apparmor.d/path.to.profile. I like using vim's % to represent a file name 
and run this while editing a profile. Be sure to :w the file first:

:!apparmor_parser --reload %

-Original Message-
From: Alex Coventry throwa...@mit.edu
Sender: apparmor-boun...@lists.ubuntu.com
Date: Fri, 09 Dec 2011 13:11:41 
To: apparmor@lists.ubuntu.com
Subject: [apparmor] Minimal apparmor profile


Hi, does anyone have the minimal profile necessary to allow a
gcc-compiled hello-world program to run on ubuntu?  

Alternatively, is there a quick way to reload a single profile, without
restarting apparmor?  It would be pretty easy to figure the minimal
ruleset out by successively trimming entries from abstractions/base,
given that.

Also, is there an apparmor rule allowing the prctl syscall?

Best regards,
Alex

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] Minimal apparmor profile

2011-12-09 Thread Kees Cook
Hi Alex,

On Fri, Dec 09, 2011 at 01:11:41PM -0500, Alex Coventry wrote:
> Hi, does anyone have the minimal profile necessary to allow a
> gcc-compiled hello-world program to run on ubuntu?  

It seems you've already found this, but I'd start with:

/path/to/hello {
  #include <abstractions/base>
}

All that is really needed for hello-world is the loader and libc, though.

> Alternatively, is there a quick way to reload a single profile, without
> restarting apparmor?  It would be pretty easy to figure the minimal
> ruleset out by successively trimming entries from abstractions/base,
> given that.

sudo apparmor_parser -r /etc/apparmor.d/name.of.profile.file

> Also, is there an apparmor rule allowing the prctl syscall?

prctl() is not mediated by apparmor.

-Kees

-- 
Kees Cook

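The two answers above describe the same workflow: derive the library rules from `ldd` output (what Seth says autodep did) and reload only the resulting profile with `apparmor_parser -r` (Kees's command). The script below is an added example, not code from this thread or from the AppArmor project. It assumes a hypothetical binary `/usr/local/bin/hello`, a constructed `ldd` listing in `SAMPLE_LDD`, and two helper functions of my own (`gen_profile`, `profile_path`); the profile it emits is the trimmed-down form Kees describes, with only the loader and libc rather than the whole `abstractions/base`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AppArmor project:
# build a minimal profile for a dynamically linked binary from `ldd` output
# (the approach Seth describes for autodep), then reload only that profile.
# The binary path and the ldd listing below are constructed for illustration.
set -eu

# Constructed ldd output for a hello-world on a 64-bit Ubuntu host.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc7e5f9000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a3c200000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a3c600000)'

# gen_profile BINARY  (ldd output on stdin)
# Prints a profile that lets BINARY map itself plus every shared object and
# loader that ldd resolved to a path. Nothing else is allowed, which is the
# point Kees makes: hello-world needs only the loader and libc.
gen_profile() {
    bin=$1
    printf '%s {\n' "$bin"
    # Map rule for the binary itself, as autodep-style profiles carry.
    printf '  %s mr,\n' "$bin"
    awk '
        # "libc.so.6 => /lib/.../libc.so.6 (0x...)": resolved path is field 3.
        $2 == "=>" && $3 ~ /^\// { print "  " $3 " mr,"; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)": the loader itself, field 1.
        $1 ~ /^\//               { print "  " $1 " mr," }
        # "linux-vdso.so.1 (0x...)" has no file and "=> not found" has no
        # path, so neither line yields a rule.
    ' | LC_ALL=C sort -u
    printf '}\n'
}

# profile_path BINARY: conventional file name under /etc/apparmor.d
# (leading slash dropped, remaining slashes turned into dots).
profile_path() {
    printf '/etc/apparmor.d/%s\n' "$(printf '%s' "$1" | sed 's|^/||; s|/|.|g')"
}

# Real use, run as root on the target host (not executed here):
#   BIN=/usr/local/bin/hello
#   ldd "$BIN" | gen_profile "$BIN" > "$(profile_path "$BIN")"
#   apparmor_parser -r "$(profile_path "$BIN")"      # reload just this profile
#   "$BIN"; dmesg | grep -F 'apparmor="DENIED"'      # see what is still missing

# Stand-alone run: print the profile generated from the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | gen_profile /usr/local/bin/hello
```

Two caveats when using this for real. `ldd` runs the target's dynamic loader, so do not point it at an untrusted binary (see the warning in ldd(1)); run `objdump -p` or inspect the profile denials instead. And `ldd` lists only shared objects: the loader also opens `/etc/ld.so.cache` before falling back to the default library directories, which `abstractions/base` permits and this trimmed profile does not, so expect one logged denial for it and add `/etc/ld.so.cache r,` if you want a clean audit log. Trimming further than the loader and libc is the experiment Alex proposes, and `apparmor_parser -r` on the single file is what makes each iteration cheap.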