Hello,

On Friday, 18 December 2015, daniel curtis wrote:

> I would like to ask about AppArmor profiles and system log files
> such as, for example, /var/log/syslog etc. Let's say that I wrote a
> profile for an application whose 'audit' entries in the log files
> contain something like this (of course, I omitted the whole
> 'audit' line):
>
> * requested_mask="c" denied_mask="c"
>
> I have to say that it is a "DENIED" action for a 'mkdir' operation in
> the /home/user/.app/ directory. But that is not the point. So, what does "c"
> exactly mean? If I would like to add a rule to the AppArmor
> profile, what should I use? I mean: 'r', 'w', 'x', or maybe 'l', 'k',
> 'm'? Or maybe something completely different, like:
c means "create file/directory".

For a directory, you'll need a rule like

    /the/directory/ w,

For files, a (append) permissions might be enough, but depending on how
the application opens the file, you might need the more permissive w.

> * /usr/bin/xyz Cx -> sanitized_helper,
>
> Generally: what do "c" and "x" exactly mean? (In AppArmor
> audit messages.) In conclusion: what rules should I use in an
> application profile if in the log files there are, for example, 'audit'
> messages like these:
>
> 1/ operation="mkdir", requested_mask="c", denied_mask="c"

See above.

> 2/ operation="exec", requested_mask="x", denied_mask="x"

That means executing another binary. Depending on what gets executed,
you can choose ix (inherit = use the same profile), Cx (use a child
profile), Px (use a standalone profile) or Ux (unconfined = execute
without AppArmor restrictions).

Hint: Avoid Px for things like /bin/bash ;-)

> So, how should correct entries in the profile look?

If in doubt, use aa-logprof - it will give you a matching proposal.

Also have a look at man apparmor.d which explains all rule types and
permissions.

Finally, I can recommend my "AppArmor Crash Course". You can find
(slightly outdated) slides at blog.cboltz.de (search for AppArmor).
If slides aren't enough, check the DebConf15 video archives - I gave
that talk there.

Regards,

Christian Boltz
-- 
[CVS] There is also a graphical frontend (no, not the sick Cervisia;
there was probably too much Cervessa involved while programming it)
[Gerald Goebel in fontlinge-devel]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
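As an added illustration of the mapping Christian describes (this is example code written for this page, not part of the original thread, aa-logprof or the AppArmor project), the script below parses DENIED audit records and turns them into candidate profile rules: the 'c' (and 'd') mask letters become 'w' on the named path, a mkdir target gets the trailing slash a directory rule needs, an 'x' denial becomes an exec rule whose mode (ix, Px, Cx, Ux, ...) the caller must choose explicitly, and repeated denials for the same path are merged into one rule. The audit lines, the /usr/bin/xyz profile and the /home/user/.app/ and /usr/bin/helper paths are constructed for the example; the function names are my own.

```python
import re
from typing import Dict, Tuple

# Constructed sample audit records (not copied from a real system), shaped
# like the two cases asked about in the thread plus two open() denials
# on the same file so that rule merging can be shown.
SAMPLE_LOG = """\
type=AVC msg=audit(1450451234.567:101): apparmor="DENIED" operation="mkdir" profile="/usr/bin/xyz" name="/home/user/.app/" pid=4242 comm="xyz" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1450451235.123:102): apparmor="DENIED" operation="exec" profile="/usr/bin/xyz" name="/usr/bin/helper" pid=4242 comm="xyz" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1450451236.456:103): apparmor="DENIED" operation="open" profile="/usr/bin/xyz" name="/home/user/.app/log.txt" pid=4242 comm="xyz" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1450451237.789:104): apparmor="DENIED" operation="open" profile="/usr/bin/xyz" name="/home/user/.app/log.txt" pid=4242 comm="xyz" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Audit mask letters with no profile permission of their own: creating ('c')
# or deleting ('d') a path is granted by 'w' on that path in a profile rule.
MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "mrwalk"   # canonical letter order used when rendering a rule

# Exec modes a rule may carry. There is deliberately no automatic choice:
# the right mode depends on what is being executed (see the Px hint above).
EXEC_MODES = {"ix", "Px", "Cx", "Ux", "px", "cx", "ux",
              "pix", "cix", "Pix", "Cix", "pux", "cux", "PUx", "CUx"}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Turn one key="value" audit record into a dict (unquoted ints are dropped)."""
    return dict(FIELD_RE.findall(line))


def suggest_rule(entry: Dict[str, str], exec_mode: str = "ix") -> Tuple[str, str]:
    """Map one DENIED record to (path, permission string) for a profile rule."""
    name = entry["name"]
    mask = entry["denied_mask"]
    if entry["operation"] == "exec" or "x" in mask:
        if exec_mode not in EXEC_MODES:
            raise ValueError(f"unknown exec mode {exec_mode!r}")
        return name, exec_mode
    if entry["operation"] == "mkdir" and not name.endswith("/"):
        name += "/"          # directory rules carry a trailing slash
    perms = {MASK_TO_PERM[ch] for ch in mask if ch in MASK_TO_PERM}
    if not perms:
        raise ValueError(f"no file permission for mask {mask!r}")
    return name, "".join(p for p in PERM_ORDER if p in perms)


def build_profile(log_text: str, exec_mode: str = "ix") -> Dict[str, Dict[str, str]]:
    """Collect merged candidate rules per profile: {profile: {path: perms}}."""
    profiles: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry.get("apparmor") != "DENIED" or "denied_mask" not in entry:
            continue
        path, perm = suggest_rule(entry, exec_mode)
        rules = profiles.setdefault(entry["profile"], {})
        old = rules.get(path)
        if old is None or perm in EXEC_MODES or old in EXEC_MODES:
            rules[path] = perm      # exec rules are never merged with file perms
        else:
            merged = set(old) | set(perm)
            rules[path] = "".join(p for p in PERM_ORDER if p in merged)
    return profiles


def render_profile(name: str, rules: Dict[str, str]) -> str:
    """Render one profile block in apparmor.d syntax."""
    body = "\n".join(f"  {path} {perm}," for path, perm in sorted(rules.items()))
    return f"{name} {{\n{body}\n}}\n"


if __name__ == "__main__":
    for prof, rules in build_profile(SAMPLE_LOG, exec_mode="ix").items():
        print(render_profile(prof, rules))
```

Run as-is it prints a `/usr/bin/xyz { ... }` block with `/home/user/.app/ w,`, `/home/user/.app/log.txt rw,` and `/usr/bin/helper ix,`; pass `exec_mode="Px"` or `"Cx"` to get the other exec forms. The output is a starting point to review by hand, not a profile to install blindly: a generated rule names exactly the path that was denied, so globbing, abstractions and the choice of exec mode still need a human, which is also why aa-logprof asks rather than decides.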