1. Create /tmp/foo.sh:
#!/bin/sh
cat /etc/fstab
grep root /etc/passwd
2. chmod 755 /tmp/foo.sh
3. sudo aa-genprof /tmp/foo.sh
Writing updated profile for /tmp/foo.sh.
Setting /tmp/foo.sh to complain mode.
...
[(S)can system log for AppArmor events] / (F)inish
(press 'f', i.e. don't run /tmp/foo.sh in another terminal or anything)
Reloaded AppArmor profiles in enforce mode.
...
Finished generating profile for /tmp/foo.sh.
4. verify it is loaded
$ sudo aa-status|grep foo
/tmp/foo.sh
5. run the script:
$ /tmp/foo.sh
/bin/sh: Can't open /tmp/foo.sh
6. run aa-logprof
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:
Profile: /tmp/foo1.sh
Path: /tmp/foo1.sh
Mode: r
Severity: unknown
[1 - /tmp/foo1.sh]
(press 'a')
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - /tmp/foo1.sh]
(S)ave Changes / [(V)iew Changes] / Abo(r)t
(press 's')
Writing updated profile for /tmp/foo1.sh.
8. Verify the profile was updated:
$ cat /etc/apparmor.d/tmp.foo1.sh
# Last Modified: Mon Mar 26 13:40:50 2012
#include <tunables/global>
/tmp/foo.sh {
#include <abstractions/base>
/bin/dash ix,
/tmp/foo.sh r,
}
9. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied
10. run aa-logprof:
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
(notice I wasn't prompted).
11. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied
I'm not sure what this is as I did see it work a couple of times. I think this might be a timestamp checking issue. If I went slowly between running aa-genprof and aa-logprof it would work. If I went more quickly, it would not. This is not a result of kernel rate limiting, because I have entries in dmesg for the cat and grep denials.
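The denials from step 9 (cat and grep refused under /tmp/foo1.sh) can be checked straight from the kernel/audit log, independent of where aa-logprof's log cursor or timestamp check happens to be. The shell function below is an added example, not part of the bug report or of the AppArmor tools; it runs over constructed sample lines that assume the type=1400 audit format AppArmor logs used, with the profile and paths taken from the report.

```shell
#!/bin/sh
# Constructed sample log lines (not real output): two exec denials for
# /tmp/foo1.sh, one complain-mode ALLOWED line, and one denial for a
# different profile that must be ignored.
SAMPLE_LOG='[ 1234.5678] type=1400 audit(1332775250.123:45): apparmor="DENIED" operation="exec" parent=1234 profile="/tmp/foo1.sh" name="/bin/cat" pid=5678 comm="foo1.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1234.5680] type=1400 audit(1332775250.130:46): apparmor="DENIED" operation="exec" parent=1234 profile="/tmp/foo1.sh" name="/bin/grep" pid=5679 comm="foo1.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1234.5690] type=1400 audit(1332775250.140:47): apparmor="ALLOWED" operation="open" parent=1234 profile="/tmp/foo1.sh" name="/etc/fstab" pid=5680 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1234.5700] type=1400 audit(1332775250.150:48): apparmor="DENIED" operation="open" parent=1234 profile="/usr/bin/other" name="/etc/shadow" pid=5681 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# denied_rules PROFILE
# Reads AppArmor audit lines on stdin and prints one "path mask" pair per
# distinct DENIED event attributed to PROFILE. These are the accesses
# aa-logprof would have prompted about; an "x" mask still needs the admin
# to choose a qualifier (ix, Px, Ux, ...) before it becomes a profile rule.
denied_rules() {
  profile=$1
  grep -F 'apparmor="DENIED"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    sort -u
}

# denied_count PROFILE: number of distinct denied accesses for PROFILE.
denied_count() {
  denied_rules "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live system feed the real log, e.g.
#   dmesg | denied_rules /tmp/foo1.sh
printf '%s\n' "$SAMPLE_LOG" | denied_rules /tmp/foo1.sh
```

If this prints the cat and grep denials while aa-logprof stays silent, the events are in the log and the gap is in how aa-logprof selects which entries to read.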