Introduction to AppArmor Profiles

AppArmor profiles are simple text files. Absolute paths as well as file globbing can be used when specifying file access. Most file access rules specify the type of access which is allowed: 'r' (read), 'w' (write), 'm' (memory map as executable), 'k' (file locking), 'l' (creation of hard links), and 'ix' to execute another program with the new program inheriting policy. Other file access rules also exist, such as 'Px' (execute under another profile, after cleaning the environment), 'Cx' (execute under a child profile, after cleaning the environment), and 'Ux' (execute unconfined, after cleaning the environment).

Explicit deny rules are supported to override allow rules (eg access to is denied with auditing due to audit deny mrwkl, even though general access to is permitted with rw,).

Variables (eg ) can be defined and manipulated outside the profile (#include for ).

Include files are supported to ease development and simplify profiles (ie #include, #include, #include).

To get started, let's install some useful AppArmor utilities and the application that we want to confine:

$ sudo apt install apparmor-easyprof apparmor-notify apparmor-utils certspotter

The easiest way to get started is to create a skeleton profile, set AppArmor to complain mode for your target, and then use the aa-logprof tool to evaluate the denials. We'll use aa-easyprof to generate the skeleton policy; let's see what it generates (be sure to specify the absolute path to the application):

$ aa-easyprof /usr/bin/certspotter

Looks pretty basic, so let's write that output into the profile file (the name of the file can be anything; it is the contents of the file which matter):

$ aa-easyprof /usr/bin/certspotter >
$ sudo mv /etc/apparmor.d

And then load the profile into the kernel:

$ sudo apparmor_parser -r /etc/apparmor.d/

Trying to run certspotter results in an immediate (safe) crash:

$ certspotter
certspotter: /home/testuser/.certspotter/watchlist: open /home/testuser/.certspotter/watchlist permission denied

This basic profile doesn't allow certspotter access to resources it needs, so let's look at the AppArmor denial messages to see what went wrong.

AppArmor Denials and Complain Mode

AppArmor denials are logged to /var/log/syslog (or /var/log/audit/audit.log for non-DBus policy violations if auditd is installed). The kernel will rate limit AppArmor denials, which can cause problems while profiling. You can avoid this by installing auditd or by adjusting rate limiting in the kernel:

$ sudo sysctl -w kernel.printk_ratelimit=0

Another way to view AppArmor denials is by using the aa-notify tool. aa-notify is a very simple program that will report any new AppArmor denials by consulting /var/log/syslog (or /var/log/audit/audit.log if auditd is installed). For example,

$ /usr/bin/aa-notify -s 1 -v

will show any AppArmor denials within the last day.

We are going to take the easy route to develop this profile and use the aa-logprof tool to evaluate the log entries that AppArmor makes in complain mode, so let's set the AppArmor profile for certspotter to complain mode for this policy so that we can see what is happening.

Now let's try running certspotter again:

$ certspotter
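The following is an added example, not code from the original page or from the AppArmor project. It shows what the complain-mode log entries that aa-logprof evaluates look like and how the requested_mask in each entry maps onto the file rule letters described above ('r', 'w', 'm', 'k', 'l'). The log lines are constructed to resemble kernel audit messages for a hypothetical profile named /usr/bin/certspotter; the watchlist path, pids and timestamps are invented, and the functions extract_events and suggest_rules are this example's own, not part of apparmor-utils.

```shell
#!/bin/sh
# Added example (not from the original page or the AppArmor project):
# summarise AppArmor complain-mode log lines and turn them into candidate
# file rules, roughly the job aa-logprof does interactively.
#
# The lines below are CONSTRUCTED to look like kernel audit messages.
# In complain mode the kernel logs apparmor="ALLOWED": the access went
# through but was recorded. apparmor="DENIED" is what enforce mode logs.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/certspotter" name="/home/testuser/.certspotter/watchlist" pid=4242 comm="certspotter" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:12): apparmor="ALLOWED" operation="mkdir" profile="/usr/bin/certspotter" name="/home/testuser/.certspotter/certs/" pid=4242 comm="certspotter" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.103:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/certspotter" name="/home/testuser/.certspotter/certs/abc.pem" pid=4242 comm="certspotter" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.104:14): apparmor="ALLOWED" operation="open" profile="/usr/bin/certspotter" name="/home/testuser/.certspotter/watchlist" pid=4242 comm="certspotter" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.105:15): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=4300 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Print "profile path mask" for every AppArmor event belonging to PROFILE.
# Fields are parsed by key=value, so the syslog and auditd prefixes both work.
# (Paths containing spaces are not handled; real aa-logprof does more here.)
# Usage: extract_events PROFILE_PATH < logfile
extract_events() {
    profile="$1"
    awk -v prof="$profile" '
        /apparmor="(ALLOWED|DENIED)"/ {
            p = ""; n = ""; m = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "profile") p = val
                else if (kv[1] == "name") n = val
                else if (kv[1] == "requested_mask") m = val
            }
            if (p == prof && n != "") print p, n, m
        }'
}

# Merge every mask seen for a path and print one candidate rule per path,
# e.g. "/home/testuser/.certspotter/watchlist r,". The log masks "c" (create)
# and "d" (delete) have no rule letter of their own; both need "w" in a rule.
# Usage: suggest_rules PROFILE_PATH < logfile
suggest_rules() {
    extract_events "$1" | awk '
        {
            mask = $3; gsub(/[cd]/, "w", mask)
            seen[$2] = seen[$2] mask
        }
        END {
            letters = "rwmkla"      # rule letters, emitted in a fixed order
            for (path in seen) {
                out = ""
                for (i = 1; i <= length(letters); i++) {
                    ch = substr(letters, i, 1)
                    if (index(seen[path], ch)) out = out ch
                }
                printf "%s %s,\n", path, out
            }
        }' | sort
}

# Demo run over the constructed log: only the certspotter profile's events
# are summarised; the unrelated /usr/bin/other denial is ignored.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/bin/certspotter
```

The output is a starting point, not a finished profile: aa-logprof would additionally offer globbing (a rule covering the whole .certspotter directory rather than each file) and abstractions, and every suggested line should be checked against what the program legitimately needs before it goes into /etc/apparmor.d.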