Wiki

User Tools

Site Tools

Trace:
apparmor:create_an_apparmor_profile

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
apparmor:create_an_apparmor_profile [2019/11/24 16:35] peterapparmor:create_an_apparmor_profile [2019/11/25 22:23] (current) – removed peter
Line 1: Line 1:
-====== AppArmor - Create an AppArmor Profile ====== 
- 
-===== Design a test plan ===== 
- 
-Try to think about how the application should be exercised.  The test plan should be divided into small test cases.  Each test case should have a small description and list the steps to follow. 
- 
-Some standard test cases are: 
- 
-  * Starting the program. 
-  * Stopping the program. 
-  * Reloading the program. 
-  * Testing all the commands supported by the init script. 
- 
----- 
- 
-===== Generate the new profile ===== 
- 
-Use **aa-genprof** to generate a new profile.   
- 
-<code bash> 
-sudo aa-genprof executable 
-</code> 
- 
-For example: 
- 
-<code bash> 
-sudo aa-genprof slapd 
-</code> 
- 
-To get your new profile included in the **apparmor-profiles** package, file a bug in Launchpad against the [[https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug|AppArmor]] package: 
- 
-  * Include your test plan and test cases. 
-  * Attach your new profile to the bug. 
- 
----- 
- 
-===== Profiles ===== 
- 
-AppArmor profiles are simple text files located in **/etc/apparmor.d/**.  The files are named after the full path to the executable they profile replacing the "/" with "." For example /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command. 
- 
-There are two main type of rules used in profiles: 
- 
-  * **Path entries**: which detail which files an application can access in the file system. 
-  * **Capability entries**: determine what privileges a confined process is allowed to use. 
- 
-As an example take a look at /etc/apparmor.d/bin.ping: 
- 
-<file bash /etc/apparmor.d/bin.ping> 
-#include <tunables/global> 
-/bin/ping flags=(complain) { 
-  #include <abstractions/base> 
-  #include <abstractions/consoles> 
-  #include <abstractions/nameservice> 
- 
-  capability net_raw, 
-  capability setuid, 
-  network inet raw, 
-   
-  /bin/ping mixr, 
-  /etc/modules.conf r, 
-} 
-</file> 
- 
- 
-  * #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file. 
- 
-  * /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain. 
- 
-  * capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability. 
- 
-  * /bin/ping mixr,: allows the application read and execute access to the file. 
- 
  
apparmor/create_an_apparmor_profile.1574613318.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki