On 03/31/2017 02:48 PM, Vincas Dargis wrote:
> Hi,
>
> I'm on Kubuntu 16.04 with Apparmor 2.10.95-0ubuntu2.6 and Linux
> 4.8.0-34-generic (HWE)
>
> usr.bin.skype profile has such lines:
>
> deny @{HOME}/.fontconfig/ w,
> deny @{HOME}/.fontconfig/*.cache-*.TMP* w,
>
> When I run:
>
> apparmor_parser -Q -d /etc/apparmor.d/usr.bin.skype
>
> These lines are printed:
>
> Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/)
> Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/*.cache-*.TMP*)
>
> I do not quite follow here. What do these wa:wa mean exactly? Looking at Wiki
> [0], it kinda seems like if I am owner or not, I am allowed to write..?
> Though of course I expect not to be able to write due to "deny".
>
It's showing the internal permissions that the w is mapping to. That is, w is
being converted to both write and append internally. This is due to how
permissions get tested. The colon is used to represent user:!user, which is
again just an internal mapping detail and could change in the future. The
denied info is stored as a separate flag, and I would say it is a bug that
debug is not outputting it.
> How to interpret these debug outputs, how do I audit apparmor profiles?
>
Auditing apparmor profiles is unfortunately a lot harder than it should be atm.
I tend to use apparmor_parser -p to get a flattened view of the profile with
all the vars etc. in one place, but this currently can lead to a lot of
duplication. Depending on what I am looking at I use some of the dump flags as
well.
--help=D will provide a list of what the parser supports. This list can change;
it is not considered a stable API, hence it not being documented in the man
pages.
The one that would probably interest you is
[no-]rule-exprs Dump rule to expr tree conversions
which will dump out information about rule conversions.
It will dump a whole bunch of stuff like
aare: /proc/stat -> /proc/stat
rule: /proc/stat -> /proc/stat (0x10004/0)< 0x10004>
However, this requires you to know even more of the internals and may not be
useful, depending on what you are doing.
Overall, I would say auditing profiles is far too hard at the moment and we need
some lint and auditing tools to help with the process.
> Thanks.
>
> [0] http://wiki.apparmor.net/index.php/AppArmorMonitoring - "This listing
> shows the permissions granted when the user owns the resource (file,
> directory, pipe, etc.) and when the user does not own the resource."
>
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
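A small audit helper, added here as an example and not part of the thread or of the AppArmor parser: it parses the `Mode: <user>:<!user> Name: (<path>)` lines that `apparmor_parser -Q -d` prints and joins them with the `deny` rules in the profile text, since the dump omits the deny flag. The two debug lines are the ones quoted in the thread; the profile fragment, the third `/etc/fonts/**` rule and the `@{HOME}` expansion map are constructed assumptions.

```python
import re

# Constructed sample: the two lines quoted in the thread plus one allow rule.
DEBUG_OUTPUT = """\
Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/)
Mode: wa:wa Name: ({/home//*,/root}/.fontconfig/*.cache-*.TMP*)
Mode: r:r Name: (/etc/fonts/**)
"""

# Constructed (hypothetical) profile fragment that produced the dump above.
PROFILE = """\
  deny @{HOME}/.fontconfig/ w,
  deny @{HOME}/.fontconfig/*.cache-*.TMP* w,
  /etc/fonts/** r,
"""

# Assumed @{HOME} expansion, as printed in the dump on the poster's system.
VARS = {"@{HOME}": "{/home//*,/root}"}

# "Mode: <user>:<!user> Name: (<path>)"; the colon splits owner / non-owner perms.
DEBUG_RE = re.compile(r"^Mode:\s*(\w*):(\w*)\s+Name:\s*\((.*)\)\s*$")

def parse_debug(text):
    """Return (owner_mode, other_mode, path) tuples from -d output lines."""
    return [m.groups() for m in map(DEBUG_RE.match, text.splitlines()) if m]

def deny_paths(profile, variables):
    """Expand variables in each 'deny' file rule; simple unquoted rules only."""
    denied = set()
    for line in profile.splitlines():
        tokens = line.strip().rstrip(",").split()  # qualifiers... path perms
        if len(tokens) >= 3 and "deny" in tokens[:-2]:
            path = tokens[-2]
            for var, value in variables.items():
                path = path.replace(var, value)
            denied.add(path)
    return denied

def audit(debug_text, profile_text, variables=VARS):
    """Join dump entries with the profile's deny rules to restore the deny flag."""
    denied = deny_paths(profile_text, variables)
    return [{"path": path, "owner": owner, "other": other, "deny": path in denied}
            for owner, other, path in parse_debug(debug_text)]

if __name__ == "__main__":
    for row in audit(DEBUG_OUTPUT, PROFILE):
        flag = "DENY " if row["deny"] else "allow"
        print(f"{flag} owner={row['owner']:<4} other={row['other']:<4} {row['path']}")
```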