This profile is an example of how to handle multiple profiles in one file. If you were trying to restrict mod_perl, mod_php, mod_python, and other Apache modules it would probably get a little weird. To make things a little easier (or harder?) for that, you could find mod_change_hat (which isn't in the Ubuntu repos) and use that. It will allow you to have a sub-profile for each script and a default sub-profile for scripts that don't match an existing sub-profile.
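An added illustration of the sub-profile (hat) layout described above, not a profile from this thread or from the module's own documentation. Paths, the hat name `reports` and the assumption that Apache maps a script to that hat through the module's configuration are all illustrative; only the profile side is shown, and `DEFAULT_URI` is the fallback hat used when nothing else matches.

```apparmor
# Added example, not from the thread. Assumes Apache at /usr/sbin/apache2,
# content under /var/www and a hypothetical CGI script mapped to the hat
# "reports" by the change_hat module's Apache configuration.
/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  network inet stream,
  network inet6 stream,
  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/sbin/apache2 mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /var/www/** r,

  # Sub-profile for one script: only what that script needs.
  # Nothing the parent profile allows is inherited here.
  ^reports {
    #include <abstractions/base>
    #include <abstractions/perl>
    /var/www/cgi-bin/report.pl r,
    /var/lib/reports/** r,
  }

  # Fallback sub-profile for requests that match no other hat.
  ^DEFAULT_URI {
    #include <abstractions/base>
    /var/www/** r,
  }
}
```

Because a hat starts empty, a script that is moved into its own hat shows up in the logs with every file it touches, which is the point: each script ends up with the narrowest rule set that still lets it run, and the fallback hat catches anything you forgot to map.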
ty for your reply,
Quick technical question.
I have a private FTP server (proftpd). If I can make a profile that successfully connects locally (IP 127.0.1.1), can I assume web requests are allowed too?
I don't have access to another web connection, therefore I can't try it from an external source.
If your profile allows you to connect from localhost, you can safely assume that your AppArmor profile won't prevent other incoming connections. AppArmor can't restrict IP addresses, it can only allow or deny TCP and/or UDP connections for IPv4 and/or IPv6. Doesn't mean your firewall won't be restricting anything though, so be sure to check that, and also check port forwarding on your router (if applicable).
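To make the reply concrete, here is an added example of the network rules it refers to, for a hypothetical proftpd profile; it is not a profile posted in this thread, and the binary path, log, pid file and FTP root locations are assumptions to adjust for your system.

```apparmor
# Added example, not from the thread. Assumes proftpd at /usr/sbin/proftpd,
# configuration under /etc/proftpd and an FTP root at /srv/ftp.
/usr/sbin/proftpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Allow TCP sockets over IPv4 and IPv6 for the control and data
  # connections. The rule is per address family and socket type only:
  # which peers or ports may reach the daemon is the firewall's decision.
  network inet stream,
  network inet6 stream,

  # Bind to port 21, then drop to the logged-in user's uid/gid.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability chown,

  /usr/sbin/proftpd mr,
  /etc/proftpd/** r,
  /var/log/proftpd/* w,
  # Assumed pid file location.
  /var/run/proftpd.pid rw,
  # Assumed FTP root; add w for directories users may upload to.
  /srv/ftp/** r,
}
```

Load it in complain mode first (`aa-complain` on the profile file) and connect from localhost; if the only denials in the log are file paths, the network side is already settled, because the same `network inet stream,` rule covers a connection from 127.0.0.1 and one from the internet alike.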
I am not going to allow some files, but AppArmor keeps writing messages to syslog continuously, about 3 messages per second in syslog and messages. How do I stop it? AppArmor must have such an ability, because this is its main target, its goal: to block programs. That is normal, so it should not write so much to the log files.
AppArmor writes one message per access attempt. So if you write a profile for /usr/bin/myprogram that does not allow access to /etc/shadow and /usr/bin/myprogram makes 10 attempts per second to access /etc/shadow, you will get approximately 10 messages per second in your log saying that access was denied.
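Since each attempt produces its own line, the practical first step is to find out which paths are producing the volume. The following is an added example (not code from this thread) that parses the `key="value"` denial format AppArmor 2.x writes through the kernel into syslog, counts denials per profile, path and access mask, and reports the peak denials per second; the sample syslog excerpt is constructed for the example, and the field names are the ones that format uses.

```python
import re
from collections import Counter

# Constructed sample /var/log/syslog excerpt (not real log output) in the
# key="value" event format AppArmor 2.x emits via the kernel. The last line
# is unrelated cron noise, to show the parser skips it.
SAMPLE_SYSLOG = """\
Jun 29 10:00:01 host kernel: [ 1234.567] type=1503 audit(1246266001.001:10): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/shadow" pid=4242 profile="/usr/bin/myprogram"
Jun 29 10:00:01 host kernel: [ 1234.667] type=1503 audit(1246266001.101:11): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/shadow" pid=4242 profile="/usr/bin/myprogram"
Jun 29 10:00:01 host kernel: [ 1234.767] type=1503 audit(1246266001.201:12): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=1000 name="/home/user/.bashrc" pid=4242 profile="/usr/bin/myprogram"
Jun 29 10:00:02 host kernel: [ 1235.001] type=1503 audit(1246266002.001:13): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/etc/shadow" pid=4242 profile="/usr/bin/myprogram"
Jun 29 10:00:02 host kernel: [ 1235.101] type=1503 audit(1246266002.101:14): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/etc/hosts" pid=4243 profile="/usr/sbin/other"
Jun 29 10:00:02 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

# key="value" pairs as written by the kernel, and the audit(epoch.msec:serial) stamp.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
AUDIT_TS_RE = re.compile(r'audit\((\d+)\.\d+:\d+\)')


def parse_denials(lines):
    """Yield (epoch_seconds, fields) for every line carrying an AppArmor denial.

    A line counts when it has profile=, name= and denied_mask= fields and an
    audit timestamp; cron lines and other kernel output are skipped.
    """
    for line in lines:
        if 'denied_mask=' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        stamp = AUDIT_TS_RE.search(line)
        if stamp and {'profile', 'name', 'denied_mask'}.issubset(fields):
            yield int(stamp.group(1)), fields


def summarize(text):
    """Return {(profile, path, denied_mask): count} over the whole excerpt."""
    counts = Counter()
    for _, f in parse_denials(text.splitlines()):
        counts[(f['profile'], f['name'], f['denied_mask'])] += 1
    return counts


def peak_rate(text):
    """Return {profile: highest number of denials logged in any one second}.

    This is the "N messages per second" figure, computed per profile from
    the audit timestamps rather than from the coarser syslog clock.
    """
    per_second = Counter()
    for ts, f in parse_denials(text.splitlines()):
        per_second[(f['profile'], ts)] += 1
    peaks = {}
    for (profile, _), n in per_second.items():
        peaks[profile] = max(peaks.get(profile, 0), n)
    return peaks


if __name__ == '__main__':
    ranked = sorted(summarize(SAMPLE_SYSLOG).items(), key=lambda kv: -kv[1])
    for (profile, path, mask), n in ranked:
        print(f"{n:5d}  {profile}  {mask}  {path}")
    print("peak denials per second:", peak_rate(SAMPLE_SYSLOG))
```

Run against a real file with `summarize(open('/var/log/syslog').read())`; the top entries are the paths the program keeps retrying, which is what you need to know before deciding whether a rule is missing from the profile or the program is simply looping on a denied access.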
Anyone tried to profile the latest Firefox-3.0.11? I am not having any luck as there appears to be something wrong with how AppArmor is parsing logs. If I do
and then attempt to "Scan" for changes (after I run Firefox for a while), it will find some of the denial log messages but not all of them. Once I click on "Finished" and Firefox goes into enforce mode, it won't open if I try to restart it. Thereafter, I ran:
sudo aa-genprof firefox
but it finds no log messages. However, there is a "null-complain-profile" that is still listed in complain mode. ps -A shows this as being Firefox. So, what's the deal with these null-profiles and how does one integrate them with an existing Firefox profile?
Also, Firefox is asking for the dac_override capability. It should not need this!
I saw that there were some bugs filed about AppArmor (in Jaunty) not parsing error logs properly. Some people on Launchpad said that installing auditd helped them. It doesn't work for me -- I'm still getting this strange behavior.
Or maybe I am just not doing it right?
I'll be profiling the latest Firefox later today. I can't imagine why it's asking for dac_override, but then again I still haven't figured out why it wants to read ~/.rsynclist (a file I created myself for one of my scripts) or why it's looking for a lot of things in /proc/ that aren't related to it...
I'll be starting from my current profile, which is posted here. I'll be removing a lot of stuff and trying to re-integrate the file-roller profile back into Firefox, so I'll be sure to post the result here once I'm done.
If it helps, my profile is here.
All I changed was the version from "10" to "!!"
Have not looked at the logs yet.