To start off, here are a few questions that have already been asked:
Can I have one application use different AppArmor profiles?
Yes, but not easily. You need to make a hard link from the program to a second name for the program. This is because AppArmor enforces profiles by paths. So let's say for example that you have /usr/bin/myprogram that you want to apply two different AppArmor profiles to. Create an AppArmor profile for /usr/bin/myprogram. Then, make a hard link for the path to use in the second application:
Code:
sudo ln /usr/bin/myprogram /usr/bin/myprogram2
Now, create your second AppArmor profile, but instead of /usr/bin/myprogram use /usr/bin/myprogram2. Once that's done, you can run myprogram to have it use the first profile, or you can run myprogram2 to have it use the second profile.
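Here is the hard-link procedure above as a small shell script. This is an added example, not code from the original post: the function names, the temporary paths, and the placeholder rule body are mine, and the skeleton profile only shows the attachment-by-path part that makes the trick work. On a real system you would run the link step as root against your own binary and fill the braces with the rules the program actually needs.

```shell
#!/bin/sh
# Added example (not from the original post): give one binary two AppArmor
# profiles by hard-linking it to a second path, then emitting one profile
# skeleton per path. Paths and rule bodies below are placeholders.

# link_alias PROGRAM ALIAS: create a hard link ALIAS to the same inode as
# PROGRAM. AppArmor attaches profiles by path, so the second path can carry
# its own profile even though the code behind it is identical.
link_alias() {
    prog=$1
    alias_path=$2
    # refuse to clobber an existing path (hard links also cannot cross filesystems)
    if [ -e "$alias_path" ]; then
        echo "link_alias: $alias_path already exists" >&2
        return 1
    fi
    ln "$prog" "$alias_path"
}

# same_inode A B: true when A and B are the same file (same device and inode),
# which is what distinguishes a hard link from a copy
same_inode() {
    [ "$1" -ef "$2" ]
}

# profile_skeleton PATH: print a minimal profile attached to PATH. The token
# before the brace is what AppArmor matches on; everything inside the braces
# is a placeholder to replace with the access the log shows the program needs.
profile_skeleton() {
    cat <<EOF
#include <tunables/global>

$1 {
  #include <abstractions/base>

  # placeholder rules: grant only what this path actually needs
  $1 mr,
}
EOF
}

# profile_file PATH: the conventional file name under /etc/apparmor.d for a
# profile attached to PATH (leading slash dropped, other slashes become dots)
profile_file() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}
```

Typical use is `link_alias /usr/bin/myprogram /usr/bin/myprogram2` followed by `profile_skeleton /usr/bin/myprogram2 > /etc/apparmor.d/$(profile_file /usr/bin/myprogram2)`, then editing the rules and loading the profile; `same_inode` is a quick check that you really made a hard link and not a copy.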
What is the difference between r::, ::x, etc. in the log?
These are the permissions the program is asking for. The colons split the permissions up into user permissions, group permissions, and "other" (neither user nor group) permissions. So r:: means the program is asking for user read permissions. If you see :w:, that means the program wants group write permissions. ::x means "other" execute permissions. Note that when you're giving execute permissions, you can't just give x - you have to give Px, Ux, or ix. More on those later.
What is the difference between "requested mask" and "denied mask"?
Requested mask is what the program is asking for. This may be something like rmx::. The "m" permission means it wants permission to use mmap(2) on the executable. Denied mask is what the program isn't getting. Given the previous requested mask, if the denied mask were to be mx:: that would mean that the AppArmor profile allows read permissions, but it does not allow map or execute permissions. Before blindly giving those permissions, however, you should decide whether they're really needed. If you're not certain, you can always ask here.
What's the difference between ix, ux, Px, etc.?
AppArmor provides 5 permission flags for execute permissions:
- ux - Unconfined execute
- Ux - Unconfined execute, scrub the environment
- px - execute with a profile written for the application
- Px - execute with a profile written for the application, scrub the environment
- ix - execute using the existing profile
In general, you should never use ux or Ux - that removes AppArmor protection for the executed program! Instead, use Px (or px) if the application being executed has its own profile, or ix if not.
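To make the "requested mask" versus "denied mask" reading and the execute-flag rule concrete, here is an added shell example (not from the original post) that splits both masks of an audit line into their colon-separated columns, works out what was actually granted, and builds a rule line in which a bare x has been turned into ix or Px. The log line is constructed for the demo, the column names follow the post's user/group/other reading of the mask, and the rule it prints is a starting point to check against the program's real needs, not something to paste in blindly.

```shell
#!/bin/sh
# Added example (not from the original post): decode requested_mask and
# denied_mask from an AppArmor audit line and derive a rule line that uses an
# explicit execute flag. Column naming follows the post's description.

# constructed sample line, not a real capture
SAMPLE='type=APPARMOR_DENIED operation="exec" profile="/usr/bin/myprogram" name="/usr/bin/helper" requested_mask="rmx::" denied_mask="mx::"'

# field LINE KEY: print the value of KEY="..." in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# column MASK N: the Nth colon-separated part of MASK (1 = user, 2 = group, 3 = other)
column() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# strip_chars STRING CHARS: STRING with every character of CHARS removed
# (tr is not called with an empty set, which some implementations reject)
strip_chars() {
    if [ -z "$2" ]; then
        printf '%s' "$1"
    else
        printf '%s' "$1" | tr -d "$2"
    fi
}

# allowed LINE N: what column N of the request was granted, i.e. requested minus denied
allowed() {
    strip_chars "$(column "$(field "$1" requested_mask)" "$2")" \
                "$(column "$(field "$1" denied_mask)" "$2")"
}

# exec_rule PATH MASK FLAG: a profile rule granting MASK to PATH. A bare "x"
# is not accepted in a rule, so it becomes FLAG+x (i for ix, P for Px, ...).
exec_rule() {
    nonx=$(strip_chars "$2" x)
    case $2 in
        *x*) printf '%s %s%sx,\n' "$1" "$nonx" "$3" ;;
        *)   printf '%s %s,\n' "$1" "$nonx" ;;
    esac
}

# report LINE: one line per column naming the requested, denied and allowed bits
report() {
    req=$(field "$1" requested_mask)
    den=$(field "$1" denied_mask)
    n=1
    for name in user group other; do
        printf '%s: requested=[%s] denied=[%s] allowed=[%s]\n' \
            "$name" "$(column "$req" "$n")" "$(column "$den" "$n")" "$(allowed "$1" "$n")"
        n=$((n + 1))
    done
}

report "$SAMPLE"
# the helper here has no profile of its own, so ix (inherit the caller's profile) is used
exec_rule "$(field "$SAMPLE" name)" "$(field "$SAMPLE" requested_mask | cut -d: -f1)" i
```

For the sample line the report shows the user column requested rmx and was denied mx, so only r was granted, and the suggested rule comes out as `/usr/bin/helper rmix,`. Passing `P` instead of `i` as the last argument gives `rmPx`, which is the choice when the executed program has its own profile; neither ux nor Ux is offered because, as the post says, they drop AppArmor confinement for the child.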
More again later!