Profiles
What they can control
File access
Exec
Capabilities
Network
UNIX sockets
Mount
mount / remount / unmount
pivot_root
Signals
Dbus
prtrace
rlimits
Text files
Compiled and installed with apparmor_parser.
Skeleton profiles
Default empty profiles to start with.
Generated with
aa-easyproffor a given application.
Comments
Global variables
Base abstractions
Syntax
Variables
@{var_name}@{var_name}=...Variable assignment
@{var_name}Variable value
Defined internally
Preconfigured
/etc/apparmor.d/tunables
Automatic
@{profile_name}
Includes
Include filename
Or #include filename
CPP like
Filenames
include "/absolute_path"
include "relative_path"
include <magic_path>
From
/etc/apparmor.dby default
Existing includes
Abstractions
include <abstractions/...>
Minimum, harmless access to fundamental resources.
Variable definitions.
include <tunable/...>
Feature ABI
Application Binary Interface.
abi filename
Absolute, relative or magic.
The file contains the feature set used in the profile.
Currently <abi/3.0>
Already included in <abstractions/base>
This is used to adjust kernel features to the profiles' use of features.
Filename wildcards
/dir_path/*All files in the directory
/dir_path
/dir_path/*/All directories in the directory
/dir_path
/dir_path/**All files and directories under the directory
/dir_path
/dir_path/**/All directories under the directory
/dir_path
File permissions
r: read
w: write
a: append
Cannot truncate
m: memory map
Useful for shared libraries
l: link
Add a name to an existing file
k: lock
File access synchronization.
Last updated