Profiles

What they can control

File access
Exec
Capabilities
Network
UNIX sockets
Mount
- mount / remount / unmount
- pivot_root
Signals
Dbus
prtrace
rlimits

Text files

Compiled and installed with apparmor_parser.

Skeleton profiles

Default empty profiles to start with.
Generated with aa-easyprof for a given application.

# vim:syntax=apparmor
# AppArmor policy for apparmor_parser
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###

#include <tunables/global>

# No template variables specified

"/usr/bin/apparmor_parser" {
 #include <abstraction/base>
 
 # No abstractions specified
 
 # No policy groups specified
 
 # No read paths specified
 
 # Not write paths specified
}

Comments
Global variables
Base abstractions

Syntax

Variables

@{var_name}
- @{var_name}=...
  - Variable assignment
- @{var_name}
  - Variable value

Defined internally

Preconfigured
- /etc/apparmor.d/tunables
Automatic
- @{profile_name}

Includes

Include filename

Or #include filename
CPP like

Filenames

include "/absolute_path"
include "relative_path"
include <magic_path>
- From /etc/apparmor.d by default

Existing includes

Abstractions

include <abstractions/...>
Minimum, harmless access to fundamental resources.

Variable definitions.

include <tunable/...>

Feature ABI

Application Binary Interface.

abi filename

Absolute, relative or magic.

The file contains the feature set used in the profile.

Currently <abi/3.0>
Already included in <abstractions/base>

This is used to adjust kernel features to the profiles' use of features.

Filename wildcards

/dir_path/*
- All files in the directory /dir_path
/dir_path/*/
- All directories in the directory /dir_path
/dir_path/**
- All files and directories under the directory /dir_path
/dir_path/**/
- All directories under the directory /dir_path

File permissions

r: read
w: write
a: append
- Cannot truncate
m: memory map
- Useful for shared libraries
l: link
- Add a name to an existing file
k: lock
- File access synchronization.

Last updated 1 year ago