authorSilvino <silvino@bk.ru>2019-08-03 01:14:06 +0100
committerSilvino <silvino@bk.ru>2019-08-03 01:14:06 +0100
commit3cce527807b5597108a8c8e34547f231f700d9f9 (patch)
tree6c99fb833668060b6bb6b8ba469511289ccac9bd
parent553e350e13c8e9abf0a9732476db1dd7843b09a2 (diff)
downloaddoc-3cce527807b5597108a8c8e34547f231f700d9f9.tar.gz
better apparmor utilities examples
-rw-r--r--core/apparmor.html116
1 files changed, 62 insertions, 54 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index ee8de54..8e057de 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -38,15 +38,15 @@
         # apparmor_status
         </pre>
 
-	<p>Utilities;</p>
+        <p>Utilities;</p>
 
-	<pre>
-	aa-audit           aa-disable         aa-genprof         aa-status
-	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
-	aa-cleanprof       aa-enabled         aa-mergeprof
-	aa-complain        aa-enforce         aa-notify
-	aa-decode          aa-exec            aa-remove-unknown
-	</pre>
+        <pre>
+        aa-audit           aa-disable         aa-genprof         aa-status
+        aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
+        aa-cleanprof       aa-enabled         aa-mergeprof
+        aa-complain        aa-enforce         aa-notify
+        aa-decode          aa-exec            aa-remove-unknown
+        </pre>
 
         <h2 id="profiles">Profiles</h2>
 
@@ -64,48 +64,48 @@
         apparmor_parser;</p>
 
         <pre>
-	Usage: apparmor_parser [options] [profile]
-
-	Options:
-	--------
-	-a, --add               Add apparmor definitions [default]
-	-r, --replace           Replace apparmor definitions
-	-R, --remove            Remove apparmor definitions
-	-C, --Complain          Force the profile into complain mode
-	-B, --binary            Input is precompiled profile
-	-N, --names             Dump names of profiles in input.
-	-S, --stdout            Dump compiled profile to stdout
-	-o n, --ofile n         Write output to file n
-	-b n, --base n          Set base dir and cwd
-	-I n, --Include n       Add n to the search path
-	-f n, --subdomainfs n   Set location of apparmor filesystem
-	-m n, --match-string n  Use only features n
-	-M n, --features-file n Use only features in file n
-	-n n, --namespace n     Set Namespace for the profile
-	-X, --readimpliesX      Map profile read permissions to mr
-	-k, --show-cache        Report cache hit/miss details
-	-K, --skip-cache        Do not attempt to load or save cached profiles
-	-T, --skip-read-cache   Do not attempt to load cached profiles
-	-W, --write-cache       Save cached profile (force with -T)
-	    --skip-bad-cache    Don't clear cache if out of sync
-	    --purge-cache       Clear cache regardless of its state
-	    --debug-cache       Debug cache file checks
-	-L, --cache-loc n       Set the location of the profile cache
-	-q, --quiet             Don't emit warnings
-	-v, --verbose           Show profile names as they load
-	-Q, --skip-kernel-load  Do everything except loading into kernel
-	-V, --version           Display version info and exit
-	-d [n], --debug         Debug apparmor definitions OR [n]
-	-p, --preprocess        Dump preprocessed profile
-	-D [n], --dump          Dump internal info for debugging
-	-O [n], --Optimize      Control dfa optimizations
-	-h [cmd], --help[=cmd]  Display this text or info about cmd
-	-j n, --jobs n          Set the number of compile threads
-	--max-jobs n            Hard cap on --jobs. Default 8*cpus
-	--abort-on-error        Abort processing of profiles on first error
-	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
-	--warn n                Enable warnings (see --help=warn)
-	</pre>
+        Usage: apparmor_parser [options] [profile]
+
+        Options:
+        --------
+        -a, --add               Add apparmor definitions [default]
+        -r, --replace           Replace apparmor definitions
+        -R, --remove            Remove apparmor definitions
+        -C, --Complain          Force the profile into complain mode
+        -B, --binary            Input is precompiled profile
+        -N, --names             Dump names of profiles in input.
+        -S, --stdout            Dump compiled profile to stdout
+        -o n, --ofile n         Write output to file n
+        -b n, --base n          Set base dir and cwd
+        -I n, --Include n       Add n to the search path
+        -f n, --subdomainfs n   Set location of apparmor filesystem
+        -m n, --match-string n  Use only features n
+        -M n, --features-file n Use only features in file n
+        -n n, --namespace n     Set Namespace for the profile
+        -X, --readimpliesX      Map profile read permissions to mr
+        -k, --show-cache        Report cache hit/miss details
+        -K, --skip-cache        Do not attempt to load or save cached profiles
+        -T, --skip-read-cache   Do not attempt to load cached profiles
+        -W, --write-cache       Save cached profile (force with -T)
+            --skip-bad-cache    Don't clear cache if out of sync
+            --purge-cache       Clear cache regardless of its state
+            --debug-cache       Debug cache file checks
+        -L, --cache-loc n       Set the location of the profile cache
+        -q, --quiet             Don't emit warnings
+        -v, --verbose           Show profile names as they load
+        -Q, --skip-kernel-load  Do everything except loading into kernel
+        -V, --version           Display version info and exit
+        -d [n], --debug         Debug apparmor definitions OR [n]
+        -p, --preprocess        Dump preprocessed profile
+        -D [n], --dump          Dump internal info for debugging
+        -O [n], --Optimize      Control dfa optimizations
+        -h [cmd], --help[=cmd]  Display this text or info about cmd
+        -j n, --jobs n          Set the number of compile threads
+        --max-jobs n            Hard cap on --jobs. Default 8*cpus
+        --abort-on-error        Abort processing of profiles on first error
+        --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
+        --warn n                Enable warnings (see --help=warn)
+        </pre>
 
         <h3 id="auto_profiles">Create profile with audit</h3>
 
@@ -123,13 +123,11 @@
         </pre>
 
         <p>Execute application with all common application options
-        and parts;</p>
-
-        <P>After initial automatic configuration enable profile in
+        and parts. After initial automatic configuration enable profile in
         complain mode. Use aa-logprof when rules need to be adapted.</p>
 
         <pre>
-        # aa-logprof
+        # aa-logprof -f /var/log/kernel
         </pre>
 
         <p>Once profile rules become well defined enable profile in
@@ -137,6 +135,16 @@
 
         <p>Monitor logs with aa-notify;</p>
 
+        <pre>
+        # aa-notify --file=/var/log/kernel -u username -l
+        </pre>
+
+        <p>And keep adjusting the rules with logprof;</p>
+
+        <pre>
+        # aa-logprof -f /var/log/kernel
+        </pre>
+
 
         <h3 id="man_profiles">Create profile manually</h3>