From 3cce527807b5597108a8c8e34547f231f700d9f9 Mon Sep 17 00:00:00 2001
From: Silvino Utilities; Utilities;
- aa-audit aa-disable aa-genprof aa-status
- aa-autodep aa-easyprof aa-logprof aa-unconfined
- aa-cleanprof aa-enabled aa-mergeprof
- aa-complain aa-enforce aa-notify
- aa-decode aa-exec aa-remove-unknown
-
+
+ aa-audit aa-disable aa-genprof aa-status
+ aa-autodep aa-easyprof aa-logprof aa-unconfined
+ aa-cleanprof aa-enabled aa-mergeprof
+ aa-complain aa-enforce aa-notify
+ aa-decode aa-exec aa-remove-unknown
+
Profiles
@@ -64,48 +64,48 @@
apparmor_parser;
- Usage: apparmor_parser [options] [profile] - - Options: - -------- - -a, --add Add apparmor definitions [default] - -r, --replace Replace apparmor definitions - -R, --remove Remove apparmor definitions - -C, --Complain Force the profile into complain mode - -B, --binary Input is precompiled profile - -N, --names Dump names of profiles in input. - -S, --stdout Dump compiled profile to stdout - -o n, --ofile n Write output to file n - -b n, --base n Set base dir and cwd - -I n, --Include n Add n to the search path - -f n, --subdomainfs n Set location of apparmor filesystem - -m n, --match-string n Use only features n - -M n, --features-file n Use only features in file n - -n n, --namespace n Set Namespace for the profile - -X, --readimpliesX Map profile read permissions to mr - -k, --show-cache Report cache hit/miss details - -K, --skip-cache Do not attempt to load or save cached profiles - -T, --skip-read-cache Do not attempt to load cached profiles - -W, --write-cache Save cached profile (force with -T) - --skip-bad-cache Don't clear cache if out of sync - --purge-cache Clear cache regardless of its state - --debug-cache Debug cache file checks - -L, --cache-loc n Set the location of the profile cache - -q, --quiet Don't emit warnings - -v, --verbose Show profile names as they load - -Q, --skip-kernel-load Do everything except loading into kernel - -V, --version Display version info and exit - -d [n], --debug Debug apparmor definitions OR [n] - -p, --preprocess Dump preprocessed profile - -D [n], --dump Dump internal info for debugging - -O [n], --Optimize Control dfa optimizations - -h [cmd], --help[=cmd] Display this text or info about cmd - -j n, --jobs n Set the number of compile threads - --max-jobs n Hard cap on --jobs. Default 8*cpus - --abort-on-error Abort processing of profiles on first error - --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel - --warn n Enable warnings (see --help=warn) -+ Usage: apparmor_parser [options] [profile] + + Options: + -------- + -a, --add Add apparmor definitions [default] + -r, --replace Replace apparmor definitions + -R, --remove Remove apparmor definitions + -C, --Complain Force the profile into complain mode + -B, --binary Input is precompiled profile + -N, --names Dump names of profiles in input. + -S, --stdout Dump compiled profile to stdout + -o n, --ofile n Write output to file n + -b n, --base n Set base dir and cwd + -I n, --Include n Add n to the search path + -f n, --subdomainfs n Set location of apparmor filesystem + -m n, --match-string n Use only features n + -M n, --features-file n Use only features in file n + -n n, --namespace n Set Namespace for the profile + -X, --readimpliesX Map profile read permissions to mr + -k, --show-cache Report cache hit/miss details + -K, --skip-cache Do not attempt to load or save cached profiles + -T, --skip-read-cache Do not attempt to load cached profiles + -W, --write-cache Save cached profile (force with -T) + --skip-bad-cache Don't clear cache if out of sync + --purge-cache Clear cache regardless of its state + --debug-cache Debug cache file checks + -L, --cache-loc n Set the location of the profile cache + -q, --quiet Don't emit warnings + -v, --verbose Show profile names as they load + -Q, --skip-kernel-load Do everything except loading into kernel + -V, --version Display version info and exit + -d [n], --debug Debug apparmor definitions OR [n] + -p, --preprocess Dump preprocessed profile + -D [n], --dump Dump internal info for debugging + -O [n], --Optimize Control dfa optimizations + -h [cmd], --help[=cmd] Display this text or info about cmd + -j n, --jobs n Set the number of compile threads + --max-jobs n Hard cap on --jobs. Default 8*cpus + --abort-on-error Abort processing of profiles on first error + --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel + --warn n Enable warnings (see --help=warn) +
Execute application with all common application options - and parts;
- -After initial automatic configuration enable profile in + and parts. After initial automatic configuration enable profile in complain mode. Use aa-logprof when rules need to be adapted.
- # aa-logprof + # aa-logprof -f /var/log/kernel
Once profile rules become well defined enable profile in @@ -137,6 +135,16 @@
Monitor logs with aa-notify;
++ # aa-notify --file=/var/log/kernel -u username -l ++ +
And keep adjusting the rules with logprof;
+ ++ # aa-logprof -f /var/log/kernel ++