It always succeeds because your R profile is in complain mode -- under the assumption that you're building profiles using the tools that will then create the profiles as necessary.
Remove the complain flag and re-run the tests and you'll see that only allowed profile changes actually succeed and the log entries will change from ALLOWED to DENIED. Since this one was allowed rather than not logged at all, it still isn't right; what does that string in the "target=" decode to?

-----Original Message-----
From: Jeroen Ooms <[email protected]>
Sender: [email protected]
Date: Thu, 26 Apr 2012 09:52:32
To: <[email protected]>
Subject: [apparmor] debugging aa_change_profile

I wrote a wrapper to aa_change_profile for R. I got it to work to the point where it returns 0 and when I call it a line appears in /var/log/kern.log like this:

    Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901

However, the permissions do not actually seem to change. I don't think it has actually applied a new profile. Also I noted that regardless of what profile name I pass as the argument, it always succeeds, even when there is no such profile.

The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I am trying to switch to 'testprofile' and read /etc/passwd.

    #include <tunables/global>

    /usr/bin/R flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/nameservice>

      capability kill,
      capability net_bind_service,
      capability setgid,
      capability setuid,
      capability sys_tty_config,

      / rw,
      /** mrwlkix,

      profile testprofile {
        #include <abstractions/base>
        #include <abstractions/nameservice>

        deny /boot/** rwx,
        deny /etc/passwd rwx,

        capability kill,
        capability net_bind_service,
        capability setgid,
        capability setuid,
        capability sys_tty_config,

        / rw,
        /** mrwlkix,
      }
    }

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
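As an added example (not from the thread or from the AppArmor project), a small Python triage script that performs the two checks the reply asks for on the quoted kern.log line: whether the verdict is ALLOWED (the source profile is in complain mode, so nothing was enforced) and what the bare hex in the target= field decodes to. The second, DENIED line in the sample is constructed for contrast; the set of hex-encodable string fields is an assumption based on the kernel audit format.

```python
import re

# Constructed sample input: the kern.log line quoted in the thread, plus a
# hypothetical DENIED line of the same shape (not from the thread) for contrast.
SAMPLE_LOG = """\
Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839 comm="R" target=303B9901
Apr 26 09:50:01 jeroen-ubuntu kernel: [51650.123456] type=1400 audit(1335459001.123:92): apparmor="DENIED" operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25900 comm="R" target="testprofile"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')
# Fields the kernel hex-encodes when the value holds bytes it will not print
# literally (control characters, quotes, spaces); numeric fields stay decimal.
STRING_FIELDS = {'profile', 'target', 'name', 'comm', 'info'}  # assumed set

def decode_field(key, raw):
    """Quoted value -> str; bare hex in a string field -> the raw bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw)
    return raw

def parse_line(line):
    """Return {field: value} for one AppArmor kernel audit line, else None."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): decode_field(m.group(1), m.group(2))
            for m in FIELD_RE.finditer(line)}

def triage_change_profile(line):
    """Flag an ALLOWED verdict (complain mode: the transition was only logged)
    and a target that is not a printable profile name (the wrapper handed the
    kernel something other than the intended NUL-terminated name string)."""
    ev = parse_line(line)
    if not ev or ev.get('operation') != 'change_profile':
        return None
    target, garbled = ev.get('target', ''), False
    if isinstance(target, bytes):
        try:
            target = target.decode('utf-8')
        except UnicodeDecodeError:
            garbled, target = True, repr(target)   # e.g. b'0;\x99\x01'
    return {
        'verdict': ev.get('apparmor'),
        'target': target,
        'complain_mode': ev.get('apparmor') == 'ALLOWED',
        'garbled_target': garbled or not target.isprintable(),
    }
```

Run `triage_change_profile` over each line of `SAMPLE_LOG`: the quoted line decodes target=303B9901 to the bytes 30 3B 99 01, which is not a valid profile name, and its ALLOWED verdict confirms the complain-mode behaviour the reply describes.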
