If it is helpful, here are some instructions to reproduce the problem. I am using Ubuntu 11.10.
# one time install:
sudo apt-get install r-base libapparmor-dev
wget http://www.stat.ucla.edu/~jeroen/files/rApparmor_0.1.tar.gz
sudo R CMD INSTALL rApparmor_0.1.tar.gz

# start R:
R

# enter these commands in the R console:
library(rApparmor)
aa_change_profile("testprofile")

On Thu, Apr 26, 2012 at 10:32 AM, John Johansen <[email protected]> wrote:
> On 04/26/2012 09:52 AM, Jeroen Ooms wrote:
>> I wrote a wrapper to aa_change_profile for R. I got it to work to the
>> point where it returns 0 and when I call it a line appears in
>> /var/log/kern.log like this:
>>
>> Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400
>> audit(1335458735.939:91): apparmor="ALLOWED"
>> operation="change_profile" parent=25782 profile="/usr/bin/R" pid=25839
>> comm="R" target=303B9901
>>
> oh that looks like a bug :(
>
> I used aa-decode on target=303B9901
> and got back
> Decoded: 0;�
>
>> However, the permissions do not actually seem to change. I don't think
>> it has actually applied a new profile. Also I noted that regardless of
>> what profile name I pass as the argument, it always succeeds, even
>> when there is no such profile.
>>
> as seth said complain mode always succeeds, and audit/complain about things
> that would not normally be allowed
>
> I can test what profile a task is currently confined by, by looking in
> /proc/<pid>/attr/current
>
> where <pid> is the pid of the task you want to introspect
>
> If you are using apparmor 2.7/2.8 you can use the libapparmor routines
> aa_getcon or aa_gettaskcon to do the introspection
>
> however if your profile is in enforcing it will need to list permission
> to the interface
>
> apparmor 2.8 also has the aa-exec utility that allows you to use/play with
> change_profile and change_onexec from the command line
>
>> The contents of /etc/apparmor.d/usr.bin.r are pasted below. To test I
>> am trying to switch to 'testprofile' and read /etc/passwd.
>>
>>
>> #include <tunables/global>
>>
>> /usr/bin/R flags=(complain) {
>>   #include <abstractions/base>
>>   #include <abstractions/nameservice>
>>
>>   capability kill,
>>   capability net_bind_service,
>>   capability setgid,
>>   capability setuid,
>>   capability sys_tty_config,
>>
>>   / rw,
>>   /** mrwlkix,
>>
>>   profile testprofile {
>>
>>     #include <abstractions/base>
>>     #include <abstractions/nameservice>
>>
>>     deny /boot/** rwx,
>>     deny /etc/passwd rwx,
>>
>>     capability kill,
>>     capability net_bind_service,
>>     capability setgid,
>>     capability setuid,
>>     capability sys_tty_config,
>>
>>     / rw,
>>     /** mrwlkix,
>>   }
>> }
>>
>

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
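An added check, not part of the thread or of the rApparmor package, that implements John's /proc/<pid>/attr/current suggestion as a shell script: rather than trusting the return value of aa_change_profile (which always succeeds in complain mode), it parses the task's actual label and compares it with the profile you expected to switch into. The function names are mine; it assumes the label format "profile (mode)", with child profiles such as testprofile appearing as "parent//child".

```sh
#!/bin/sh
# Added example, not code from the thread or the rApparmor package.
# Instead of trusting aa_change_profile()'s return value (which always
# succeeds in complain mode), read /proc/<pid>/attr/current and compare
# the task's actual label with the profile you expected to switch into.
# Assumed format (not stated in the thread): "label (mode)", e.g.
# "/usr/bin/R//testprofile (complain)", with "unconfined" carrying no mode.

# Populate AA_LABEL and AA_MODE from one attr/current line.
aa_parse_current() {
    line=$(printf '%s' "$1" | tr -d '\n')
    case "$line" in
        *" ("*")")
            AA_LABEL=${line% (*}
            AA_MODE=${line##* (}
            AA_MODE=${AA_MODE%)}
            ;;
        *)
            AA_LABEL=$line
            AA_MODE=""
            ;;
    esac
}

# Return 0 if the label in "$2" names the profile "$1": either the full
# label, or its last "//" component (assumption: child profiles such as
# testprofile show up as parent//child).
aa_label_is() {
    aa_parse_current "$2"
    [ "$AA_LABEL" = "$1" ] || [ "${AA_LABEL##*//}" = "$1" ]
}

# Live check of a task (pid defaults to "self"). Under an enforcing
# profile the reader needs read access to /proc/<pid>/attr/current.
# Exit status: 0 confined as expected, 1 not, 2 could not read.
aa_check_task() {
    pid=${2:-self}
    cur=$(cat "/proc/$pid/attr/current" 2>/dev/null) || return 2
    if aa_label_is "$1" "$cur"; then
        printf 'pid %s: confined by %s (%s)\n' "$pid" "$AA_LABEL" "${AA_MODE:-no mode}"
        return 0
    fi
    printf 'pid %s: NOT confined by %s, current label is %s (%s)\n' \
        "$pid" "$1" "$AA_LABEL" "${AA_MODE:-no mode}"
    return 1
}

# Usage after the R session has called aa_change_profile("testprofile"):
#   aa_check_task testprofile "$(pgrep -n R)"
```

Run it from a second terminal against the R process's pid; a label of "/usr/bin/R (complain)" after the call means the change_profile did not take effect, whatever the wrapper returned.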
