Hi,
We have successfully confined init according to the documentation on this page: https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy, and verified that it is working with the help of ps -auxZ. Currently, we are trying to confine system daemons/services. But sometimes the confinement doesn't work. For example, the daemon colord-sane has the following profile:

    profile init-systemd /lib/systemd/** flags=(complain) {
      ...
      /usr/bin/colord/** cx -> colord_profile,
      profile colord_profile flags=(complain) {
        ...
        ...
      }
      ...
    }

However, the dmesg audit logs show the profile name for colord-sane as:

    'init-systemd//colord_profile//null-/usr/lib/colord/colord-sane'

(sample logs are attached for reference). We don't understand where the suffix 'null-/usr/lib/colord/colord-sane' originates from, since we have specified an explicit 'cx' transition for all files within /usr/bin/colord/. Due to this problem, we are unable to confine colord and a bunch of other processes. Kindly let us know if there's any reason for this.

Thank you.
[ 1.911516] audit: type=1400 audit(1566287375.384:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=350 comm="apparmor_parser"
[ 1.912198] audit: type=1400 audit(1566287375.384:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd//colord_profile" pid=350 comm="apparmor_parser"
[ 16.270745] audit: type=1400 audit(1566287389.756:44576): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/usr/lib/x86_64-linux-gnu/sane/libsane-epjitsu.so.1.0.27" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.270751] audit: type=1400 audit(1566287389.756:44577): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/usr/lib/x86_64-linux-gnu/sane/libsane-epjitsu.so.1.0.27" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.272755] audit: type=1400 audit(1566287389.756:44578): apparmor="ALLOWED" operation="file_mmap" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/usr/lib/x86_64-linux-gnu/sane/libsane-epjitsu.so.1.0.27" pid=2249 comm="colord-sane" requested_mask="rm" denied_mask="rm" fsuid=117 ouid=0
[ 16.282399] audit: type=1400 audit(1566287389.764:44579): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/dev/bus/usb/" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282448] audit: type=1400 audit(1566287389.764:44580): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/sys/bus/" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282495] audit: type=1400 audit(1566287389.764:44581): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/sys/bus/usb/devices/" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282589] audit: type=1400 audit(1566287389.764:44582): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/sys/devices/pci0000:00/0000:00:06.0/usb2/2-1/uevent" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282650] audit: type=1400 audit(1566287389.764:44583): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/run/udev/data/c189:129" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282761] audit: type=1400 audit(1566287389.764:44584): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/sys/devices/pci0000:00/0000:00:0b.0/usb1/uevent" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282800] audit: type=1400 audit(1566287389.764:44585): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/run/udev/data/c189:0" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
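Added example, not part of the thread above and not AppArmor project code: a small Python script that parses audit lines of the kind quoted in the post, picks out the `//null-` learning profiles (AppArmor names these `<parent>//null-<executable>` when a complain-mode profile executes a binary that no exec rule in that profile matches), and checks the executed path against a list of exec-rule globs taken from a profile. The sample log lines are constructed, modelled on the dmesg output in the thread; the glob translator handles only `**`, `*` and `?` (assumption: no `{a,b}` alternation or character classes in the rules being checked).

```python
"""Parse AppArmor audit lines, spot 'null-' learning profiles, and check the
executed binary against a profile's exec-rule globs."""
import re

# Constructed sample lines modelled on the dmesg output quoted in the thread.
SAMPLE_LOG = """\
[ 1.911516] audit: type=1400 audit(1566287375.384:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=350 comm="apparmor_parser"
[ 16.270745] audit: type=1400 audit(1566287389.756:44576): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/usr/lib/x86_64-linux-gnu/sane/libsane-epjitsu.so.1.0.27" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 16.282399] audit: type=1400 audit(1566287389.764:44579): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/dev/bus/usb/" pid=2249 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
"""

# key="value" pairs as they appear in type=1400 audit records
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def split_null_profile(profile):
    """For 'parent//null-/path/to/bin' return (parent, '/path/to/bin');
    for any other profile name return (profile, None)."""
    marker = "//null-"
    idx = profile.find(marker)
    if idx < 0:
        return profile, None
    return profile[:idx], profile[idx + len(marker):]


def apparmor_glob_to_regex(glob):
    """Translate the common subset of AppArmor path globs to an anchored regex:
    '**' may cross '/', while '*' and '?' may not. Alternation {a,b} and
    character classes are not handled (assumption stated in the lead-in)."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def find_unmatched_execs(log_text, exec_rules):
    """Scan audit lines for null- learning profiles and, for each executed
    binary seen, report its parent profile and the first exec-rule glob that
    matches it (None if no rule matches).
    Returns {binary_path: (parent_profile, matched_glob_or_None)}."""
    compiled = [(g, apparmor_glob_to_regex(g)) for g in exec_rules]
    result = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        parent, binary = split_null_profile(fields.get("profile", ""))
        if binary is None or binary in result:
            continue
        match = next((g for g, rx in compiled if rx.match(binary)), None)
        result[binary] = (parent, match)
    return result


if __name__ == "__main__":
    # Check the executed binaries against the cx rule quoted in the thread.
    for binary, (parent, rule) in find_unmatched_execs(
            SAMPLE_LOG, ["/usr/bin/colord/**"]).items():
        status = f"matched by {rule}" if rule else "matched by no exec rule"
        print(f"{parent} exec'd {binary}: {status}")
```

Run it against `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` and pass the exec-rule paths from the profile under test; any binary reported with no matching rule is one the profile will keep running under a null- learning profile in complain mode.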
