Support for user policy has not landed in apparmor yet; it is still under development.
At this moment you are unfortunately stuck with using the current pam_apparmor, which can be used to confine a given user with custom system profiles, but is more difficult to use than it should be.

https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor

As for user defined policy in ~/:

The loading of user policy from the apparmor dir in ~/ will require a few things to be set up in addition to the user providing profiles in the ~/ apparmor dir (notice I didn't specify the name, as its actual name is not finalized and could be .config/apparmor.d/ or something similar).

In addition to the policy bits, a new version of pam_apparmor will be required that will do the actual setup of the user policy namespace and loading of the user's policy. The pam_apparmor config will also have to be set up to enable particular users to load policy.

A new kernel will be required and will have to be configured and sysctls set to allow users loading of policy (this is a safeguard to disable it in one place if a vulnerability is discovered).

Before user defined policy lands, system policy that can be attached based on the userid/name will land, making it easier for system policy to be unique to given users. This might be sufficient for your needs.

On 1/8/22 9:51 AM, John Beattie wrote:
> Hi,
>
> Thanks for apparmor, it is very useful.
>
> I get two behaviours which encourage me to try to make a specialised profile for
> open office, first that I get ALLOWED warnings in logwatch and second, open
> office doesn't start properly. I think that the splash window doesn't finish
> properly. This isn't a blocker. If I switch to the document window, everything
> is fine.
>
> I have a slightly customised version of usr.lib.libreoffice.program.oosplash and
> usr.lib.libreoffice.program.soffice.bin which I have placed at ~/.apparmor.d/.
> They do work, if I load them with apparmor_parser. They work in the sense that
> neither of the above behaviours is seen.
>
> After a reboot, I saw that apparmor wasn't using my profiles, so I thought of
> clearing the apparmor cache, so I ran these commands
>
> # aa-teardown
> # service apparmor stop
> # rm /var/cache/apparmor.d/nnnnn/*   # nnnn names the actual cache, I guess
> # service apparmor start
>
> However, my user profile was still not used for open office, I get the ALLOWED
> warnings in kern.log.
>
> My usecase is that I would like a specialised version of a system profile to be
> used for open office when open office is used by me.
>
> I've looked in the wiki but so far all I have found is the policy layout page
>
> https://gitlab.com/apparmor/apparmor/-/wikis/Policy_Layout
>
> and it tells me that ${APPARMOR.D} is used to refer both to the directory in ~
> and the one in /etc but without distinguishing them.
>
> Please would someone point me at the documentation which describes the loading
> sequence relevant to my usecase?
>
> Many thanks,
> John Beattie

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
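As an added example, not from either message in this thread: a read-only POSIX sh check of which profiles the kernel actually has loaded and which label confines a given process, the two facts the original post was missing when the customised profiles in ~/.apparmor.d were silently ignored. The listing in SAMPLE_PROFILES is a constructed stand-in for the real content of /sys/kernel/security/apparmor/profiles, and the LibreOffice profile names in it are illustrative, not the distribution's real profile names.

```shell
#!/bin/sh
# Added example: inspect loaded AppArmor policy and process confinement.
# Nothing here changes policy; it only reads securityfs and procfs.

APPARMOR_PROFILES_FILE=/sys/kernel/security/apparmor/profiles

# Constructed sample of the securityfs listing, one "name (mode)" per line.
SAMPLE_PROFILES='/usr/lib/libreoffice/program/oosplash (enforce)
/usr/lib/libreoffice/program/soffice.bin (complain)
/usr/sbin/cupsd (enforce)'

# profile_mode NAME [LISTING]
# Prints the mode of a loaded profile (enforce, complain, ...) and returns 0,
# or returns 1 if no profile of that name is loaded. Without LISTING the
# live securityfs file is read. Profile names may contain spaces, so the
# line is matched on its trailing " (mode)" rather than split on whitespace.
profile_mode() {
    name=$1
    listing=${2:-$(cat "$APPARMOR_PROFILES_FILE" 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v want="$name" '
        match($0, / \([a-z_]+\)$/) {
            n = substr($0, 1, RSTART - 1)
            m = substr($0, RSTART + 2, RLENGTH - 3)
            if (n == want) { print m; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# process_profile PID
# Prints the confinement label of PID, e.g.
# "/usr/lib/libreoffice/program/soffice.bin (enforce)" or "unconfined".
# Newer kernels expose /proc/PID/attr/apparmor/current; older ones only
# /proc/PID/attr/current. Returns 1 if neither is readable.
process_profile() {
    pid=$1
    for f in /proc/"$pid"/attr/apparmor/current /proc/"$pid"/attr/current; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Live usage (run as root for the securityfs listing):
#   profile_mode /usr/lib/libreoffice/program/soffice.bin
#   process_profile "$(pidof soffice.bin | cut -d' ' -f1)"
```

If profile_mode reports the name is not loaded at all, the kernel never received the customised profile; only what apparmor_parser feeds it counts, regardless of what is sitting in ~/.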
