On Thu, Sep 22, 2022 at 07:16:32PM -0400, Murali Selvaraj wrote:
> -> How do we approach preparing an AppArmor profile for a shell script, as
> this is the first time I am doing this?
> -> Our embedded device is a legacy one, and many scripts internally invoke a
> few other scripts based on different scenarios.
> -> In such cases, do we have any suggestion for generating an AppArmor profile
> for a shell script, or any example in our earlier forum queries? (If possible,
> please share it here, as I could not find it.)

What will execute your shell script? Is it already confined? How you start
to write the profile depends upon how the script is executed.

The easiest is to use complain mode and the interactive tools to get most
of the way there. This can work great if the script is launched via a
systemd service, or by a daemon that accepts on-demand commands to run
it, etc. If it's run via sysv-init or other unusual process supervisor
system it might be a challenge to get the execution environment close
to production use.

If it's run by a systemd service, something like the following might work:

in one terminal:
sudo aa-genprof /path/to/shell/script.sh

in another terminal:
sudo systemctl start servicename
sudo systemctl stop servicename

return to the first terminal and answer the questions.

Then repeat the start process, interact with whatever service it provides
a little bit, then stop it again, and then answer more genprof questions.

Hopefully you can iterate to something that's pretty close to final
quality this way.

If your script isn't started via a 'clean' process supervisor like
systemd, you may need to write a complain mode profile by hand, reboot,
use aa-logprof to get questions / answers; and repeat via repeated
reboots.

I hope this helps.

Thanks

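For the hand-written complain-mode starting point mentioned above, here is an added example of what such a profile can look like for a script that calls helper scripts (this is not from the thread or from the AppArmor project; the script, helper, config and log paths are hypothetical placeholders):

```apparmor
# Added example: complain-mode starting profile for a shell script that
# invokes helper scripts. All paths are hypothetical; replace them with
# the device's real paths. Save as /etc/apparmor.d/path.to.shell.script.sh
# and load it with: apparmor_parser -r /etc/apparmor.d/path.to.shell.script.sh

# 'abi' is AppArmor 3.x syntax; remove this line on AppArmor 2.x.
abi <abi/3.0>,
#include <tunables/global>

# complain: every unmatched access is logged as ALLOWED instead of denied,
# so the script keeps working while aa-logprof turns the log into questions.
/path/to/shell/script.sh flags=(complain) {
  #include <abstractions/base>

  # The script must be readable by the interpreter that the kernel starts.
  /path/to/shell/script.sh r,

  # Interpreter and the utilities the script shells out to. 'ix' runs them
  # inside this same profile (inherit), so their accesses are logged here too.
  /{usr/,}bin/{sh,dash,bash} ix,
  /{usr/,}bin/{cat,grep,sed,awk,cut,sleep,mkdir,rm} ix,

  # Helper scripts called from this script. Keep them on 'ix' while learning;
  # switch a helper to 'Px' once it has a profile of its own, so it is
  # confined separately rather than inheriting everything granted here.
  /path/to/shell/helpers/*.sh ix,

  # Initial guesses at the files the script touches. Anything missing shows up
  # in the audit log during the complain-mode runs and gets added via aa-logprof.
  /etc/myapp/** r,
  owner /var/log/myapp/*.log w,
  owner /run/myapp/ rw,
  owner /run/myapp/** rw,
}
```

After each reboot or service run, `sudo aa-logprof` reads the logged ALLOWED events for this profile and offers them as rules to add; once the questions stop appearing, change `flags=(complain)` to enforce mode (or run `aa-enforce` on the profile) and reload it.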