Thanks Seth

On Thu, Sep 22, 2022, 8:21 PM Seth Arnold <[email protected]> wrote:
> On Thu, Sep 22, 2022 at 07:16:32PM -0400, Murali Selvaraj wrote:
> > -> How do we approach preparing an Apparmor profile for a shell script, as
> > this is the first time I am doing this.
> > -> As our embedded device is legacy-like, many scripts internally invoke a
> > few other scripts based on the different scenarios.
> > -> In such cases, do we have any suggestion to generate an Apparmor profile
> > for a shell script, or any example in our earlier forum queries? (If possible,
> > please share here, as I could not find it.)
>
> What will execute your shell script? Is it already confined? How you start
> to write the profile depends upon how the script is executed.
>
> The easiest is to use complain mode and the interactive tools to get most
> of the way there. This can work great if the script is launched via a
> systemd service, or by a daemon that accepts on-demand commands to run
> it, etc. If it's run via sysv-init or another unusual process supervisor
> system, it might be a challenge to get the execution environment close
> to production use.
>
> If it's run by a systemd service, something like the following might work:
>
> in one terminal:
> sudo aa-genprof /path/to/shell/script.sh
>
> in another terminal:
> sudo systemctl start servicename
> sudo systemctl stop servicename
>
> return to the first terminal and answer the questions.
>
> Then repeat the start process, interact with whatever service it provides
> a little bit, then stop it again, and then answer more genprof questions.
>
> Hopefully you can iterate to something that's pretty close to final
> quality this way.
>
> If your script isn't started via a 'clean' process supervisor like
> systemd, you may need to write a complain-mode profile by hand, reboot,
> use aa-logprof to get questions / answers, and repeat via repeated
> reboots.
>
> I hope this helps.
>
> Thanks
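A starting point for the "write a complain-mode profile by hand, then iterate with aa-logprof" route Seth describes, for the case in the question where the wrapper script calls other scripts. This is an added example, not code from the thread or from the AppArmor project; the script path /usr/local/bin/backup.sh, the helper paths under /usr/local/lib/, and the service name are assumptions made here for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Generates a starter complain-mode
# AppArmor profile for a shell script that calls other scripts, then shows
# the load / exercise / aa-logprof loop. Script paths, helper paths and the
# service name are assumptions for illustration.

# gen_profile SCRIPT "HELPER1 HELPER2 ..." -> profile text on stdout.
# Nested helpers get "rix" (read + inherit this profile) so one profile
# covers the whole call tree while we are still learning what it needs;
# anything not listed is logged as ALLOWED in complain mode rather than
# denied, and aa-logprof will later ask what rule to write for it.
gen_profile() {
  script="$1"
  helpers="$2"
  name=$(basename "$script")
  cat <<EOF
#include <tunables/global>

# flags=(complain): violations are audited, not enforced.
profile $name $script flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/bash>

  # The script itself and the interpreters it may be run with.
  $script r,
  /bin/sh ix,
  /bin/dash ix,
  /bin/bash ix,

  # Helper scripts the wrapper is known to call, run under this profile.
EOF
  for h in $helpers; do
    printf '  %s rix,\n' "$h"
  done
  printf '}\n'
}

# profile_path SCRIPT -> conventional file name under /etc/apparmor.d,
# e.g. /usr/local/bin/backup.sh -> /etc/apparmor.d/usr.local.bin.backup.sh
profile_path() {
  printf '/etc/apparmor.d/%s\n' "$(printf '%s' "$1" | sed 's|^/||; s|/|.|g')"
}

# iterate SCRIPT "HELPERS" SERVICE: install the profile, load it in complain
# mode, exercise the service, then let aa-logprof turn the audit log into
# rules. Needs root and an AppArmor-enabled kernel; repeat until aa-logprof
# has nothing left to ask, then switch to enforce mode with aa-enforce.
iterate() {
  file=$(profile_path "$1")
  gen_profile "$1" "$2" > "$file"
  apparmor_parser -r "$file"
  systemctl restart "$3"
  aa-logprof
}

# Stand-alone use: print the starter profile for the given script/helpers,
# e.g. ./mkprofile.sh /usr/local/bin/backup.sh "/usr/local/lib/rotate.sh"
if [ "$#" -ge 1 ]; then
  gen_profile "$1" "${2:-}"
fi
```

Two things worth knowing before the first reboot: the profile attaches by the path of the file that is exec'd, so it only applies when the wrapper is started as /usr/local/bin/backup.sh (directly, or via its systemd unit), not when something runs `sh /usr/local/bin/backup.sh`, in which case the exec'd program is the shell and the profile never attaches. And `rix` for the helpers is only the simplest first cut: once aa-logprof shows a helper needs privileges the wrapper should not have, change its rule to `Px` (run under that helper's own profile) or `Cx` (a child profile nested inside this one) so the wrapper's profile stays tight.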
