On 11/15/23 06:24, David Pilnik wrote:
> Hi,
> I’m doing some research to see if AppArmor matches some use cases of some
> processes.
> And after running with complain mode, I see in aa-status the prints below which
> contain “/null-/”, is this some kind of error?

It is not. Though currently it is not as flexible as we would like it to be.

> I didn’t manage to find some documentation about it, can you help?

Surprisingly, for something that has been around for as long as I can remember
(aka it predates me), there is minimal documentation, so I have started
https://gitlab.com/apparmor/apparmor/-/wikis/Complain-Mode
It is very much a WIP. Feel free to ask for clarifications; it will help guide
where the document needs improvement.
In addition, there are some existing links that at least make a mention of it
in passing.
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorProfileSpec#special-prefixes
https://gitlab.com/apparmor/apparmor/-/wikis/Kernel_Feature_Matrix
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.4
https://gitlab.com/apparmor/apparmor/-/wikis/manpage_aa-remove-unknown.8
https://gitlab.com/apparmor/apparmor/-/wikis/manpage_aa-logprof.8

> aa-status example:
> 22 profiles are in complain mode.
> /usr/bin/<my process> //null-/usr/bin/basename
> /usr/bin//<my process> //null-/usr/bin/dash
> /usr/bin//<my process> //null-/usr/bin/dash//null-/usr/bin/sed
> /usr/bin//<my process> //null-/usr/bin/mv
> Thanks
> David