Skip to main content
Topic: Apparmor profile generation, aa-genprof (Read 669 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Apparmor profile generation, aa-genprof

Hi all. Installed apparmor and works as expected. But what i would wanna know as detailed as possible is how to generate a profile since programs are changing therefor apparmor profiles may need updates or rethinking.

Installed audit-runit, enabled from grub 'audit=1' but when tried aa-genprof /usr/bin/mpv it asks for a syslog file. Created that file but aa-genprof does not log anything in that sylog file so i can't create any rules for mpv as example.

Is apparmor so systemd dependent to the point we can't use aa-genprof or what's the trick?. Looked in extra-profiles but there's no mpv profile and all what i found looks obsolete.

Re: Apparmor profile generation, aa-genprof

Reply #1
Quote from: Surf3r – on
Hi all. Installed apparmor and works as expected. But what i would wanna know as detailed as possible is how to generate a profile since programs are changing therefor apparmor profiles may need updates or rethinking.

Installed audit-runit, enabled from grub 'audit=1' but when tried aa-genprof /usr/bin/mpv it asks for a syslog file. Created that file but aa-genprof does not log anything in that sylog file so i can't create any rules for mpv as example.

Is apparmor so systemd dependent to the point we can't use aa-genprof or what's the trick?. Looked in extra-profiles but there's no mpv profile and all what i found looks obsolete.


I took a look at apparmor source code, and found this:
Code: [Select]
./profiles/apparmor.d/abstractions/base:  @{run}/systemd/journal/dev-log w,

My guess is that apparmor calls systemd specific commands for syslog.
 

Re: Apparmor profile generation, aa-genprof

Reply #2
Tnx so it might mean generating a profile can be much more challenging than on soystemd distros