====== Ubuntu - AppArmor - Create an AppArmor Profile ======
===== Design a test plan =====
Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.
Some standard test cases are:
* Starting the program.
* Stopping the program.
* Reloading the program.
* Testing all the commands supported by the init script.
----
===== Generate the new profile =====
Use **aa-genprof** to generate a new profile:
<code>
sudo aa-genprof executable
</code>
For example:
<code>
sudo aa-genprof slapd
</code>
To get your new profile included in the **apparmor-profiles** package, file a bug in Launchpad against the [[https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug|AppArmor]] package:
* Include your test plan and test cases.
* Attach your new profile to the bug.
----
===== Profiles =====
AppArmor profiles are plain text files located in **/etc/apparmor.d/**. Each file is named after the full path of the executable it profiles, with every "/" replaced by ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
There are two main types of rules used in profiles:
* **Path entries**: detail which files in the file system an application can access, and with which permissions.
* **Capability entries**: determine which privileges a confined process is allowed to use.
As an example take a look at /etc/apparmor.d/bin.ping:
<code>
#include
/bin/ping flags=(complain) {
  #include
  #include
  #include

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
</code>
* #include: pulls in statements from another file, so that rules shared by many applications can be kept in one common file.
* /bin/ping flags=(complain): the path of the profiled program; the flag also puts the profile into complain mode.
* capability net_raw,: allows the application to use the CAP_NET_RAW POSIX.1e capability.
* /bin/ping mixr,: allows the application read and execute access to the file.
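As an added example that is not part of the Ubuntu documentation, the shell helpers below implement the naming convention above (executable path to profile file), write a minimal complain-mode profile skeleton for aa-genprof or aa-logprof to grow, and check a profile for unbalanced braces and rule lines missing their trailing comma before it is handed to apparmor_parser. The function names and the comma check are my own assumptions, not part of AppArmor's tooling.

```shell
#!/bin/sh
# Added example (assumed helper names, not AppArmor's own tools).

# Map an executable path to its profile file under /etc/apparmor.d/:
# drop the leading "/" and replace each remaining "/" with ".".
profile_file_for() {
    rel=${1#/}                                   # /bin/ping -> bin/ping
    echo "/etc/apparmor.d/$(printf '%s' "$rel" | tr '/' '.')"
}

# Emit a minimal complain-mode profile for a binary: the global tunables,
# the base abstraction and read/mmap access to the binary itself. Complain
# mode only logs denials, so the program keeps working while the profile
# is refined from the audit log.
render_profile() {
    bin=$1
    printf '#include <tunables/global>\n'
    printf '%s flags=(complain) {\n' "$bin"
    printf '  #include <abstractions/base>\n'
    printf '\n  %s mr,\n' "$bin"
    printf '}\n'
}

# Sanity-check a profile file: braces must balance and every rule line
# inside the braces must end with a comma (a common hand-editing slip).
# Comment and #include lines are skipped. Returns 0 when the file is clean.
check_profile() {
    awk '
        /^[ \t]*(#|$)/        { next }          # comments, includes, blanks
        /\{[ \t]*$/           { depth++; next } # profile or hat opens
        /^[ \t]*\}/           { depth--; next } # block closes
        depth > 0 && !/,[ \t]*$/ { bad++ }      # rule without trailing comma
        END { exit (depth != 0 || bad > 0) }
    ' "$1"
}
```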