Ubuntu - AppArmor - Create an AppArmor Profile

Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.

Some standard test cases are:

• Starting the program.
• Stopping the program.
• Reloading the program.
• Testing all the commands supported by the init script.

Use aa-genprof to generate a new profile.

sudo aa-genprof executable

For example:

sudo aa-genprof slapd

To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

• Include your test plan and test cases.
• Attach your new profile to the bug.

AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile replacing the “/” with “.”. For example /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.

There are two main type of rules used in profiles:

• Path entries: which detail which files an application can access in the file system.
• Capability entries: determine what privileges a confined process is allowed to use.

As an example take a look at /etc/apparmor.d/bin.ping:

/etc/apparmor.d/bin.ping

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
 
  capability net_raw,
  capability setuid,
  network inet raw,
 
  /bin/ping mixr,
  /etc/modules.conf r,
}

• #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.

• /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.

• capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability.

• /bin/ping mixr,: allows the application read and execute access to the file.