Thanks John/Seth for the explanation. We have observed that a few configuration files are present in /tmp which are needed for certain processes. For example, a few of the files are hidden files located in /tmp/.

In that case, shall we add the below entry

/tmp/** rw,

or do we need to add file-specific entries as below?

/tmp/file.txt r,
/tmp/.init_complete rw,

Which would be the best way, both for security concerns and for embedded devices? Please advise.

Thanks
Murali.S

On Mon, Apr 5, 2021 at 1:09 AM Murali Selvaraj <[email protected]> wrote:
>
> Hi John/Seth,
>
> Thanks John/Seth for your detailed information.
>
> Can you please clarify the below queries.
>
> Query 1:
>
> -> From aa-logprof, we are able to generate an apparmor profile
> for the required process. In order to confirm the profile (theoretically),
> if we compare cat /proc/<pid>/maps | grep -i lib, will this output
> be sufficient, or is there any possibility that the libraries may
> not be in this entry cat /proc/<pid>/maps?
>
> -> Like a library, do we have any other way to find the list of
> configuration and temporary files used by a process, using
> simple tools or /proc entries like the above? This is just
> to confirm our profile.
>
> Query 2:
>
> -> For example, one of my processes is running as a "non-root" owner which
> has read/write access to /proc/<test>/<test_2>/.
> While generating the profile for this process, do I need to add this
> entry /proc/<test>/<test_2>/* rw, or, without adding this entry,
> will it be able to do read/write operations on /proc/<test>/<test_2>/?
>
> Query 3:
>
> Can you please explain the difference between the below entries in the
> apparmor profile?
>
> /tmp/lock_file rw,
> /tmp/lock_file rwc,
>
> /tmp/test.css ww,
> /tmp/test.css w
>
> /tmp/initialized rww,
> /tmp/initialized rw,
>
> /tmp/driver krw,
> /tmp/driver rw,
>
>
> Query 4:
>
> By default, while the device boots, apparmor profiles are loaded into the kernel
> and the corresponding process reads from the profile during process
> execution.
> -> As per our code, the process is killed/crashes for an unknown reason; we
> have a mechanism to restart it by itself.
> In that case, during the process restart, will it start as per the
> profile or without the profile?
>
>
> Query 5:
>
> I would like to understand the reason for the below DENIED logs; what does
> it really expect?
> Do I need to add an entry like /tmp/test c or /tmp/test rw or
> /tmp/test rwk? Please share the difference for each mentioned
> possibility.
>
> 2021 Apr 04 17:35:05 admin kernel: audit: type=1400
> audit(1617557705.711:207): apparmor="DENIED" operation="mknod"
> profile="example" name="/tmp/test" pid=11410 comm="application"
> requested_mask="c" denied_mask="c" fsuid=0 ouid=0
>
> What is this log really expecting?
>
> Thanks
> Murali.S

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
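The two open questions in this thread (the broad `/tmp/** rw,` rule versus file-specific rules, and what the `mknod` DENIED line with `denied_mask="c"` is asking for) can be worked through with a small triage script. The following is an added example, not code from the thread or from the AppArmor project: it parses kernel audit `apparmor="DENIED"` lines, merges the denied masks per profile and path, checks which of those permissions an existing rule set already grants, and prints candidate rule lines for what is still missing. The log lines other than the one quoted in the thread are constructed. Two assumptions are labelled in the code: the glob converter implements only `**`, `*`, `?` and `{a,b}`, and the `c` (create) and `d` (delete) mask letters are folded into `w`, since file rules have no separate create permission (this matches what aa-logprof does to the best of my knowledge).

```python
import re

# Constructed sample: the DENIED line quoted in the thread plus three
# invented companions (hypothetical paths, same pid) so that merging has
# something to do.
SAMPLE_LOG = """\
2021 Apr 04 17:35:05 admin kernel: audit: type=1400 audit(1617557705.711:207): apparmor="DENIED" operation="mknod" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2021 Apr 04 17:35:06 admin kernel: audit: type=1400 audit(1617557706.100:208): apparmor="DENIED" operation="open" profile="example" name="/tmp/test" pid=11410 comm="application" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
2021 Apr 04 17:35:07 admin kernel: audit: type=1400 audit(1617557707.300:209): apparmor="DENIED" operation="file_lock" profile="example" name="/tmp/driver" pid=11410 comm="application" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2021 Apr 04 17:35:08 admin kernel: audit: type=1400 audit(1617557708.500:210): apparmor="DENIED" operation="open" profile="example" name="/tmp/.init_complete" pid=11410 comm="application" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The two rule sets discussed in the thread.
SPECIFIC_RULES = "/tmp/file.txt r,\n/tmp/.init_complete rw,\n"
BROAD_RULES = "/tmp/** rw,\n"

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Exec modes (ix, Px, ...) are out of scope for this example.
RULE_RE = re.compile(r"^\s*(\S+)\s+([rwalkm]+),\s*$")
MODE_ORDER = "rwalkmx"  # order in which AppArmor's tools print permissions


def parse_denials(text):
    """Yield the key="value" fields of every apparmor="DENIED" line that names a file."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def normalize_mask(mask):
    """Fold an audit mask into profile permission letters.
    Assumption: 'c' (create) and 'd' (delete) are folded into 'w'."""
    letters = set(mask.replace("c", "w").replace("d", "w"))
    return "".join(ch for ch in MODE_ORDER if ch in letters)


def glob_to_regex(pattern):
    """Subset of AppArmor globbing: '**' crosses '/', '*' and '?' do not,
    '{a,b}' is alternation. Leading dots get no special treatment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(rule_text):
    rules = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def granted(rules, path):
    """Allow rules accumulate: the union of every matching rule's permissions."""
    perms = set()
    for rx, p in rules:
        if rx.match(path):
            perms |= p
    return perms


def suggest(log_text, rule_text):
    """Candidate rule lines for permissions the denials need but the rules lack."""
    rules = parse_rules(rule_text)
    needed = {}
    for ev in parse_denials(log_text):
        key = (ev["profile"], ev["name"])
        needed[key] = needed.get(key, "") + normalize_mask(ev["denied_mask"])
    suggestions = []
    for (profile, path), mask in sorted(needed.items()):
        missing = set(mask) - granted(rules, path)
        if missing:
            letters = "".join(c for c in MODE_ORDER if c in missing)
            suggestions.append("%s %s," % (path, letters))
    return suggestions


if __name__ == "__main__":
    for label, rules in (("specific", SPECIFIC_RULES), ("broad", BROAD_RULES)):
        print("%s rules still miss:" % label, suggest(SAMPLE_LOG, rules))
```

Run against the file-specific rules the script reports `/tmp/test rw,` and `/tmp/driver k,`; against `/tmp/** rw,` it still reports `/tmp/driver k,`, because the lock request (`k`) is a separate permission that a `rw` rule does not grant (the `krw` versus `rw` pair in Query 3). Merge each suggestion into the existing rule for that path by hand rather than appending it verbatim. The wide rule silences more denials with less review, which is exactly why it is the weaker choice on a device where anything in /tmp is writable by other processes.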
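For Query 1 (cross-checking a generated profile against `/proc/<pid>/maps`), this added example (not from the thread or the AppArmor project) parses a constructed `/proc/<pid>/maps` excerpt and a constructed `ls -l /proc/<pid>/fd` listing and turns them into candidate file rules. The mapping to AppArmor letters is: every file-backed mapping needs `r`, an executable mapping (`x` in the maps permission column) needs `m`, and a shared writable mapping (`rw-s`) needs `w`; a private writable mapping is copy-on-write and needs only `r`. For open descriptors, the symlink mode in `/proc/<pid>/fd` mirrors the open mode, so `lr-x` is read-only and `l-wx` is write-only. The caveat for the question as asked: `maps` lists only files that are memory-mapped, and `fd` lists only files open at the moment you look, so a configuration file read with `read()` and closed at startup appears in neither; the audit log from a complain-mode run remains the authoritative source, and these snapshots only cross-check it.

```python
import re

# Constructed /proc/<pid>/maps excerpt (addresses, inodes and paths are invented).
MAPS = """\
55d6d0a00000-55d6d0a02000 r-xp 00000000 08:01 131      /usr/bin/application
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 2345     /lib/x86_64-linux-gnu/libc.so.6
7f3a1c1a0000-7f3a1c1a4000 r--p 001a0000 08:01 2345     /lib/x86_64-linux-gnu/libc.so.6
7f3a1c1a4000-7f3a1c1a6000 rw-p 001a4000 08:01 2345     /lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c201000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c401000 rw-s 00000000 08:01 888      /tmp/.init_complete
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0        [stack]
"""

# Constructed `ls -l /proc/<pid>/fd` excerpt.
FDS = """\
lrwx------ 1 root root 64 Apr  4 17:35 0 -> /dev/pts/0
lr-x------ 1 root root 64 Apr  4 17:35 3 -> /etc/app/config.ini
l-wx------ 1 root root 64 Apr  4 17:35 4 -> /tmp/lock_file
lrwx------ 1 root root 64 Apr  4 17:35 5 -> socket:[12345]
"""

# address range, perms (4 chars), offset, dev, inode, then an absolute path.
MAPS_RE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\S+\s+(/\S+)$")
# 'l' + read flag + write flag + rest of the mode ... '-> /absolute/path'
FD_RE = re.compile(r"^l([r-])([w-])\S+\s.*\s->\s(/\S+)$")


def maps_requirements(maps_text):
    """AppArmor letters each file-backed mapping needs: r always, m for
    PROT_EXEC, w only for a shared writable mapping."""
    req = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # anonymous memory, [stack], [heap], ...
        perms, path = m.groups()
        need = req.setdefault(path, set("r"))
        if perms[2] == "x":
            need.add("m")
        if perms[1] == "w" and perms[3] == "s":
            need.add("w")
    return req


def fd_requirements(fd_text):
    """Open descriptors backed by a path; sockets and anon inodes are skipped."""
    req = {}
    for line in fd_text.splitlines():
        m = FD_RE.match(line)
        if not m:
            continue
        r, w, path = m.groups()
        need = req.setdefault(path, set())
        if r == "r":
            need.add("r")
        if w == "w":
            need.add("w")
    return req


def candidate_rules(maps_text, fd_text):
    """Merge both views into sorted candidate rule lines for comparison
    with the profile aa-logprof produced."""
    merged = maps_requirements(maps_text)
    for path, need in fd_requirements(fd_text).items():
        merged.setdefault(path, set()).update(need)
    return ["%s %s," % (p, "".join(c for c in "rwm" if c in merged[p]))
            for p in sorted(merged)]


if __name__ == "__main__":
    for rule in candidate_rules(MAPS, FDS):
        print(rule)
```

Anything the snapshot lists that the generated profile does not cover is worth a second look, but the reverse is not a finding: a rule in the profile with no counterpart in `maps` or `fd` may simply reflect a file that was opened and closed before the snapshot was taken.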
