On Arch I installed apparmor (the package, and added the kernel parameter), then ran
sudo aa-genprof firefox
cd /etc/apparmor.d
apparmor_parser -R usr.bin.firefox
rm usr.bin.firefox
Profiling: /usr/bin/firefox
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Profiling: /usr/bin/firefox
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
It does create a config, of course, but a useless one:
> cat usr.bin.firefox
# Last Modified: Sun Oct 28 19:24:43 2018
#include <tunables/global>

/usr/bin/firefox {
  #include <abstractions/base>
  #include <abstractions/bash>

  /usr/bin/bash ix,
  /usr/bin/firefox r,

}
Output of apparmor_status after removing the generated config:
apparmor module is loaded.
46 profiles are loaded.
46 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda///usr/{bin,sbin}/sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/lib/dovecot/stats
/usr/{bin,sbin}/apache2
/usr/{bin,sbin}/apache2//DEFAULT_URI
/usr/{bin,sbin}/apache2//HANDLING_UNTRUSTED_INPUT
/usr/{bin,sbin}/apache2//phpsysinfo
/usr/{bin,sbin}/avahi-daemon
/usr/{bin,sbin}/dovecot
/usr/{bin,sbin}/identd
/usr/{bin,sbin}/mdnsd
/usr/{bin,sbin}/nmbd
/usr/{bin,sbin}/nscd
/usr/{bin,sbin}/smbd
/usr/{bin,sbin}/smbldap-useradd
/usr/{bin,sbin}/smbldap-useradd///etc/init.d/nscd
/usr/{bin,sbin}/winbindd
/usr/{bin,sbin}/{,open}ntpd
dnsmasq
dnsmasq//libvirt_leaseshelper
klogd
nvidia_modprobe
nvidia_modprobe//kmod
ping
syslog-ng
syslogd
traceroute
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
At the same time, if I deny network access in the config for ping, everything works as expected:
ping: socket: Operation not permitted
but nothing gets written to the audit log (/var/log/audit/audit.log) (no idea whether it's supposed to, but I think it should). When I run aa-genprof and firefox, nothing shows up in audit.log.
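Where the denials actually land is the crux of the post. AppArmor reports through the kernel audit subsystem: when auditd is running the records are written to /var/log/audit/audit.log, which is the file aa-genprof scans (its "Reading log entries from /var/log/audit/audit.log" line above), and when no auditd is consuming them they stay in the kernel ring buffer, visible only with dmesg or journalctl -k. The following is an added example, not code from the original post or from the AppArmor project: it parses both record forms over a few constructed log lines (paths, PIDs, serials and timestamps are made up), counts denials per log source and profile, and prints the allow rule that would satisfy each denial, which is the same mapping aa-logprof performs when it offers you a rule.

```python
"""Find AppArmor events in either place they can end up.

Added example, not code from the original post or from the AppArmor project.
The sample log lines below are constructed; paths, PIDs, serials and
timestamps are made up.
"""
import re
from collections import Counter

# Kernel ring-buffer form (dmesg / journalctl -k): what you get when no auditd
# is reading the kernel audit socket.
KERNEL_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# auditd form, as written to /var/log/audit/audit.log (the file aa-genprof scans).
AUDITD_RE = re.compile(
    r"type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key="quoted value" or key=bare_value pairs that make up the record body.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: two kernel-log denials (ping raw socket, firefox file
# open), one profile-load STATUS record, the same ping denial in auditd form,
# a SYSCALL record that is not AppArmor's, and an unrelated kernel line.
SAMPLE_LINES = [
    '[  912.345678] audit: type=1400 audit(1540744800.123:45): apparmor="DENIED" operation="create" profile="ping" pid=2345 comm="ping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"',
    '[  915.000000] audit: type=1400 audit(1540744803.000:46): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/.mozilla/firefox/profiles.ini" pid=2400 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[  900.000000] audit: type=1400 audit(1540744788.000:40): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=2300 comm="apparmor_parser"',
    'type=AVC msg=audit(1540744800.123:45): apparmor="DENIED" operation="create" profile="ping" pid=2345 comm="ping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"',
    'type=SYSCALL msg=audit(1540744800.123:45): arch=c000003e syscall=41 success=no exit=-1 comm="ping" exe="/usr/bin/ping"',
    '[  920.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd',
]


def parse_event(line):
    """Return a dict for one AppArmor record, or None for any other line."""
    source, m = "kernel", KERNEL_RE.search(line)
    if m is None:
        source, m = "auditd", AUDITD_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("body"))}
    if "apparmor" not in fields:
        return None  # an audit record (e.g. SYSCALL) that is not AppArmor's
    event = {"source": source, "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    event.update(fields)
    return event


def denials(lines):
    """Only the DENIED records; STATUS (profile load) and ALLOWED are dropped."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev is not None and ev.get("apparmor") == "DENIED"]


def summarize(lines):
    """Denials per (log source, profile): shows which log actually holds them."""
    return Counter((ev["source"], ev["profile"]) for ev in denials(lines))


def allow_rule(event):
    """The profile rule that would permit the denied access.

    File denials carry name= and denied_mask=; socket denials carry
    family= and sock_type=. Anything else is left for manual review.
    """
    if "name" in event and "denied_mask" in event:
        return f'{event["name"]} {event["denied_mask"]},'
    if "family" in event and "sock_type" in event:
        return f'network {event["family"]} {event["sock_type"]},'
    return f'# review manually: operation={event.get("operation", "?")}'


if __name__ == "__main__":
    import sys

    # With no arguments the constructed sample is used; otherwise each
    # argument is a log file (journalctl -k output or audit.log).
    if len(sys.argv) == 1:
        lines = SAMPLE_LINES
    else:
        lines = [l.rstrip("\n") for path in sys.argv[1:] for l in open(path)]
    for (source, profile), count in sorted(summarize(lines).items()):
        print(f"{source:7} {profile:45} {count} denial(s)")
    for ev in denials(lines):
        print(f"{ev['source']:7} {ev['profile']}: {allow_rule(ev)}")
```

Run it against the real sources with `journalctl -k --no-pager > /tmp/k.log; python3 aa_events.py /tmp/k.log /var/log/audit/audit.log`: if the ping denial shows up under the kernel source only, the events exist but auditd is not capturing them, which is exactly the situation in which aa-genprof scans audit.log and finds nothing.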