# AppArmor

## Superfox_il_Volpone

Hello,

I am new to AppArmor, but would like to give it a try.

So I updated the kernel & set AppArmor as default MAC. Then I emerged "sys-apps/apparmor". So far so good.

I see that the other packages are masked though. Where do I find the reason for being blacklisted?

sec-policy/apparmor-profiles

sys-apps/apparmor-utils

sys-libs/libapparmor

Anyway, I unlocked the packages to install apparmor-utils to follow this article http://www.la-samhna.de/library/apparmor.html. However, I am already stuck at step 1:

```
[root@sebastian] /usr/local/bin: aa-genprof git-crypt
Can't include file abstractions/authentication: No such file or directory at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6222.
   Immunix::AppArmor::get_include_data('abstractions/authentication') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6237
   Immunix::AppArmor::loadinclude('abstractions/authentication') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile for restricting lightdm guest...', 'abstractions/lightdm', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile abstraction for restricting c...', 'abstractions/lightdm_chromium-browser', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm_chromium-browser') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   Immunix::AppArmor::loadincludes() called at /usr/sbin/aa-genprof line 117
```

The error simply says that the given file does not exist, and it is right. I think that my profile is messed up:

```
[root@sebastian] /etc/apparmor.d: ll
total 8
drwxr-xr-x 2 root root 4096 Nov  6 23:32 abstractions
-rw-r--r-- 1 root root  369 Sep 14 23:40 lightdm-guest-session
[root@sebastian] /etc/apparmor.d: ll abstractions/
total 8
-rw-r--r-- 1 root root 2167 Sep 14 23:40 lightdm
-rw-r--r-- 1 root root 1495 Sep 14 23:40 lightdm_chromium-browser
```

lightdm is trying to include other profiles I do not have:

```
[root@sebastian] /etc/apparmor.d/abstractions: cat lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
  #include <abstractions/authentication>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>
  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
  / r,
  /bin/ rmix,
  /bin/fusermount Px,
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,
  /dev/ r,
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,
  /etc/ r,
  /etc/** rmk,
  /etc/gdm/Xsession ix,
  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,
  owner /media/ r,
  owner /media/** rmwlixk,  # we want access to USB sticks and the like
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  owner @{PROC}/** rm,
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r,
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,
  # needed for confined trusted helpers, such as dbus-daemon
  /sys/kernel/security/apparmor/.access rw,
  /tmp/ rw,
  owner /tmp/** rwlkmix,
  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,
  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix,
  /{,var/}run/shm/** wl,
  # libpam-xdg-support/logind
  owner /{,var/}run/user/*/** rw,
  capability ipc_lock,
  # silence warnings for stuff that we really don't want to grant
  deny capability dac_override,
  deny capability dac_read_search,
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,
```


Any idea on how to proceed?

Thanks,

S.Fox

----------

## kensington

AppArmor is not masked because there's anything wrong with it - rather it's just still in testing (~arch).

It looks like the missing files are provided by sec-policy/apparmor-profiles.

----------

## Superfox_il_Volpone

Hello,

Thanks for your reply. I went forward, but it is still trying to import files which I do not have:

```
[root@sebastian] /usr/local/bin: aa-genprof git-crypt
Can't include file abstractions/dbus-accessibility: No such file or directory at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6222.
   Immunix::AppArmor::get_include_data('abstractions/dbus-accessibility') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6237
   Immunix::AppArmor::loadinclude('abstractions/dbus-accessibility') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile for restricting lightdm guest...', 'abstractions/lightdm', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 5343
   Immunix::AppArmor::parse_profile_data('# vim:syntax=apparmor\x{a}# Profile abstraction for restricting c...', 'abstractions/lightdm_chromium-browser', 1) called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6238
   Immunix::AppArmor::loadinclude('abstractions/lightdm_chromium-browser') called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   eval {...} called at /usr/lib64/perl5/vendor_perl/5.18.2/Immunix/AppArmor.pm line 6386
   Immunix::AppArmor::loadincludes() called at /usr/sbin/aa-genprof line 117
```

Available profiles:

```
[root@sebastian] ~: ll /etc/apparmor.d/abstractions/
total 272
-rw-r--r-- 1 root root  435 Nov 13 17:29 apache2-common
-rw-r--r-- 1 root root  259 Nov 13 17:29 aspell
-rw-r--r-- 1 root root 1555 Nov 13 17:29 audio
-rw-r--r-- 1 root root 1544 Nov 13 17:29 authentication
-rw-r--r-- 1 root root 4719 Nov 13 17:29 base
-rw-r--r-- 1 root root 1512 Nov 13 17:29 bash
-rw-r--r-- 1 root root  798 Nov 13 17:29 consoles
-rw-r--r-- 1 root root  713 Nov 13 17:29 cups-client
-rw-r--r-- 1 root root  507 Nov 13 17:29 dbus
-rw-r--r-- 1 root root  512 Nov 13 17:29 dbus-session
-rw-r--r-- 1 root root  227 Nov 13 17:29 dconf
-rw-r--r-- 1 root root 2007 Nov 13 17:29 enchant
-rw-r--r-- 1 root root 1819 Nov 13 17:29 fonts
-rw-r--r-- 1 root root 1636 Nov 13 17:29 freedesktop.org
-rw-r--r-- 1 root root 2721 Nov 13 17:29 gnome
-rw-r--r-- 1 root root  278 Nov 13 17:29 gnupg
-rw-r--r-- 1 root root  548 Nov 13 17:29 ibus
-rw-r--r-- 1 root root 2019 Nov 13 17:29 kde
-rw-r--r-- 1 root root 1103 Nov 13 17:29 kerberosclient
-rw-r--r-- 1 root root  824 Nov 13 17:29 launchpad-integration
-rw-r--r-- 1 root root  686 Nov 13 17:29 ldapclient
-rw-r--r-- 1 root root 2167 Sep 14 23:40 lightdm
-rw-r--r-- 1 root root 1495 Sep 14 23:40 lightdm_chromium-browser
-rw-r--r-- 1 root root  489 Nov 13 17:29 likewise
-rw-r--r-- 1 root root  436 Nov 13 17:29 mdns
-rw-r--r-- 1 root root  641 Nov 13 17:29 mysql
-rw-r--r-- 1 root root 2668 Nov 13 17:29 nameservice
-rw-r--r-- 1 root root  524 Nov 13 17:29 nis
-rw-r--r-- 1 root root  425 Nov 13 17:29 nvidia
-rw-r--r-- 1 root root  470 Nov 13 17:29 openssl
-rw-r--r-- 1 root root   93 Nov 13 17:29 orbit2
-rw-r--r-- 1 root root  814 Nov 13 17:29 p11-kit
-rw-r--r-- 1 root root  860 Nov 13 17:29 perl
-rw-r--r-- 1 root root  928 Nov 13 17:29 php5
-rw-r--r-- 1 root root 1303 Nov 13 17:29 private-files
-rw-r--r-- 1 root root  746 Nov 13 17:29 private-files-strict
-rw-r--r-- 1 root root 1507 Nov 13 17:29 python
-rw-r--r-- 1 root root  966 Nov 13 17:29 ruby
-rw-r--r-- 1 root root  700 Nov 13 17:29 samba
-rw-r--r-- 1 root root  476 Nov 13 17:29 smbpass
-rw-r--r-- 1 root root  742 Nov 13 17:29 ssl_certs
-rw-r--r-- 1 root root  556 Nov 13 17:29 ssl_keys
-rw-r--r-- 1 root root 1646 Nov 13 17:29 svn-repositories
-rw-r--r-- 1 root root  682 Nov 13 17:29 ubuntu-bittorrent-clients
-rw-r--r-- 1 root root 1615 Nov 13 17:29 ubuntu-browsers
drwxr-xr-x 2 root root 4096 Nov 13 17:29 ubuntu-browsers.d
-rw-r--r-- 1 root root  611 Nov 13 17:29 ubuntu-console-browsers
-rw-r--r-- 1 root root  601 Nov 13 17:29 ubuntu-console-email
-rw-r--r-- 1 root root  809 Nov 13 17:29 ubuntu-email
-rw-r--r-- 1 root root  339 Nov 13 17:29 ubuntu-feed-readers
-rw-r--r-- 1 root root  182 Nov 13 17:29 ubuntu-gnome-terminal
-rw-r--r-- 1 root root 2978 Nov 13 17:29 ubuntu-helpers
-rw-r--r-- 1 root root  343 Nov 13 17:29 ubuntu-konsole
-rw-r--r-- 1 root root 2234 Nov 13 17:29 ubuntu-media-players
-rw-r--r-- 1 root root  237 Nov 13 17:29 ubuntu-xterm
-rw-r--r-- 1 root root  750 Nov 13 17:29 user-download
-rw-r--r-- 1 root root  786 Nov 13 17:29 user-mail
-rw-r--r-- 1 root root  889 Nov 13 17:29 user-manpages
-rw-r--r-- 1 root root  654 Nov 13 17:29 user-tmp
-rw-r--r-- 1 root root  717 Nov 13 17:29 user-write
-rw-r--r-- 1 root root  123 Nov 13 17:29 video
-rw-r--r-- 1 root root  705 Nov 13 17:29 web-data
-rw-r--r-- 1 root root  739 Nov 13 17:29 winbind
-rw-r--r-- 1 root root  585 Nov 13 17:29 wutmp
-rw-r--r-- 1 root root 1450 Nov 13 17:29 X
-rw-r--r-- 1 root root  883 Nov 13 17:29 xad
-rw-r--r-- 1 root root  673 Nov 13 17:29 xdg-desktop
```

The profile dbus-accessibility should at least be reported in http://www.portagefilelist.de/site/query/file/, shouldn't it?

Thanks,

S. Fox

----------

## kensington

Missing abstractions/dbus-accessibility looks like bug #494426 coming back to life.

----------

## Superfox_il_Volpone

Hello,

should I file a new bug then?

----------

## kensington

Yes please.

----------

## Gentoo64

I find the most secure and reliable way is not to install the apparmor-profiles package; just make the dirs yourself, use abstractions/base and write the profiles entirely by hand. It takes a lot longer, but you know exactly what's being enforced.
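Both failures in this thread (aa-genprof aborting with "Can't include file abstractions/...") and the hand-written-profile approach above come down to the same check: every `#include <...>` in a profile, and in everything it includes, has to resolve to a file under the profile root. The script below is an added example, not code from the thread or from the AppArmor project. It walks the include graph of a profile and lists the targets that are missing, so a newly written or copied profile can be checked in one pass before aa-genprof or apparmor_parser is run against it. The profile tree it builds is constructed for the demonstration: the `usr.local.bin.example` profile, its path and its rules are hypothetical, and the abstraction contents are reduced to one or two lines each, but the include layout mirrors the thread (the Ubuntu lightdm abstraction pulling in abstractions that were never installed). To check a real profile, call `check_includes /etc/apparmor.d /etc/apparmor.d/<profile>`.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): resolve the
# "#include <target>" directives of an AppArmor profile recursively against a
# profile root (normally /etc/apparmor.d) and report every target that does
# not exist. A missing target is exactly what makes aa-genprof abort with
# "Can't include file abstractions/...", one include per run.

# Print the targets named by "#include <target>" lines in one file.
# Ordinary comments (e.g. "# vim:syntax=apparmor") and rules do not match.
list_includes() {
    sed -n 's/^[[:space:]]*#include[[:space:]]*<\([^>]*\)>.*/\1/p' "$1"
}

# Depth-first walk of the include graph. SEEN is a global, space-separated
# list of targets already visited, so mutual includes cannot loop and a
# missing target is reported once even when several files include it.
# $1 = profile root, $2 = file currently being scanned.
walk_includes() {
    for inc in $(list_includes "$2"); do
        case " $SEEN " in *" $inc "*) continue ;; esac
        SEEN="$SEEN $inc"
        if [ -f "$1/$inc" ]; then
            walk_includes "$1" "$1/$inc"
        else
            printf '%s\n' "$inc"
        fi
    done
}

# check_includes <root> <profile>: print missing include targets, one per line.
check_includes() {
    SEEN=""
    walk_includes "$1" "$2"
}

# includes_ok <root> <profile>: succeed only when nothing is missing.
includes_ok() {
    [ -z "$(check_includes "$1" "$2")" ]
}

# Build a constructed profile tree under a temporary directory: a hypothetical
# hand-written top-level profile that includes abstractions/base and the
# lightdm abstraction, which in turn includes abstractions that are not
# installed (cups-client, dbus-accessibility), as in the thread.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/abstractions"
    printf '  /etc/ld.so.cache r,\n' > "$root/abstractions/base"
    printf '  #include <abstractions/nameservice>\n  /etc/pam.d/* r,\n' \
        > "$root/abstractions/authentication"
    printf '  /etc/resolv.conf r,\n' > "$root/abstractions/nameservice"
    cat > "$root/abstractions/lightdm" <<'EOF'
# vim:syntax=apparmor
  #include <abstractions/authentication>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/nameservice>
  /etc/ r,
EOF
    cat > "$root/usr.local.bin.example" <<'EOF'
# constructed hand-written profile; the path and rules are hypothetical
/usr/local/bin/example {
  #include <abstractions/base>
  #include <abstractions/lightdm>
  /usr/local/bin/example mr,
}
EOF
    printf '%s\n' "$root"
}

root=$(make_demo_tree)
echo "Missing includes for usr.local.bin.example:"
check_includes "$root" "$root/usr.local.bin.example"
rm -rf "$root"
```

The walk is depth-first in the order the directives appear, which matches the order in which the Perl tooling in the thread hit them: the lightdm abstraction is reached through the top-level profile, and its two unresolved includes are printed while abstractions/nameservice, already visited through abstractions/authentication, is skipped. Because the check only reads files it never needs root, so it can be run by the person editing the profile rather than at load time.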

----------

