Differences between revisions 20 and 21
Revision 20 as of 2015-02-01 17:48:57
Size: 4522
Editor: UlrikeUhlig
Comment:
Revision 21 as of 2015-02-02 12:37:15
Size: 4643
Editor: UlrikeUhlig
Comment: aa-notify


Desktop notifications

The aa-notify command can show a desktop notification whenever a program triggers a DENIED message in /var/log/kern.log. It can be started like this (the user who starts aa-notify needs read permission on /var/log/kern.log, which is why sudo is used):

 sudo aa-notify -p

If you use auditd, the DENIED messages go to the audit log instead, so start aa-notify with that file:

 sudo aa-notify -p -f /var/log/audit/audit.log

Diagnose if a bug might have been caused by AppArmor

The apparmor-utils package provides many useful commands to debug AppArmor.

  • Find out if AppArmor is available in the kernel - this exits with status 0 if the apparmor module is built in or loaded:

    • test -d /sys/module/apparmor

    A present module does not by itself mean AppArmor is the active security module: /sys/module/apparmor/parameters/enabled reads Y only when it was actually enabled at boot, N otherwise.

  • Find out which profiles are loaded
    • sudo aa-status - lists all loaded AppArmor profiles, the mode each is in (enforce or complain), and the processes that are confined by them or that are unconfined although a profile for them exists.

  • Output a list of processes that have open TCP or UDP ports but do _not_ have an AppArmor profile loaded

    • sudo aa-unconfined - with the --paranoid parameter it checks all running processes, not only those listening on the network

  • List the running processes which are currently confined by an AppArmor profile (the first column shows the profile and its mode):

    • ps auxZ | grep -v '^unconfined'

  • Sometimes it's useful to disable a profile and test again whether the bug persists:
    • sudo aa-disable /etc/apparmor.d/$profile e.g. sudo aa-disable /etc/apparmor.d/usr.bin.pidgin This unloads the profile from the kernel and marks it disabled with a symlink in /etc/apparmor.d/disable/, so it stays disabled across reboots. One can re-enable the profile like this: sudo aa-enforce /etc/apparmor.d/$profile

  • Verify the logs
    • sudo tail -f /var/log/syslog | grep 'DENIED' or (if auditd is installed): sudo tail -f /var/log/audit/audit.log | grep 'DENIED' The "DENIED" lines name the profile, the operation (e.g. open, exec), the path or resource that was accessed and the requested and denied permission masks, which is usually enough to tell which rule the profile is missing.

Debug a profile

Quick guide

  • Read syslog sudo tail -f /var/log/syslog | grep DENIED or, with auditd, sudo tail -f /var/log/audit/audit.log | grep DENIED

  • sudo aa-disable /etc/apparmor.d/$profile where "$profile" is the name of the application's profile, e.g. sudo aa-disable /etc/apparmor.d/usr.bin.pidgin

  • edit the profile, using a text editor
  • sudo aa-enforce /etc/apparmor.d/$profile where "$profile" is the name of the application's profile, to load it in enforce mode (violations are blocked and logged)

  • or sudo aa-complain /etc/apparmor.d/$profile where "$profile" is the name of the application's profile, to load it in complain mode (violations are only logged, which is the safer setting while you are still finding the missing rules)

  • To simply reload one profile into the kernel once you've modified its contents use apparmor_parser(8):

    • sudo apparmor_parser -r /etc/apparmor.d/profile.name e.g. sudo apparmor_parser -r /etc/apparmor.d/usr.bin.pidgin

  • restart the application and verify the logs again.
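The "Verify the logs" and "Read syslog" steps above leave you with a stream of raw DENIED lines. The following script is an added example, not code from this wiki page or from the AppArmor project: it collapses syslog/kern.log and audit.log lines into one summary line per distinct (profile, operation, name, denied mask) with a count, and then turns each summary into a candidate rule for the profile. The log lines embedded in it are constructed samples with hypothetical host name, paths and PIDs; only the /usr/bin/pidgin profile name comes from the page.

```sh
#!/bin/sh
# Added example (not from the Debian wiki or AppArmor upstream): summarise
# AppArmor DENIED lines and derive candidate profile rules from them.
# POSIX sh + awk only, so it runs on a minimal Sid VM.

# Constructed sample log lines (hypothetical host, paths and PIDs). The first
# three are in the syslog/kern.log and audit.log formats respectively; the
# last one is ALLOWED (complain mode) and must be ignored.
SAMPLE_LOG='Feb  2 12:37:15 host kernel: [ 1234.567890] audit: type=1400 audit(1422880635.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/home/user/.purple/accounts.xml" pid=1234 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb  2 12:37:16 host kernel: [ 1235.000001] audit: type=1400 audit(1422880636.000:46): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/home/user/.purple/accounts.xml" pid=1234 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1422880637.500:47): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/xdg-open" pid=1235 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb  2 12:37:18 host kernel: [ 1237.000001] audit: type=1400 audit(1422880638.000:48): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=500 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# summarize_denials: stdin = log lines, stdout = "<count> <profile> <op> <name> <mask>"
# sorted by count, most frequent first. Only apparmor="DENIED" lines count.
# Fields are parsed as key="value" tokens, which works because the kernel
# hex-encodes names containing spaces or unprintable characters.
summarize_denials() {
    grep 'apparmor="DENIED"' | awk '
    {
        profile = op = name = mask = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "profile") profile = kv[2]
            else if (kv[1] == "operation") op = kv[2]
            else if (kv[1] == "name") name = kv[2]
            else if (kv[1] == "denied_mask") mask = kv[2]
        }
        gsub(/"/, "", profile); gsub(/"/, "", op); gsub(/"/, "", name); gsub(/"/, "", mask)
        count[profile " " op " " name " " mask]++
    }
    END {
        for (k in count) printf "%d %s\n", count[k], k
    }' | sort -rn
}

# suggest_rules: stdin = summary lines, stdout = candidate rules to review.
# Plain file accesses become "<path> <mask>,"; exec denials are only flagged,
# because the transition mode (ix/Px/Ux) is a policy decision, not something
# to infer from a log line.
suggest_rules() {
    awk '{
        count = $1; profile = $2; op = $3; name = $4; mask = $5
        if (mask ~ /x/)
            printf "# %s: exec of %s denied %d time(s); choose ix/Px/Ux deliberately\n", profile, name, count
        else
            printf "# %s: %s on %s denied %d time(s)\n%s %s,\n", profile, op, name, count, name, mask
    }'
}

# Usage on a real system: sudo grep DENIED /var/log/syslog | summarize_denials | suggest_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_denials | suggest_rules
```

Treat the output as a starting point only: a literal rule such as /home/user/.purple/accounts.xml r, should normally be generalised (e.g. owner @{HOME}/.purple/** r,) before it goes into the profile, and a profile edited this way still has to be reloaded with apparmor_parser -r as described above.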

Testing

Testing new profiles in particular should always be done in a clean Sid environment.

In a nutshell:

  • fire up a sid VM
  • apt install apparmor

  • add apparmor=1 security=apparmor to the kernel command-line

  • drop the profile in place, that is into /etc/apparmor.d/
  • reboot
  • test the software at will.
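After the reboot it is worth checking each precondition of the procedure above explicitly, because test -d /sys/module/apparmor only proves the module is built, not that it was enabled on the kernel command line or that your profile actually loaded. The script below is an added example, not code from this wiki page or the AppArmor project. It reads the same kernel files you would inspect by hand (/proc/cmdline, /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles), parametrised by a root directory so it can also be run against a constructed fake tree; the /usr/sbin/cupsd profile and the kernel command line in the fake tree are hypothetical.

```sh
#!/bin/sh
# Added example (not from the Debian wiki or AppArmor upstream): verify that a
# test VM really has AppArmor active and a given profile loaded.
# apparmor_check ROOT PROFILE  -> prints findings, returns 0 only if all pass.
# ROOT is "/" on a real VM; a fake tree is used below for offline testing.
apparmor_check() {
    root=$1; profile=$2; rc=0

    if [ ! -d "$root/sys/module/apparmor" ]; then
        echo "FAIL: apparmor module not present in this kernel"
        return 1
    fi

    # The module directory exists even when AppArmor is not the active LSM;
    # parameters/enabled reads Y only when it was enabled at boot.
    enabled=$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null || true)
    if [ "$enabled" != "Y" ]; then
        echo "FAIL: apparmor module present but not enabled (parameters/enabled=$enabled)"
        rc=1
    fi

    # The page's procedure adds apparmor=1 security=apparmor to the command line.
    if ! grep -q 'security=apparmor' "$root/proc/cmdline" 2>/dev/null; then
        echo "WARN: security=apparmor missing from the kernel command line"
        rc=1
    fi

    # securityfs lists every loaded profile as "<name> (<mode>)".
    mode=$(grep "^$profile (" "$root/sys/kernel/security/apparmor/profiles" 2>/dev/null \
           | sed 's/.*(\(.*\))/\1/')
    case "$mode" in
        enforce|complain) echo "OK: $profile loaded in $mode mode" ;;
        "")  echo "FAIL: $profile not loaded (check apparmor_parser -r output)"; rc=1 ;;
        *)   echo "WARN: $profile loaded in unexpected mode '$mode'"; rc=1 ;;
    esac
    return $rc
}

# make_fake_root DIR: constructed tree mirroring a VM where AppArmor is enabled
# and /usr/bin/pidgin was loaded in complain mode (hypothetical contents).
make_fake_root() {
    d=$1
    mkdir -p "$d/sys/module/apparmor/parameters" "$d/sys/kernel/security/apparmor" "$d/proc"
    printf 'Y\n' > "$d/sys/module/apparmor/parameters/enabled"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro apparmor=1 security=apparmor\n' > "$d/proc/cmdline"
    printf '/usr/bin/pidgin (complain)\n/usr/sbin/cupsd (enforce)\n' \
        > "$d/sys/kernel/security/apparmor/profiles"
}

# Demo against the fake tree; on a real VM run: apparmor_check / /usr/bin/pidgin
demo=$(mktemp -d)
make_fake_root "$demo"
apparmor_check "$demo" /usr/bin/pidgin
rm -rf "$demo"
```

Running it as root on the VM right after the reboot tells you which of the three things went wrong (module, boot parameters, or the profile itself) before you start blaming the profile for behaviour it never saw.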

External documentation

Report a bug

If you've found a bug in an AppArmor profile provided either by apparmor-profiles-extra or a software in Debian which ships its own profile, you might want to report a bug. As the Debian Bug Tracking System is package-centric, only the package maintainers will be automatically made aware you reported this bug. That is why we kindly ask you to usertag your bugs, so that the Debian AppArmor Packaging Team will also be notified if AppArmor is involved or if you need help diagnosing this very fact.

The usertags you should use are:

  • "help-needed", to request help with the initial diagnosis (i.e. to find out whether AppArmor is involved at all).

  • "buggy-profile", if AppArmor has been identified as the culprit.

You can find out more on usertagging bugs in our dedicated documentation.