
4.2. Profiles


AppArmor profiles are simple text files located in /etc/apparmor.d/. Each file is named after the full path of the executable it profiles, with every "/" replaced by ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.


There are two main types of rules used in profiles:

Path entries: detail which files an application can access in the file system.

Capability entries: determine which privileges a confined process is allowed to use.

As an example, take a look at /etc/apparmor.d/bin.ping:


#include <tunables/global>

/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}


#include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.

/bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.

capability net_raw,: allows the application access to the CAP_NET_RAW POSIX.1e capability.

/bin/ping mixr,: allows the application read and execute access to the file.
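To make the structure above concrete, here is an added example (not part of the Ubuntu guide and not AppArmor project code) in Python: a small parser that understands only the rule kinds shown in this section (#include lines, the profile header with its flags, capability and network rules, and path rules with a permission string), plus a helper that derives the profile file name from an executable path and a short audit that flags settings a reviewer would check before relying on a profile. The embedded profile text is a constructed copy of the bin.ping profile discussed above; the function names and the audit rules are this example's own choices.

```python
"""Parse a minimal AppArmor profile and summarise its rules.

Added example, not from the Ubuntu guide or the AppArmor project. It
handles only the rule kinds shown in the text; real profiles contain
many more constructs (globs, sub-profiles, dbus rules, ...).
"""
import re

# Constructed sample: the bin.ping profile from the text.
SAMPLE_PROFILE = """\
#include <tunables/global>

/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
"""

# Profile header: "/path/to/exe flags=(a,b) {" with the flags part optional.
HEADER_RE = re.compile(r'^(?P<path>/\S+)\s*(?:flags=\((?P<flags>[^)]*)\))?\s*\{$')
# Path rule: "/path perms," where perms is a permission string such as "mixr".
PATH_RULE_RE = re.compile(r'^(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),$')


def profile_filename(exe_path):
    """Map an executable path to its file name under /etc/apparmor.d/.

    Follows the naming rule in the text: drop the leading "/" and
    replace every remaining "/" with ".".
    """
    return exe_path.lstrip('/').replace('/', '.')


def parse_profile(text):
    """Return a dict with the profile path, flags, includes and rule lists."""
    info = {
        'path': None,
        'flags': [],
        'includes': [],
        'capabilities': [],
        'network': [],
        'paths': {},
    }
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and ordinary comments, but keep #include lines.
        if not line or (line.startswith('#') and not line.startswith('#include')):
            continue
        if line.startswith('#include'):
            info['includes'].append(line.split(None, 1)[1].strip('<>'))
            continue
        m = HEADER_RE.match(line)
        if m:
            info['path'] = m.group('path')
            if m.group('flags'):
                info['flags'] = [f.strip() for f in m.group('flags').split(',')]
            continue
        if line.startswith('capability '):
            info['capabilities'].append(line[len('capability '):].rstrip(','))
            continue
        if line.startswith('network '):
            info['network'].append(line[len('network '):].rstrip(','))
            continue
        m = PATH_RULE_RE.match(line)
        if m:
            info['paths'][m.group('path')] = m.group('perms')
            continue
        if line == '}':
            continue
        raise ValueError('unrecognised rule: %r' % line)
    return info


def audit_findings(info):
    """List settings a reviewer would want to look at before deploying.

    These checks are this example's own choices: complain mode only logs
    violations, and write or unconfined-execute (ux/Ux) permissions widen
    what the confined program can do.
    """
    findings = []
    if 'complain' in info['flags']:
        findings.append('profile is in complain mode: violations are logged, not blocked')
    for path, perms in sorted(info['paths'].items()):
        if 'w' in perms:
            findings.append('%s is writable (%s)' % (path, perms))
        if 'u' in perms.lower():
            findings.append('%s may be executed unconfined (%s)' % (path, perms))
    return findings


if __name__ == '__main__':
    parsed = parse_profile(SAMPLE_PROFILE)
    print('profile file:', profile_filename(parsed['path']))
    for key in ('flags', 'includes', 'capabilities', 'network', 'paths'):
        print('%-13s %s' % (key + ':', parsed[key]))
    for finding in audit_findings(parsed):
        print('finding:', finding)
```

Run against the constructed sample, the parser reports the profile path /bin/ping, the complain flag, the four includes, the two capabilities, the single network rule and the two path rules, and the audit's only finding is that the profile is still in complain mode. Point parse_profile at the contents of a real file from /etc/apparmor.d/ only after extending the regexes, since production profiles use syntax this example does not cover.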



After editing a profile file the profile must be reloaded. See Section 4.1, “Using AppArmor” [p. 194] for details.

