
Re: Apparmor: 1 processes are unconfined but have a profile defined



Hi.

On Fri, Jul 13, 2018 at 07:10:51PM +0300, Ge wrote:
> Hello
> I'm trying to make my own profiles for apparmor.
> 
> I made a profile for firefox-esr but for some reason I can't get apparmor
> to confine it.  I run aa-enforce firefox-esr but nothing changes.

First, you're supposed to restart the confined process, as an AppArmor
profile applies at process start only.

Second, AppArmor applies to full pathnames only, and aa-enforce is
dumb enough to pick /usr/bin/firefox-esr instead of the real firefox
binary (which should be /usr/lib/firefox-esr/firefox-esr).


> Any ideas?
> Thanks in advance for your help.

Third, I see a discrepancy here:

> $sudo aa-status
> apparmor module is loaded.
> 21 profiles are loaded.
> 21 profiles are in enforce mode.
>    /etc/apparmor.d/usr.lib.firefox-esr.firefox-esr
...
>    /usr/bin/firefox
...
> 3 processes are in enforce mode.
>    /usr/bin/freshclam (689)
>    /usr/lib/firefox-esr/plugin-container (1843)
...
> 1 processes are unconfined but have a profile defined.
>    /usr/lib/firefox-esr/firefox-esr (1798)

Which binary does your custom profile apply to?
Can you share it?

Reco

