px - discrete profile execute

Px - discrete profile execute after scrubbing the environment

ix - inherit execute

m - allow PROT_EXEC with mmap(2) calls

l - link

For more information about complete AppArmor profile syntax, please see the apparmor.d man page.
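As an added illustration of the access modes listed above (this is example code written for this page, not a tool from the manual; apparmor_parser remains the authority on profile syntax), the following script parses the file rules of a constructed sample profile, splits each rule's mode string into individual modes, and flags rules that use unknown modes, combine several exec modes, or use the unconfined execute modes ux/Ux. The modes r, w, ux and Ux are assumed from the apparmor.d man page; they are not part of the excerpt above.

```python
"""Parse the file rules of an AppArmor profile and validate their access modes.

Added example: a constructed profile and a small checker, not tooling from the
manual. apparmor_parser remains the authority on profile syntax."""
import re

# Access modes from the apparmor.d man page. px, Px, ix, m and l are the ones
# described in this section; r, w and ux/Ux are standard apparmor.d modes
# that this example assumes in addition.
SIMPLE_MODES = {"r", "w", "m", "l"}
EXEC_MODES = {"ix", "px", "Px", "ux", "Ux"}

# Constructed sample profile (not from the manual) exercising each mode.
SAMPLE_PROFILE = """
/usr/sbin/example {
  /etc/example.conf r,
  /var/log/example.log w,
  /var/lib/example/** rwl,
  /usr/lib/libexample.so.* rm,
  /usr/bin/helper px,
  /usr/bin/other Px,
  /bin/sh ix,
  /usr/bin/broken rq,
}
"""

HEADER_RE = re.compile(r"^\s*(\S+)\s*\{\s*$")
RULE_RE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+),\s*$")


def split_modes(mode_str):
    """Split 'rwl' into ['r', 'w', 'l'] and 'rPx' into ['r', 'Px'].

    Exec modes are two characters; every other mode is a single letter."""
    modes, i = [], 0
    while i < len(mode_str):
        if mode_str[i:i + 2] in EXEC_MODES:
            modes.append(mode_str[i:i + 2])
            i += 2
        else:
            modes.append(mode_str[i])
            i += 1
    return modes


def parse_profile(text):
    """Return (profile_name, [(path, [modes]), ...]) for one profile."""
    name, rules = None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header and name is None:
            name = header.group(1)
            continue
        rule = RULE_RE.match(line)
        if rule:
            rules.append((rule.group(1), split_modes(rule.group(2))))
    return name, rules


def validate_rules(rules):
    """Return human-readable findings for each rule that needs attention."""
    findings = []
    for path, modes in rules:
        unknown = [m for m in modes if m not in SIMPLE_MODES | EXEC_MODES]
        if unknown:
            findings.append(f"{path}: unknown mode(s) {unknown}")
        execs = [m for m in modes if m in EXEC_MODES]
        if len(execs) > 1:
            findings.append(f"{path}: conflicting exec modes {execs}")
        if any(m in ("ux", "Ux") for m in execs):
            # Hygiene warning added by this example: ux/Ux runs the child
            # without any profile, which defeats confinement.
            findings.append(f"{path}: unconfined execute ({execs[0]})")
    return findings


if __name__ == "__main__":
    profile_name, profile_rules = parse_profile(SAMPLE_PROFILE)
    print(f"profile {profile_name}: {len(profile_rules)} file rules")
    for finding in validate_rules(profile_rules):
        print("  !", finding)
```

The checker deliberately treats px and Px as distinct modes: both switch the child to its own profile, but only Px scrubs the environment first, so a review of a profile should see which of the two each rule uses rather than a generic "execute".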

AppArmor profiles are loaded into the kernel by the apparmor_parser tool. apparmor_parser can load new profiles, replace profiles, and remove profiles. Profiles can optionally and individually be selected to be loaded in “Complain” mode so that AppArmor does not enforce the profile but just logs an error message if access would be denied by AppArmor with the profile. For more information on apparmor_parser, see the apparmor_parser man page.

AppArmor also provides a status tool, apparmor_status. apparmor_status provides information about the number of profiles loaded in enforcing and complaining mode and the number of running processes being confined by AppArmor. For more information on apparmor_status please see the apparmor_status man page.

The confined program reports which programs with open network sockets are running without the protection of an AppArmor profile. The complain program allows an authorized administrator to switch AppArmor out of enforcing mode and into complaining mode for a targeted program. The enforce program allows an authorized administrator to do the opposite, switch from complain to enforcing mode for a particular profile. genprof can be used to generate a profile with all of the permissions that were exercised during a test run of the targeted program. Please see the confined, enforce, complain, and genprof man pages for more detail.

For an application contained by an AppArmor profile, access that is not explicitly allowed is denied.

5.8.2 AppArmor access control functions

AppArmor access control functions are called through LSM hooks from various points in the kernel when new subjects and objects are created, when access between subject and object is mediated, and when subject and object security attributes transition to different values (such as during an execve() call). The AppArmor profile is applied to a process during the execve() call. If an AppArmor profile for an executable is loaded after instances of that executable have already started running, the preexisting processes will not be confined by AppArmor. Please see the apparmor man page for additional detail.

5.8.3 securityfs

Communication between the AppArmor kernel component and the AppArmor administrative utilities takes place through the securityfs interface, mounted at /sys/kernel/security/apparmor. apparmor_parser uses /sys/kernel/security/apparmor/.load to load new profiles and likewise uses /sys/kernel/security/apparmor/.replace and /sys/kernel/security/apparmor/.remove to replace and remove profiles. apparmor_status uses /sys/kernel/security/apparmor/profiles to generate the status report.
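To make the securityfs interface and the status tools concrete, here is an added example (written for this page, not the apparmor_status or confined tools themselves) that works on constructed data: it parses a listing in the format of /sys/kernel/security/apparmor/profiles (one "name (mode)" entry per line) to count profiles in enforce and complain mode as apparmor_status does, splits a set of processes into confined and unconfined using the "unconfined" or "profile (mode)" label that /proc/<pid>/attr/current carries for AppArmor, and singles out the case described in 5.8.2: a process whose executable has a loaded profile but which is still unconfined because it started before the profile was loaded. The file formats and the process table are assumptions of the example, not facts quoted from the manual.

```python
"""Summarize AppArmor state from securityfs and per-process labels.

Added example with constructed data, not the apparmor_status or confined
tools themselves; the file formats it assumes are noted inline."""
import os
import re
from collections import Counter

# Constructed stand-in for /sys/kernel/security/apparmor/profiles, which
# lists one "name (mode)" entry per loaded profile.
PROFILES_SNAPSHOT = """\
/usr/sbin/ntpd (enforce)
/usr/sbin/sshd (enforce)
/usr/sbin/cupsd (complain)
/usr/sbin/example (complain)
"""

# Constructed stand-in for running processes: pid -> (executable path,
# content of /proc/<pid>/attr/current). The attribute holds "unconfined"
# or "<profile> (<mode>)" for tasks confined by AppArmor.
PROCESSES = {
    1201: ("/usr/sbin/ntpd", "/usr/sbin/ntpd (enforce)"),
    1340: ("/usr/sbin/sshd", "/usr/sbin/sshd (enforce)"),
    1402: ("/usr/sbin/cupsd", "unconfined"),  # started before its profile was loaded
    1500: ("/bin/bash", "unconfined"),          # no profile exists for it
}

LABEL_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<mode>\w+)\)\s*$")


def parse_profiles(text):
    """Return {profile_name: mode} from a profiles listing."""
    profiles = {}
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles


def count_by_mode(profiles):
    """Loaded profiles per mode, the figures apparmor_status reports."""
    return dict(Counter(profiles.values()))


def confinement_report(processes):
    """Split processes into {pid: (profile, mode)} and a sorted list of
    unconfined pids, the information the confined tool builds on."""
    confined, unconfined = {}, []
    for pid, (_exe, label) in processes.items():
        m = LABEL_RE.match(label.strip())
        if m:
            confined[pid] = (m.group("name"), m.group("mode"))
        else:
            unconfined.append(pid)
    return confined, sorted(unconfined)


def started_before_profile(profiles, processes):
    """PIDs running unconfined although a profile named after their
    executable is loaded: the profile was loaded after the process started,
    so the process must be restarted to pick up confinement."""
    _confined, unconfined = confinement_report(processes)
    return [pid for pid in unconfined if processes[pid][0] in profiles]


def read_live_profiles(path="/sys/kernel/security/apparmor/profiles"):
    """Read the real securityfs listing if it is mounted and readable,
    otherwise return None (reading it normally requires root)."""
    try:
        with open(path) as f:
            return parse_profiles(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    profiles = parse_profiles(PROFILES_SNAPSHOT)
    print("profiles by mode:", count_by_mode(profiles))
    confined, unconfined = confinement_report(PROCESSES)
    print("confined:", confined)
    print("unconfined pids:", unconfined)
    print("restart to confine:", started_before_profile(profiles, PROCESSES))
    live = read_live_profiles()
    if live is not None:
        print("live profiles by mode:", count_by_mode(live))
```

Matching on the executable path is the simplest heuristic for "a profile exists for this process"; profile names on the page follow that convention, so a process listed as unconfined while its executable's profile is loaded is exactly the situation in which loading the profile did not retroactively confine it.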

IBM 10 SP1 EAL4 manual AppArmor access control functions, Securityfs