Closed
Issue created Aug 02, 2021 by Ratan Gupta@ratagupt

Apparmor is not throwing DENIAL messages

Hi Team,

I was trying to enable apparmor on OpenBMC (https://github.com/openbmc/openbmc). I pulled apparmor into the openbmc image through the yocto bitbake recipe (http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-security/AppArmor/apparmor_2.11.0.bb?h=pyro).

Issue: After that I made a profile for one of the applications, but I am not getting any DENIAL message although my profile is empty.

What I did:

  1. I wrote the following profile:

    root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
    # Last Modified: Thu Jul 29 14:30:33 2021
    #include <tunables/global>

    /usr/bin/phosphor-network-snmpconf flags=(complain) {
      #include <abstractions/base>
    }

  2. Reloaded the apparmor profiles:

    systemctl apparmor reload

I ran the binary under complain mode through the following command:

    aa-complain /usr/bin/phosphor-network-snmpconf
    Setting /usr/bin/phosphor-network-snmpconf to complain mode.
    [ 875.716595] kauditd_printk_skb: 40 callbacks suppressed
    [ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"

Restarted the snmp service, which internally calls phosphor-network-snmpconf:

    systemctl restart xyz.openbmc_project.Network.SNMP.service

  3. What the above service file looks like:

https://github.com/openbmc/openbmc/blob/1497c9c9c743277815d7b19f6112bf20c1e24c4f/meta-phosphor/recipes-phosphor/network/phosphor-snmp/xyz.openbmc_project.Network.SNMP.service

  4. Output of aa-status as follows:

    root@abc:~# aa-status
    apparmor module is loaded.
    48 profiles are loaded.
    47 profiles are in enforce mode.
       /usr/lib/apache2/mpm-prefork/apache2
       /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
       /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
       /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
       apache2
       apache2//DEFAULT_URI
       apache2//HANDLING_UNTRUSTED_INPUT
       apache2//phpsysinfo
       avahi-daemon
       dnsmasq
       dnsmasq//libvirt_leaseshelper
       dovecot
       dovecot-anvil
       dovecot-auth
       dovecot-config
       dovecot-deliver
       dovecot-dict
       dovecot-dovecot-auth
       dovecot-dovecot-lda
       dovecot-dovecot-lda//sendmail
       dovecot-imap
       dovecot-imap-login
       dovecot-lmtp
       dovecot-log
       dovecot-managesieve
       dovecot-managesieve-login
       dovecot-pop3
       dovecot-pop3-login
       dovecot-script-login
       dovecot-ssl-params
       dovecot-stats
       identd
       klogd
       lsb_release
       mdnsd
       nmbd
       nscd
       ntpd
       php-fpm
       ping
       smbd
       smbldap-useradd
       smbldap-useradd///etc/init.d/nscd
       syslog-ng
       syslogd
       traceroute
       winbindd
    1 profiles are in complain mode.
       /usr/bin/phosphor-network-snmpconf
    0 profiles are in kill mode.
    0 profiles are in unconfined mode.
    1 processes have profiles defined.
    0 processes are in enforce mode.
    0 processes are in complain mode.
    1 processes are unconfined but have a profile defined.
       /usr/bin/phosphor-network-snmpconf (825)
    0 processes are in mixed mode.
    0 processes are in kill mode.

  5. Source code of the snmp service: https://github.com/openbmc/phosphor-snmp

The expectation was that when I run the SNMP service, it should throw DENIAL messages, but I am not getting any DENIAL messages. The only message I am getting for apparmor is "profile_replace".

Can you please let me know where I am making the mistake, so that apparmor starts throwing the AVC DENIAL messages?

Edited Aug 02, 2021 by Ratan Gupta
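
A way to triage the output quoted in this issue, as an added example that is not part of the original report or of the AppArmor project: it lists processes that aa-status reports as unconfined despite a loaded profile, and counts audit events by class (complain-mode events are logged as apparmor="ALLOWED", not "DENIED"). The sample inputs are constructed from the output above; the second log line and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for "no AppArmor messages" reports.
# SAMPLE_STATUS is constructed from the aa-status output in the issue.
SAMPLE_STATUS='1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.'

# First line is the kernel message from the issue; the second line is a
# constructed example of what a complain-mode event looks like.
SAMPLE_LOG='audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"
audit: type=1400 audit(1627637400.100:120): apparmor="ALLOWED" operation="open" profile="/usr/bin/phosphor-network-snmpconf" name="/etc/example.conf" pid=900 comm="phosphor-network" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print "path pid" for each process that aa-status lists as unconfined even
# though a profile for its binary is loaded. Such a process generates no
# AppArmor events at all, whatever mode the profile is in.
unconfined_with_profile() {   # $1 = aa-status output
    printf '%s\n' "$1" | awk '
        /processes are unconfined but have a profile defined/ { in_sec = 1; next }
        in_sec && /^[0-9]+ (processes|profiles) / { in_sec = 0 }
        in_sec && NF { pid = $NF; gsub(/[()]/, "", pid); print $1, pid }'
}

# Count audit events per apparmor="..." class that mention one binary path.
# Complain mode yields ALLOWED, enforce mode DENIED, profile loads STATUS.
count_events() {              # $1 = log text, $2 = binary path
    printf '%s\n' "$1" | grep -F "\"$2\"" |
        sed -n 's/.*apparmor="\([A-Z_]*\)".*/\1/p' | sort | uniq -c |
        awk '{ print $2 "=" $1 }'
}

# Confinement label of a live process as the kernel reports it, for example
# "unconfined" or "/path/to/binary (complain)".
confinement_of() {            # $1 = pid
    cat "/proc/$1/attr/current" 2>/dev/null || echo "unknown"
}

# Demo on the embedded samples; pass a PID to also inspect a live process.
unconfined_with_profile "$SAMPLE_STATUS"
count_events "$SAMPLE_LOG" /usr/bin/phosphor-network-snmpconf
if [ -n "${1:-}" ]; then
    echo "pid $1 label: $(confinement_of "$1")"
fi
```

On a live system, feed the functions `"$(aa-status)"` and `"$(dmesg)"` (or the audit log) instead of the samples.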