Apparmor is not throwing DENIAL messages
Hi Team,
I was trying to enable apparmor on openBMC (https://github.com/openbmc/openbmc). I pulled apparmor into the openbmc image through the yocto bitbake recipe (http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-security/AppArmor/apparmor_2.11.0.bb?h=pyro).
Issue: After that I made a profile for one of the applications, but I am not getting any DENIAL message although my profile is empty.
What I did:
- I wrote the following profile
root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
# Last Modified: Thu Jul 29 14:30:33 2021
#include <tunables/global>

/usr/bin/phosphor-network-snmpconf flags=(complain) {
  #include <abstractions/base>
}
- Reload the apparmor profiles
systemctl apparmor reload
I ran the binary in complain mode with the following command.
aa-complain /usr/bin/phosphor-network-snmpconf
Setting /usr/bin/phosphor-network-snmpconf to complain mode.
[ 875.716595] kauditd_printk_skb: 40 callbacks suppressed
[ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"
Restart the snmp service, which internally calls phosphor-network-snmpconf
systemctl restart xyz.openbmc_project.Network.SNMP.service
- What the above service file looks like:
- Output of aa-status as follows:
============================
root@abc:~# aa-status
apparmor module is loaded.
48 profiles are loaded.
47 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
php-fpm
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
1 profiles are in complain mode.
/usr/bin/phosphor-network-snmpconf
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.
0 processes are in kill mode.
- Source code of snmp service : https://github.com/openbmc/phosphor-snmp
My expectation was that when I run the SNMP service, it should throw DENIAL messages, but I am not getting any. The only apparmor message I am getting is "profile_replace".
Can you please let me know where I am making the mistake, so that apparmor starts throwing AVC DENIAL messages?
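Added example, not part of the original post: the aa-status output above lists PID 825 of /usr/bin/phosphor-network-snmpconf as "unconfined but have a profile defined", and the kernel records the confinement label it actually applied to a task in /proc/<pid>/attr/apparmor/current (older kernels only have /proc/<pid>/attr/current). The POSIX shell script below reads that label for a PID and compares it with the profile name that is expected to confine it, so the check can be repeated after each service restart. The function names are this example's own; the PID and profile path are the ones from the post, and the sample labels in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify which AppArmor label
# the kernel holds for a running process, independent of what aa-status
# summarises. Labels look like "unconfined",
# "/usr/bin/phosphor-network-snmpconf (complain)" or "... (enforce)".

# Print the raw confinement label of a PID, trying the newer attr path
# first and the legacy one second. Returns 1 if neither file is readable.
confinement_of() {
    pid="$1"
    for f in "/proc/$pid/attr/apparmor/current" "/proc/$pid/attr/current"; do
        if [ -r "$f" ]; then
            tr -d '\0' < "$f"
            return 0
        fi
    done
    return 1
}

# Map a label to its mode: unconfined, complain, enforce or other.
classify_label() {
    label="$1"
    case "$label" in
        unconfined|"")  echo unconfined ;;
        *" (complain)") echo complain ;;
        *" (enforce)")  echo enforce ;;
        *)              echo other ;;
    esac
}

# Compare a label with the expected profile path. Returns 0 only when the
# label names that profile (in any mode); prints a one-line verdict.
check_label() {
    label="$1"; expected="$2"
    mode="$(classify_label "$label")"
    case "$label" in
        "$expected ("*)
            echo "confined by $expected ($mode)"
            return 0 ;;
        *)
            echo "NOT confined by $expected (label: '${label:-<none>}')"
            return 1 ;;
    esac
}

# Read the label of a live PID and run the comparison on it.
check_process() {
    pid="$1"; expected="$2"
    label="$(confinement_of "$pid")" || { echo "pid $pid: no attr file"; return 1; }
    printf 'pid %s: ' "$pid"
    check_label "$label" "$expected"
}

# Usage: ./check_confinement.sh <pid> <profile-path>
# e.g.   ./check_confinement.sh 825 /usr/bin/phosphor-network-snmpconf
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_process "$1" "$2"
fi
```

A process only picks up a profile when it is exec'd after the profile is loaded, so run the check against the PID that exists after the systemctl restart, not a PID recorded earlier. Note also that a profile in complain mode logs the operations it would have blocked with apparmor="ALLOWED" rather than apparmor="DENIED"; apparmor="DENIED" lines only appear once the profile is in enforce mode, which is worth keeping in mind when grepping dmesg or the audit log for the expected denials.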