Development environment

Set up a development environment suitable for modifying AppArmor profiles

sudo mount -o remount,rw /  # make the root filesystem writable so /etc/apparmor.d can be edited
sudo apt-get install vim  # or your favourite text editor
sudo apt-get install apparmor-utils

Add or modify the AppArmor profile

  1. Create or modify the profile in /etc/apparmor.d
    • Profiles are named after the full path to the executable they confine, with / replaced by .
    • See below for guidance on the profile language; if creating a profile from scratch, you could use aa-genprof to bootstrap it (again, see below)
  2. Test the profile’s syntax by parsing it: sudo apparmor_parser -r < /etc/apparmor.d/my.new.profile (-r replaces any already-loaded version of the profile)
  3. Update the cache: /lib/apparmor/recache-profiles
  4. Reboot to ensure the new profile is loaded correctly
  5. Check the profile is loaded and enforcing by running sudo aa-status
  6. Run the program you’re confining, then check for AppArmor denials:
    • sudo grep DENIED /var/log/audit/audit.log
    • sudo journalctl -b | grep DENIED
  7. If denials remain, return to step #1: modify the profile to account for the denials, then re-parse and re-test it
  8. Once the profile is perfect, submit it for review, then add it to the relevant package, typically in the debian/apparmor.d directory
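As an added example (not code from the original page or its project), the following POSIX shell helpers cover three of the steps above: deriving the profile file name from the executable path (step 1), a dry-run syntax check that assumes apparmor_parser’s --skip-kernel-load and --skip-cache options (a variant of step 2 that loads nothing into the kernel), and a summary of DENIED records in either audit.log or journalctl format (step 6). The function names, the path /usr/bin/myprog and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example helpers for the AppArmor profile workflow (not code from
# the original page). Assumptions: POSIX sh with sed, awk, sort and grep;
# the executable /usr/bin/myprog and the sample log lines are constructed.

# Step 1: derive the conventional profile file name from an executable
# path: drop the leading slash and replace every remaining / with a dot,
# e.g. /usr/bin/myprog -> usr.bin.myprog
profile_name_for() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#.#g'
}

# Step 2 variant: parse a profile without loading it into the kernel
# (assumes apparmor_parser's --skip-kernel-load and --skip-cache options).
# Returns the parser's exit status, or 2 when apparmor_parser is not installed.
check_profile_syntax() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    apparmor_parser --skip-kernel-load --skip-cache "$1"
}

# Step 6: reduce DENIED audit records (audit.log or journalctl format) to
# unique "profile operation name requested_mask" tuples, one per line.
# Tokenising on whitespace and picking key=value tokens by key keeps this
# robust to extra fields such as info="..." that may contain spaces.
summarise_denials() {
    grep 'apparmor="DENIED"' "$1" | awk '
    {
        profile = ""; op = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "profile") profile = val
            else if (key == "operation") op = val
            else if (key == "name") name = val
            else if (key == "requested_mask") mask = val
        }
        if (profile != "") print profile, op, name, mask
    }' | sort -u
}

# Constructed sample: two distinct denials, one of them repeated, plus a
# complain-mode ALLOWED record that a grep for DENIED deliberately skips.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1700000000.101:301): apparmor="DENIED" operation="open" profile="/usr/bin/myprog" name="/etc/shadow" pid=1234 comm="myprog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 01 00:00:02 host kernel: audit: type=1400 audit(1700000000.102:302): apparmor="DENIED" operation="open" profile="/usr/bin/myprog" name="/var/lib/myprog/state" pid=1234 comm="myprog" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:303): apparmor="DENIED" operation="open" profile="/usr/bin/myprog" name="/etc/shadow" pid=1234 comm="myprog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:304): apparmor="ALLOWED" operation="open" profile="/usr/bin/myprog" name="/tmp/scratch" pid=1234 comm="myprog" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF

# Example run: the profile file name, then the unique denials to turn
# into rules in step 7 (two lines for the sample above).
profile_name_for /usr/bin/myprog
summarise_denials "$SAMPLE_LOG"
```

Two points the summary makes visible: the profile file name drops the leading slash (usr.bin.myprog, not .usr.bin.myprog), and a profile running in complain mode logs apparmor="ALLOWED" rather than DENIED, so the grep in step 6 only reports denials from profiles that are actually enforcing; check aa-status (step 5) before concluding that a silent log means a complete profile.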

References

Creating a profile

Profile language