root@geeko:/home/cb/linuxtag/apparmor/scripts> aa-genprof ./hello
Writing updated profile for /home/cb/linuxtag/apparmor/scripts/hello.
Setting /home/cb/linuxtag/apparmor/scripts/hello to complain mode.

Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information:
http://wiki.apparmor.net/index.php/Profiles

Please start the application to be profiled in another window and exercise its functionality now.

Once completed, select the "Scan" button below in order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied.

Profiling: /home/cb/linuxtag/apparmor/scripts/hello

[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Execute: /usr/bin/cat
Severity: unknown

(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Execute: /usr/bin/rm
Severity: unknown

(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish

Should AppArmor sanitize the environment when switching profiles?

Sanitizing the environment is more secure, but some applications depend on the presence of LD_PRELOAD or LD_LIBRARY_PATH.

(Y)es / [(N)o]
Complain-mode changes:

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Path: /dev/tty
Mode: rw
Severity: 9

 1 - #include
 2 - #include
 3 - #include
[4 - /dev/tty]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /dev/tty rw to profile.

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Path: /home/sys-tmp/hello.txt
Mode: rw
Severity: 6

 1 - /home/sys-tmp/hello.txt
[2 - /home/*/hello.txt]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Path: /home/sys-tmp/hello.txt
Mode: rw
Severity: 6

[1 - /home/sys-tmp/hello.txt]
 2 - /home/*/hello.txt

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /home/sys-tmp/hello.txt rw to profile.

Profile: /home/cb/linuxtag/apparmor/scripts/hello^/usr/bin/rm
Path: /home/sys-tmp/hello.txt
Mode: w
Severity: 6

 1 - /home/sys-tmp/hello.txt
[2 - /home/*/hello.txt]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile: /home/cb/linuxtag/apparmor/scripts/hello^/usr/bin/rm
Path: /home/sys-tmp/hello.txt
Mode: w
Severity: 6

[1 - /home/sys-tmp/hello.txt]
 2 - /home/*/hello.txt

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /home/sys-tmp/hello.txt w to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /home/cb/linuxtag/apparmor/scripts/hello]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/cb/linuxtag/apparmor/scripts/hello.

Profiling: /home/cb/linuxtag/apparmor/scripts/hello

[(S)can system log for AppArmor events] / (F)inish
Setting /home/cb/linuxtag/apparmor/scripts/hello to enforce mode.

Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile! See the following wiki page for more information:
http://wiki.apparmor.net/index.php/Profiles

Finished generating profile for /home/cb/linuxtag/apparmor/scripts/hello.
root@geeko:/home/cb/linuxtag/apparmor/scripts> aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /home/cb/linuxtag/apparmor/scripts/hello
Path: /usr/bin/rm
Old Mode: Cx
New Mode: rCx
Severity: unknown

[1 - /usr/bin/rm]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /usr/bin/rm rCx to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /home/cb/linuxtag/apparmor/scripts/hello]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/cb/linuxtag/apparmor/scripts/hello.