Welcome to the Linux Foundation Forum!

Lab 33.2. Explore the AppArmor Security not practicable under Ubuntu 22.04?

Posts: 5
edited December 2024 in LFS207 Class Forum

I cannot do the lab exercise 33.2 in the described form.

Essentially there are two main issues:

Creating a new binary ping-x makes that one entirely accessible without any restrictions from AppArmor, as there is no global rule to block anything new.
I created a restricted file /etc/apparmor.d/usr.bin.ping-x and then dug further to allow functionality with dmesg | grep DENIED
As the second issue, aa-genprof /usr/bin/ping-x didn't do a correct job (it seems apparmor="DENIED" operation="file_mmap" is not detected correctly and only read permissions are given).
So I reviewed it on my own and added the necessary permissions:

/usr/bin/ping-x {
  # raw sockets for ICMP
  capability net_raw,

  network inet,
  deny network inet6,

  # r = read, m = mmap with PROT_EXEC (shared libraries)
  /etc/ld.so.cache rm,
  /usr/lib/** rm,
}

followed by apparmor_parser -r /etc/apparmor.d/usr.bin.ping-x.

Then I could follow the exercise in some way. Blocking IPv6 did not work either, but I did not follow that further.

Did I miss anything, or is the exercise tested under openSUSE, which behaves differently?
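The manual review of `dmesg | grep DENIED` output described in the post can be scripted. The following is an added example, not part of the original post or of the course material: it parses AppArmor denial records for one profile and merges them into candidate rules, so a `file_mmap` denial ends up as `m` next to the `r` from the earlier open. The sample log lines are constructed, and the names `parse_denial` and `suggest_rules` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of kernel audit lines, in the format `dmesg | grep apparmor` prints.
SAMPLE_DMESG = '''\
[  100.9] audit: type=1400 audit(1733000000.090:88): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/ping-x" pid=2190 comm="apparmor_parser"
[  101.1] audit: type=1400 audit(1733000000.101:90): apparmor="DENIED" operation="open" profile="/usr/bin/ping-x" name="/etc/ld.so.cache" pid=2201 comm="ping-x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.2] audit: type=1400 audit(1733000000.102:91): apparmor="DENIED" operation="open" profile="/usr/bin/ping-x" name="/usr/lib/x86_64-linux-gnu/libc.so.6" pid=2201 comm="ping-x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.3] audit: type=1400 audit(1733000000.103:92): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/ping-x" name="/usr/lib/x86_64-linux-gnu/libc.so.6" pid=2201 comm="ping-x" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[  101.4] audit: type=1400 audit(1733000000.104:93): apparmor="DENIED" operation="capable" profile="/usr/bin/ping-x" pid=2201 comm="ping-x" capability=13  capname="net_raw"
[  101.5] audit: type=1400 audit(1733000000.105:94): apparmor="DENIED" operation="create" profile="/usr/bin/ping-x" pid=2201 comm="ping-x" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
[  101.6] audit: type=1400 audit(1733000000.106:95): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/tmp/x" pid=2300 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PERM_ORDER = "rwaklm"  # file permissions emitted here; exec (x) is left out on purpose

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def suggest_rules(log_text, profile):
    """Merge all denials logged for `profile` into a sorted list of candidate rules."""
    files, rules = defaultdict(set), set()
    for line in log_text.splitlines():
        ev = parse_denial(line)
        if not ev or ev.get("profile") != profile:
            continue
        if "capname" in ev:
            rules.add(f"capability {ev['capname']},")
        elif "family" in ev:
            rules.add(f"network {ev['family']} {ev['sock_type']},")
        elif "name" in ev:
            # create (c) and delete (d) denials are granted by 'w' in a profile;
            # exec denials need a transition mode (ix/px/...) chosen by hand.
            mask = ev.get("denied_mask", "").replace("c", "w").replace("d", "w")
            files[ev["name"]].update(ch for ch in mask if ch in PERM_ORDER)
    for path, perms in files.items():
        if perms:
            rules.add(f"{path} {''.join(p for p in PERM_ORDER if p in perms)},")
    return sorted(rules)

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_DMESG, "/usr/bin/ping-x")))
```

Each denial only shows up after the previous one has been allowed and the profile reloaded, so the script is rerun after every `apparmor_parser -r` until no new DENIED lines appear; the suggested rules are candidates to review, not a finished profile.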
