author Guido Günther <agx@sigxcpu.org> 2016-06-05 13:35:00 +0200
committer Guido Günther <agx@sigxcpu.org> 2016-06-05 13:35:00 +0200
commit 756424f87f253437053ea26b5410e09c06f55e30
tree 1b222fc6968f93ea932863034bcd68bdcb4a3743 /development/apparmor-debugging.mdwn
parent bba9879ef6fbff7d3e8b3a491939b23b61fcc976
Some apparmor debugging
Diffstat (limited to 'development/apparmor-debugging.mdwn')
-rw-r--r-- development/apparmor-debugging.mdwn | 24
1 files changed, 24 insertions, 0 deletions
diff --git a/development/apparmor-debugging.mdwn b/development/apparmor-debugging.mdwn
new file mode 100644
index 0000000..8a0244f
--- /dev/null
+++ b/development/apparmor-debugging.mdwn
@@ -0,0 +1,24 @@
+# Apparmor Debugging
+
+First look at the processes profile and skim the [query language][2].
+
+## Tracking denials
+
+Turn on complain mode
+
+ aa-complain <profile>
+
+This does not track [denials][1]. So do a
+
+ apparmor_parser -pq /etc/apparmor.d/the.profile.to.check
+
+and check for denails, turn them into "audit deny" for debugging.
+
+## Other things to watch out for
+
+* Process environments are usually cleared. So if a confined process spawns
+ a subprocess that relies on environments vars this might trigger problems
+
+
+[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218
+[2]: http://wiki.apparmor.net/index.php/QuickProfileLanguage
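Review bot: The "Tracking denials" section says complain mode "does not track [denials][1]" without saying which denials are meant, and the next step misspells the word as "denails". Explicit `deny` rules in a profile stay enforced and are not logged while the profile is in complain mode, which is why the preprocessed output of `apparmor_parser -pq` has to be searched for them; stating that in one sentence would make the procedure understandable without following the bug link. The section should also end with a step to revert the temporary "audit deny" edits and return the profile to enforce mode once debugging is finished, so that a debugging profile is not left deployed. Under "Other things to watch out for", "usually cleared" is vague: say under which exec transitions the environment is scrubbed so the reader knows when to expect it. Minor wording: "processes profile" should read "process's profile" and "environments vars" should be "environment variables".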