Diffstat (limited to 'development/apparmor-debugging.mdwn')
-rw-r--r-- development/apparmor-debugging.mdwn 24
1 files changed, 24 insertions, 0 deletions
diff --git a/development/apparmor-debugging.mdwn b/development/apparmor-debugging.mdwn
new file mode 100644
index 0000000..8a0244f
--- /dev/null
+++ b/development/apparmor-debugging.mdwn
@@ -0,0 +1,24 @@
+# Apparmor Debugging
+
+First look at the processes profile and skim the [query language][2].
+
+## Tracking denials
+
+Turn on complain mode
+
+ aa-complain <profile>
+
+This does not track [denials][1]. So do a
+
+ apparmor_parser -pq /etc/apparmor.d/the.profile.to.check
+
+and check for denails, turn them into "audit deny" for debugging.
+
+## Other things to watch out for
+
+* Process environments are usually cleared. So if a confined process spawns
+ a subprocess that relies on environments vars this might trigger problems
+
+
+[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218
+[2]: http://wiki.apparmor.net/index.php/QuickProfileLanguage
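Review bot: the "Tracking denials" section stops after editing the profile. It never tells the reader to reload the profile once rules have been changed to "audit deny", or to put it back into enforce mode (`aa-enforce <profile>`) and revert the "audit deny" edits when debugging is done, so a reader following it literally ends up with the profile left in complain mode. Please add both steps. The sentence "This does not track [denials][1]" is also ambiguous: from the next step it seems to mean explicit `deny` rules in the profile rather than denials in general, and it would help to say so and to state that `apparmor_parser -pq` is only being used to print the preprocessed profile so those rules can be found. Minor wording: "denails" should be "denials", "the processes profile" should be "the process's profile", "environments vars" should be "environment variables", and the title should use the project's spelling "AppArmor".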