=== chris14_ is now known as chris14
snctfdhowdy, been working with apparmor and noticed some subprofiles were being generated and showing up in apparmor_status, e.g. `[base profile]//null-/bin/cat`. the documentation seems to vaguely hint that this is a "dynamically generated learning profile" (as per https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorProfileSpec#special-prefixes), but i'd like to know when exactly these are created09:37
ebarrettojjohansen, ^09:38
snctfdfor context, the base profile is running in complain mode and most (if not all) executables specified in the profile are marked as `ix` - am i correct in assuming that the permitted executables will not trigger the creation of these learning profiles, since they are set to inherit the base profile?09:41
snctfdin this case, `/bin/cat` is not actually allowed in the profile, so i'm assuming the default behavior given that the profile is in complain mode is simply "complain and assign the new process a learning profile"09:44
jjohansensnctfd, ebarretto: those null-XXX profiles are created when a profile is in complain mode and it executes an application without matching a rule in the profile. This is done even if the application has a profile defined because apparmor does not know if the application being executed will use the predefined profile or if the complain profile will use a different profile, inherit ...10:38
jjohansensnctfd: you are correct that if a rule exists that specifies ix then the application should inherit and not create a null-XXX profile10:39
jjohansenand yes, because /bin/cat does not have a rule covering it that would be why it gets a null-XXX profile10:40
snctfdjjohansen, gotcha, thanks a lot :)10:54
snctfdjjohansen: follow-up question - what rules exactly do these null-XXX profiles contain? is it just an "audit everything" type deal?10:59
jjohansensnctfd: well atm, they contain no rules, and unfortunately an old set abi. That is they don't inherit the parents abi11:00
jjohansenthis means they won't audit some rule types atm11:00
jjohansenand they will re-audit accesses on each occurance11:00
jjohansenso, pita. Good to get rid of as soon as possible11:01
jjohansenthere is wip to give them a cache so they can remember what has already been audited11:01
jjohansenand also inherit the parent profile abi11:02
jjohansenthe cache will have a size limit but it should greatly reduce repeat audit11:02
jjohansenbut that hasn't landed yet, and I don't expect we will get it done for mantic with the feature window being only a few weeks away and other stuff a priority11:03
snctfdthat makes sense, will keep an eye out for it going forward :)11:04
snctfdlast question, hopefully; is there a way to change the default behavior when executing disallowed files in complain mode from "give child a null-XXX profile" to "inherit profile"?11:04
snctfdhaven't been able to find anything about this so i'm assuming there isn't, but worth a shot asking lol11:04
jjohansensorry no there isn't. You might be able to get away with a generic exec rule, ie.11:08
jjohansen  /** ix,11:08
jjohansenbut if you have any other type of x rule in the profile it will cause conflicts. That is something I hope we can have fixed for 23.1011:08
snctfdyeah, thought that might be the case11:09
snctfdthanks for your time, much appreciated :))11:09
=== chris14_ is now known as chris14
=== JanC_ is now known as JanC

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!