Re: Apparmor: 1 processes are unconfined but have a profile defined

On Fri, Jul 30, 2021 at 3:24 PM Ratan Gupta <ratankgupta31@gmail.com> wrote:

Hi Team,

Looking for your help.

I have gone through the following link where the similar issue was asked.

https://lists.debian.org/debian-user/2018/07/msg00542.html

Issue: I made a profile for the application, and it is not getting confined by the apparmor.

What I did:

1) I wrote the following profile

root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
# Last Modified: Thu Jul 29 14:30:33 2021
#include <tunables/global>

/usr/bin/phosphor-network-snmpconf flags=(complain) {
  #include <abstractions/base>

  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/bin/phosphor-network-snmpconf mr,
}

2) Reload the apparmor profiles
/etc/init.d/apparmor reload

3)

I ran the binary under complain mode through the following command.

aa-complain /usr/bin/phosphor-network-snmpconf

Setting /usr/bin/phosphor-network-snmpconf to complain mode.

[ 875.716595] kauditd_printk_skb: 40 callbacks suppressed

[ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"



4)

Restart the snmp service which internally calls the phosphor-network-snmpconf

systemctl restart xyz.openbmc_project.Network.SNMP.service

4) How the above service file looks like

https://github.com/openbmc/openbmc/blob/1497c9c9c743277815d7b19f6112bf20c1e24c4f/meta-phosphor/recipes-phosphor/network/phosphor-snmp/xyz.openbmc_project.Network.SNMP.service

5) Output of aa-status as follows:

============================

root@abc:~# aa-status

apparmor module is loaded.

48 profiles are loaded.

47 profiles are in enforce mode.

   /usr/lib/apache2/mpm-prefork/apache2

   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI

   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT

   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo

   apache2

   apache2//DEFAULT_URI

   apache2//HANDLING_UNTRUSTED_INPUT

   apache2//phpsysinfo

   avahi-daemon

   dnsmasq

   dnsmasq//libvirt_leaseshelper

   dovecot

   dovecot-anvil

   dovecot-auth

   dovecot-config

   dovecot-deliver

   dovecot-dict

   dovecot-dovecot-auth

   dovecot-dovecot-lda

   dovecot-dovecot-lda//sendmail

   dovecot-imap

   dovecot-imap-login

   dovecot-lmtp

   dovecot-log

   dovecot-managesieve

   dovecot-managesieve-login

   dovecot-pop3

   dovecot-pop3-login

   dovecot-script-login

   dovecot-ssl-params

   dovecot-stats

   identd

   klogd

   lsb_release

   mdnsd

   nmbd

   nscd

   ntpd

   php-fpm

   ping

   smbd

   smbldap-useradd

   smbldap-useradd///etc/init.d/nscd

   syslog-ng

   syslogd

   traceroute

   winbindd

1 profiles are in complain mode.

   /usr/bin/phosphor-network-snmpconf

0 profiles are in kill mode.

0 profiles are in unconfined mode.

1 processes have profiles defined.

0 processes are in enforce mode.

0 processes are in complain mode.

1 processes are unconfined but have a profile defined.

   /usr/bin/phosphor-network-snmpconf (825)

0 processes are in mixed mode.

0 processes are in kill mode.

7) Source code of snmp service : https://github.com/openbmc/phosphor-snmp

Expectation was that when I run the SNMP service , it should throw the DENIAL messages but I am not getting any DENIAL messages as the process is unconfined.

Can you please let me know where I am making the mistake.

Ratan