# NOVELL (All rights reserved)
# Copyright (c) 2010, 2011, 2012
# Canonical Ltd. (All rights reserved)
# This program is free software; you can redistribute it and/or
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Canonical Ltd.
# ----------------------------------------------------------------------
AppArmor confinement is provided via I<profiles> loaded into the kernel
via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
SysV initscript (on Ubuntu, also see UBUNTU POLICY LOAD, below), which is used
like this:

  # /etc/init.d/apparmor start
  # /etc/init.d/apparmor stop

A confined process cannot call mknod(2) to create character or block devices.

=head1 UBUNTU POLICY LOAD

Ubuntu systems use Upstart instead of a traditional SysV init system. Because
Upstart is an event-driven init system, and policy must be loaded before a
confined program executes, Ubuntu loads policy in two stages: first via Upstart
jobs for binaries that are started in early boot, and then via a SysV
initscript that starts at S37 for all remaining policy. When developing
policy it is important to know how your application is started and whether
policy load needs to be handled specially.

In general, nothing extra has to be done for applications without an initscript
or with an initscript that starts after AppArmor's second stage initscript.

If the confined application has an Upstart job, adjust the job to call
F</lib/init/apparmor-profile-load> with the filename of the policy file
(relative to F</etc/apparmor.d/>). For example:

  /lib/init/apparmor-profile-load usr.bin.foo

If the confined application does not have an Upstart job but it starts before
AppArmor's second stage initscript, then add a symlink from the policy file in
F</etc/apparmor.d> to F</etc/apparmor/init/network-interface-security/>. For
example:

  # cd /etc/apparmor/init/network-interface-security/
  # ln -s /etc/apparmor.d/usr.bin.foo .

The network-interface-security Upstart job will load all the symlinked policy
files in F</etc/apparmor/init/network-interface-security/> before any network
interfaces come up. Because network interfaces come up very early in the boot
process, this will help ensure that AppArmor policy is loaded before the
confined application starts.

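As an added example (not from this man page or the AppArmor project), a small POSIX shell helper that performs the early-load symlink step above with basic validation, and checks the kernel's profile listing so an Upstart pre-start stanza can refuse to start an application whose policy is not yet loaded. The directory paths and the F</sys/kernel/security/apparmor/profiles> line format ("name (mode)") are assumptions, and all paths are parameters so the demo runs against a constructed tree.

```shell
#!/bin/sh
# Added example, not part of the AppArmor man page or project. Assumes the
# layout described above (profiles in /etc/apparmor.d, early-load symlinks in
# /etc/apparmor/init/network-interface-security) and the kernel listing
# /sys/kernel/security/apparmor/profiles with one "<name> (<mode>)" per line.

# link_early_profile PROFILE_FILE APPARMOR_D EARLY_DIR
# Mark a profile for early load by symlinking it into EARLY_DIR. Rejects names
# containing "/" or starting with "..", and never creates a dangling link.
link_early_profile() {
    name=$1; src_dir=$2; early_dir=$3
    case "$name" in
        */* | ..*) echo "refusing path-like profile name: $name" >&2; return 1 ;;
    esac
    [ -f "$src_dir/$name" ] || { echo "no such profile file: $src_dir/$name" >&2; return 1; }
    mkdir -p "$early_dir" || return 1
    ln -sf "$src_dir/$name" "$early_dir/$name"
}

# profile_loaded PROFILE_NAME [PROFILES_FILE]
# Exit 0 if the kernel lists PROFILE_NAME (e.g. /usr/bin/foo) in any mode,
# 1 if it is absent, 2 if the listing is unreadable (AppArmor not enabled).
# Intended for an Upstart pre-start stanza that fails fast instead of
# letting the application start unconfined.
profile_loaded() {
    name=$1; listing=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$listing" ] || return 2
    while IFS= read -r line; do
        # strip the trailing " (enforce)" / " (complain)" mode marker
        [ "${line% (*}" = "$name" ] && return 0
    done < "$listing"
    return 1
}

# demo: exercise both helpers on a constructed tree and listing (sample data).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/apparmor.d"
    printf '/usr/bin/foo {\n}\n' > "$tmp/apparmor.d/usr.bin.foo"
    printf '/usr/bin/foo (enforce)\n/usr/sbin/bar (complain)\n' > "$tmp/profiles"
    link_early_profile usr.bin.foo "$tmp/apparmor.d" "$tmp/nis" || return 1
    [ -L "$tmp/nis/usr.bin.foo" ] || return 1
    profile_loaded /usr/bin/foo "$tmp/profiles" || return 1
    profile_loaded /usr/bin/baz "$tmp/profiles" && return 1
    rm -rf "$tmp"
    echo "early-load link created and loaded-profile check behaves as expected"
}

demo
```
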
When a confined process tries to access a file it does not have permission