1
# $Id: logprof.pod 190 2006-11-03 09:47:55Z seth_arnold $
2
# This publication is intellectual property of Novell Inc. Its contents
3
# can be duplicated, either in part or in whole, provided that a copyright
4
# label is visibly located on each copy.
6
# All information found in this book has been compiled with utmost
7
# attention to detail. However, this does not guarantee complete accuracy.
8
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
9
# liable for possible errors or the consequences thereof.
11
# Many of the software and hardware descriptions cited in this book
12
# are registered trademarks. All trade names are subject to copyright
13
# restrictions and may be registered trade marks. SUSE LINUX GmbH
14
# essentially adheres to the manufacturer's spelling.
16
# Names of products and trademarks appearing in this book (with or without
17
# specific notation) are likewise subject to trademark and trade protection
18
# laws and may thus fall under copyright restrictions.
20
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
27
logprof - utility program for managing AppArmor security profiles
31
B<logprof [I<-d /path/to/profiles>] [I<-f /path/to/logfile>] [I<-m E<lt>mark in logfileE<gt>>]>
35
B<-d --dir /path/to/profiles>
37
The path to where the AppArmor security profiles are stored
39
B<-f --file /path/to/logfile>
41
The path to the location of the logfile that contains AppArmor
44
B< -m --logmark "mark">
46
logprof will ignore all events in the system log before the
47
specified mark is seen. If the mark contains spaces, it must
48
be surrounded with quotes to work correctly.
52
B<logprof> is an interactive tool used to review AppArmor's
53
complain mode output and generate new entries for AppArmor security
56
Running logprof will scan the log file and if there are new AppArmor
57
events that are not covered by the existing profile set, the user will
58
be prompted with suggested modifications to augment the profile.
60
When logprof exits profile changes are saved to disk. If AppArmor is
61
running, the updated profiles are reloaded and if any processes that
62
generated AppArmor events are still running in the null-complain-profile,
63
those processes are set to run under their proper profiles.
65
=head2 Responding to AppArmor Events
67
B<logprof> will generate a list of suggested profile changes that
68
the user can choose from, or they can create their own, to modifiy the
69
permission set of the profile so that the generated access violation
72
The user is then presented with info about the access including profile,
73
path, old mode if there was a previous entry in the profile for this path,
74
new mode, the suggestion list, and given these options:
76
(A)llow, (D)eny, (N)ew, (G)lob last piece, (Q)uit
78
If the AppArmor profile was in complain mode when the event was generated,
79
the default for this option is (A)llow, otherwise, it's (D)eny.
81
The suggestion list is presented as a numbered list with includes
82
at the top, the literal path in the middle, and the suggested globs
83
at the bottom. If any globs are being suggested, the shortest glob
84
is the selected option, otherwise, the literal path is selected.
85
Picking includes from the list must be done manually.
87
Hitting a numbered key will change the selected option to the
88
corresponding numbered entry in the list.
90
If the user selects (N)ew, they'll be prompted to enter their own globbed
91
entry to match the path. If the user-entered glob does not match the
92
path for this event, they'll be informed and have the option to fix it.
94
If the user selects (G)lob last piece then, taking the currently selected
95
option, logprof will remove the last path element and replace it with /*.
97
If the last path element already was /*, logprof will go up a directory
98
level and replace it with /**.
100
This new globbed entry is then added to the suggestion list and marked
101
as the selected option.
103
So /usr/share/themes/foo/bar/baz.gif can be turned into
104
/usr/share/themes/** by hitting "g" three times.
106
If the user selects (A)llow, logprof will take the current selection
107
and add it to the profile, deleting other entries in the profile that
108
are matched by the new entry.
110
Adding r access to /usr/share/themes/** would delete an entry for r
111
access to /usr/share/themes/foo/*.gif if it exists in the profile.
113
If (Q)uit is selected at this point, logprof will ignore all new pending
114
capability and path accesses.
116
After all of the path accesses have been handled, logrof will write all
117
updated profiles to the disk and reload them if AppArmor is running.
119
=head2 New Process (Execution) Events
121
If there are unhandled x accesses generated by the execve(2) of a
122
new process, logprof will display the parent profile and the target
123
program that's being executed and prompt the user to select and execute
124
modifier. These modifiers will allow a choice for the target to: have it's
125
own profile (px), inherit the parent's profile (ix), run unconstrained
126
(ux), or deny access for the target. See apparmor.d(5) for details.
128
If there is a corresponding entry for the target in the qualifiers
129
section of /etc/logprof.conf, the presented list will contain only the
132
The default option for this question is selected using this logic--
134
# if px mode is allowed and profile exists for the target
136
# else if ix mode is allowed
141
logprof will never suggest "ux" as the default.
143
=head2 ChangeHat Events
145
If unknown change_hat(2) events are found, the user is prompted to add a new
146
hat, if the events should go into the default hat for this profile based
147
on the corresponding entry in the defaulthat section of logprof.conf,
148
or if the following events that run under that hat should be denied
151
=head2 Capability Events
153
If there are capability accesses, the user is shown each capability
154
access and asked if the capability should be allowed, denied, or if the
155
user wants to quit. See capability(7) for details.
159
None. Please report any you find to bugzilla at
160
L<http://bugzilla.novell.com>.
164
klogd(8), auditd(8), apparmor(7), apparmor.d(5), change_hat(2),
165
logprof.conf(5), genprof(1), complain(1), enforce(1), and
166
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
added
removed
docs/logprof.pod
