apparmor-session-lockdown-no-deny manual

medium

Image Types:
basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf-internal / target-amd64
Image Deployment:
APT
Type:
functional

Description

Test that the session lockdown profile is not blocking more than it should.


Pre Conditions

  1. Ensure the rootfs is remounted as read/write:
     $ sudo mount -o remount,rw /
  2. Install the dependencies:
     $ sudo apt install apertis-tests-apparmor-report apparmor-utils
  3. Restart the system to restore the filesystem state to read-only before running the test:
     $ sudo reboot

Execution Steps

  1. First of all, clear the auditd log to ensure only new messages are seen:
     $ echo -n | sudo tee /var/log/audit/audit.log
  2. Then reboot the image:
     $ sudo reboot
  3. Ensure pulseaudio is running (there is no need to check the output of the command):
     $ pactl stat
  4. Now ensure AppArmor is enabled and working by running aa-status:
     $ sudo aa-status
  5. Then ensure the audit log file has no AppArmor complaints:
     $ sudo cat /var/log/audit/audit.log | sudo aa_log_extract_tokens.pl REJECTING

Expected

aa-status should show at least the following processes in complain mode:

/usr/bin/Xorg

/usr/sbin/connmand

And at least the following processes in enforce mode:

/usr/bin/pulseaudio

/usr/lib/tracker/tracker-miner-fs

/usr/lib/tracker/tracker-store

/usr/sbin/ofonod

Note that other processes may be listed in any mode, whether enforce, complain, or unconfined; this does not affect the result. Also note that the confinement status of profiles, as opposed to processes, is irrelevant to this test.

The aa_log_extract_tokens.pl command above should have no output.
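As an added example (not part of the Apertis test suite), the following POSIX shell check parses aa-status output and verifies the processes and modes listed above automatically. The aa-status text is constructed, and the exact layout of the "N processes are in ... mode." sections is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Apertis test: parse `aa-status` output and
# verify the processes this test case expects. Sample below is constructed.

# Constructed aa-status output; in practice feed it `sudo aa-status`.
SAMPLE_STATUS='apparmor module is loaded.
2 profiles are in enforce mode.
   /usr/bin/pulseaudio
   /usr/sbin/ofonod
2 profiles are in complain mode.
   /usr/bin/Xorg
   /usr/sbin/connmand
6 processes have profiles defined.
4 processes are in enforce mode.
   /usr/bin/pulseaudio (612) 
   /usr/lib/tracker/tracker-miner-fs (700) 
   /usr/lib/tracker/tracker-store (701) 
   /usr/sbin/ofonod (530) 
2 processes are in complain mode.
   /usr/bin/Xorg (480) 
   /usr/sbin/connmand (455) 
0 processes are unconfined but have a profile defined.'

# process_in_mode MODE PATH: succeed if PATH is listed under the
# "N processes are in MODE mode." section of the aa-status text on stdin.
# "N profiles are in ..." sections are ignored: profiles are irrelevant here.
process_in_mode() {
    awk -v mode="$1" -v path="$2" '
        /^[0-9]+ processes are in / { in_sec = ($0 ~ ("in " mode " mode")); next }
        /^[0-9]+ /                  { in_sec = 0 }
        in_sec && $1 == path        { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_expected STATUS_TEXT: verify every process the test requires,
# reporting each one that is missing or in the wrong mode. Returns 0 on pass.
check_expected() {
    rc=0
    for p in /usr/bin/Xorg /usr/sbin/connmand; do
        printf '%s\n' "$1" | process_in_mode complain "$p" \
            || { echo "FAIL: $p not in complain mode"; rc=1; }
    done
    for p in /usr/bin/pulseaudio /usr/lib/tracker/tracker-miner-fs \
             /usr/lib/tracker/tracker-store /usr/sbin/ofonod; do
        printf '%s\n' "$1" | process_in_mode enforce "$p" \
            || { echo "FAIL: $p not in enforce mode"; rc=1; }
    done
    return $rc
}
```

On a real image, run `check_expected "$(sudo aa-status)"` after step 4 and treat a non-zero exit as a test failure.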