apparmor-session-lockdown-no-deny manual

medium

Image Types:
basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf-internal / target-amd64
Image Deployment:
APT
Type:
functional

Description

Test that the session lockdown profile is not blocking more than it should.


Pre Conditions

  1. Ensure the rootfs is remounted read/write:
     $ sudo mount -o remount,rw /

  2. Install the dependencies:
     $ sudo apt install apertis-tests-apparmor-report apparmor-utils aa-status

  3. Restart the system to restore the filesystem to its read-only state before running the test:
     $ sudo reboot


Execution Steps

  1. Ensure pulseaudio is running (there is no need to check the output of this command):
     $ pactl stat

  2. Ensure AppArmor is enabled and working by running aa-status:
     $ sudo aa-status

  3. Ensure the audit log contains no AppArmor denials:
     $ sudo journalctl -b -t audit -o cat | ./aa_log_extract_tokens.sh DENIED


Expected

aa-status should show at least the following processes in complain mode:

  /usr/bin/Xorg
  /usr/sbin/connmand

and at least the following processes in enforce mode:

  /usr/bin/pulseaudio
  /usr/lib/tracker/tracker-miner-fs
  /usr/lib/tracker/tracker-store
  /usr/sbin/ofonod

Other processes may appear in any state (enforce mode, complain mode, or unconfined); only the processes listed above matter. The mode reported for the profiles themselves, as opposed to the processes, is irrelevant to this test.

The aa_log_extract_tokens.sh command above should produce no output: any line it prints is a DENIED audit record, and therefore a test failure.
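As an added example (not part of this test case or of the apertis-tests-apparmor-report package), the following POSIX shell script applies the expected results above to aa-status output and to audit records. The aa-status text and the audit lines are constructed samples, and the script assumes that denials appear in the journal as apparmor="DENIED", which is the token the aa_log_extract_tokens.sh step filters for.

```shell
#!/bin/sh
# Added example: automated check of the expected results above. Sample data is
# constructed, not captured from a device. On a real device feed in
#   sudo aa-status    and    sudo journalctl -b -t audit -o cat
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/pulseaudio
   /usr/sbin/ofonod
4 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/pulseaudio (812)
   /usr/sbin/ofonod (640)
2 processes are in complain mode.
   /usr/bin/Xorg (700)
   /usr/sbin/connmand (655)
0 processes are unconfined but have a profile defined.'

# Constructed audit records in "-o cat" shape: one ALLOWED (complain mode), one DENIED.
SAMPLE_AUDIT='AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/Xorg" name="/tmp/example" pid=700 comm="Xorg"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/pulseaudio" name="/tmp/example" pid=812 comm="pulseaudio"'

# Print the paths listed under "N processes are in <mode> mode" (stdin = aa-status output).
# Profile sections are skipped on purpose: only process state matters for this test.
processes_in_mode() {
  awk -v mode="$1" '
    /^[0-9]+ processes are in / { want = ($0 ~ ("in " mode " mode")); next }
    /^[0-9]+ (processes|profiles)/ { want = 0; next }  # any other section header
    want && /^ +\// { print $1 }                        # $1 drops the " (pid)" suffix
  '
}

# Succeed only if every path in $2 is listed in mode $1 (stdin = aa-status output).
check_mode() {
  listed=$(processes_in_mode "$1")
  for p in $2; do
    printf '%s\n' "$listed" | grep -qx "$p" || { echo "FAIL: $p not in $1 mode" >&2; return 1; }
  done
}

# Count DENIED records; the test expects 0 (stdin = journalctl -b -t audit -o cat output).
count_denied() {
  grep -c 'apparmor="DENIED"' || true
}

# Self-check against the constructed samples.
printf '%s\n' "$SAMPLE_AA_STATUS" | check_mode complain "/usr/bin/Xorg /usr/sbin/connmand"
printf '%s\n' "$SAMPLE_AA_STATUS" | check_mode enforce "/usr/bin/pulseaudio /usr/sbin/ofonod"
echo "denied records: $(printf '%s\n' "$SAMPLE_AUDIT" | count_denied)"
```

The constructed audit sample deliberately contains one DENIED record, so count_denied reports 1 for it; on a passing device it must report 0.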