apparmor-session-lockdown-no-deny manual


Image Types:
basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf-internal / target-amd64
Image Deployment:


Test that the session lockdown profile is not blocking more than it should.

Pre Conditions

  1. Ensure Rootfs is remounted as read/write.
  2. $ sudo mount -o remount,rw /

  3. Install dependencies
  4. $ sudo apt install apertis-tests-apparmor-report apparmor-utils

  5. Restart the system to restore the filesystem state to read-only before running the test.
  6. $ sudo reboot

Execution Steps

  1. First of all clean the auditd logs to ensure only new messages are seen:
  2. $ echo -n | sudo tee /var/log/audit/audit.log

  3. Then reboot the image.
  4. $ sudo reboot

  5. Ensure pulseaudio is running:
  6. $ pactl stat

  7. No need to check the output of the command.
  8. Now ensure AppArmor is enabled and working, by running aa-status:
  9. $ sudo aa-status

  10. Then ensure the audit log file has no AppArmor complaints:
  11. $ sudo cat /var/log/audit/audit.log | sudo REJECTING


aa-status should show at least the following processes in complain mode:



And at least the following processes in enforce mode:





Note that there may be processes in other modes, such as in enforce mode, uncontained, or complain mode. Also note that the confinement status of profiles is irrelevant.

The command above should have no output.