apparmor-session-lockdown-no-deny manual


Image Types:
basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf-internal / target-amd64
Image Deployment:


Test that the session lockdown profile is not blocking more than it should.

Pre Conditions

  1. Ensure Rootfs is remounted as read/write:
     $ sudo mount -o remount,rw /

  2. Install dependencies:
     $ sudo apt install apertis-tests-apparmor-report apparmor-utils aa-status

  3. Restart the system to restore the filesystem state to read-only before running the test:
     $ sudo reboot

Execution Steps

  1. Ensure pulseaudio is running (no need to check the output of the command):
     $ pactl stat

  2. Now ensure AppArmor is enabled and working, by running aa-status:
     $ sudo aa-status

  3. Then ensure the audit log file has no AppArmor complaints:
     $ sudo journalctl -b -t audit -o cat | ./ DENIED


aa-status should show at least the following processes in complain mode:



And at least the following processes in enforce mode:





Note that there may be processes in other modes, such as enforce mode, uncontained, or complain mode. Also note that the confinement status of profiles is irrelevant.

The journalctl command above should have no output.
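When the audit-log check does produce output, the following added example (not part of the original test case) groups the denials by profile, operation, path and denied mask so the over-blocking rule can be located. The function name `summarize_denials` and the `SAMPLE_LOG` lines are constructed for illustration; the parser assumes the usual AppArmor `key="value"` audit fields.

```shell
#!/bin/sh
# Constructed sample audit lines (not from a real system).
SAMPLE_LOG='audit: type=1400 audit(1700000000.100:10): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=900 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000001.200:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/other-app" name="/etc/hosts" pid=901 comm="other-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000002.300:12): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=902 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000003.400:13): apparmor="DENIED" operation="mknod" profile="/usr/bin/example-app" name="/tmp/x" pid=902 comm="example-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'

# Read audit lines on stdin and print "count profile operation name mask"
# for each distinct denial. Returns 0 when the log is clean, 1 otherwise.
summarize_denials() {
    _out=$(awk '
    # Value of key=... in the current line, quoted or bare; "-" if absent.
    function field(key,    s) {
        if (!match($0, "(^| )" key "=(\"[^\"]*\"|[^ ]*)")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^ ?[^=]*=/, "", s)     # strip the leading "key="
        gsub(/^"|"$/, "", s)        # strip surrounding quotes
        return s
    }
    # Only real denials count; complain-mode ALLOWED lines are ignored.
    /apparmor="DENIED"/ {
        k = field("profile") " " field("operation") " " \
            field("name") " " field("denied_mask")
        seen[k]++
    }
    END { for (k in seen) print seen[k], k }')
    if [ -z "$_out" ]; then
        return 0
    fi
    printf '%s\n' "$_out" | sort -k1,1nr -k2
    return 1
}

# Demonstration on the constructed sample; on a device under test use:
#   sudo journalctl -b -t audit -o cat | summarize_denials
printf '%s\n' "$SAMPLE_LOG" | summarize_denials || true
```

Paths containing spaces are logged hex-encoded and unquoted, so they appear in the summary in that encoded form.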