Apparmor profile customisation

Hi

It’s really painful to add rules to an apparmor profile for a snap.

I found that to override a rule, you can copy the profile from /var/lib/snapd/apparmor/profiles to /etc/apparmor.d/snaps.d/, renaming snap.*** to the name of the application.

But what makes me mad is that when you set the overridden profile to complain mode, I see the violations BUT LOGPROF DOESN’T SHOW THE VIOLATIONS TO MODIFY THE PROFILE!!!

If you know which rules to add, it works.

BUT HOW TO MAKE LOGPROF SHOW THEM???

THANKS!

apparmor profiles for snaps are generated on the fly at snap install time and re-generated during snap updates from the interface definitions of snapd.

editing them on disk is a rather pointless action unless you are researching how to extend an existing interface and plan to later on submit a merge proposal for this to the snapd source …

the source of the interfaces can be found at:

i don’t know what logprof is or how it works, but if you simply use journalctl you should properly see all denials and audit messages from the various confinement technologies involved (apparmor is only a small part anyway)…

if you want more info and suggestions on how to solve a denial you can use the snappy-debug tool from the snappy-debug snap, just run it side by side with your app in a second terminal.

Hi

Here’s what I needed in order to be able to quickly modify, for example, the Chromium profile so I could debug it with Visual Studio Code. However, the temporary directories of the Visual Studio Code webstore were blocked. I am aware of security systems such as sandboxing, SELinux, AppArmor, Firejail… But AppArmor is the solution here!

Next, for your information, the command “aa-logprof” belongs to apparmor, allowing direct modification of profiles based on denied accesses, in complain mode.

For example, for Chromium, you need to first copy the Snap profile (/var/lib/snapd/apparmor/profiles/snap.chromium.chromium) to the apparmor profiles in /etc/apparmor.d/ and also in /etc/apparmor.d/snaps.d/, simply renaming it as chromium.

Set both profiles to complain mode:

This one blocks requests, but you can’t use aa-logprof on it; there are no entries in the logs.

sudo aa-complain /etc/apparmor.d/snaps.d/chromium

This one makes aa-logprof possible and lets you modify the rules.

sudo aa-complain /etc/apparmor.d/snap.chromium.chromium

Launch the application and do what needs to be done…

Now, run sudo aa-logprof to manage the requests.

Copy the contents of /etc/apparmor.d/snap.chromium.chromium to /etc/apparmor.d/snaps.d/chromium, then switch everything back to enforcing:

sudo aa-enforce /etc/apparmor.d/snaps.d/chromium

sudo aa-enforce /etc/apparmor.d/snap.chromium.chromium

Restart apparmor:

sudo systemctl restart apparmor.service

And THERE YOU HAVE IT! Many people will benefit from this, and it’s through empirical means that I discovered it! Couldn’t find this answer anywhere, not even from ChatGPT and the like.

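The denial and complain-mode lines that journalctl shows (as the earlier reply points out) are the same events the procedure above feeds to aa-logprof, and they can also be turned into candidate rules by hand while checking which profile name the kernel actually logged. The script below is an added example, not code from the forum post or from snapd/AppArmor. The sample audit lines are constructed: paths, pids and timestamps are made up, and only the snap.chromium.chromium and snap.firefox.firefox profile names come from the thread. It keeps only ALLOWED (complain mode) and DENIED (enforce mode) file events, merges the masks seen for each path, folds the create/delete log masks into w (a rule cannot name c or d directly; that mapping is this example's choice), and groups the result by the profile= field, so asking for a profile name that never appears in the log (here the renamed copy "chromium") yields nothing.

```python
import re
from collections import defaultdict

# Constructed sample journal output (not taken from the forum post): paths, pids and
# timestamps are made up; only the two snap profile names come from the thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:201): apparmor="ALLOWED" operation="open" class="file" profile="snap.chromium.chromium" name="/tmp/vscode-webstore-x1/manifest.json" pid=4242 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:202): apparmor="ALLOWED" operation="open" class="file" profile="snap.chromium.chromium" name="/tmp/vscode-webstore-x1/manifest.json" pid=4242 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.103:203): apparmor="ALLOWED" operation="mkdir" class="file" profile="snap.chromium.chromium" name="/tmp/vscode-webstore-x1/" pid=4242 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.104:204): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=99 comm="apparmor_parser"
audit: type=1400 audit(1700000000.105:205): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/.mozilla/firefox/profiles.ini" pid=5151 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
systemd[1]: Started snap.chromium.chromium scope.
"""

# key="quoted value" or key=bare_value tokens of an audit line
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are written in a rule, e.g. "mrw" or "rwk".
PERM_ORDER = "mrwalkx"
# create/delete appear in denied_mask but are not rule permissions; fold them into w.
LOG_TO_PERM = {"c": "w", "d": "w"}


def parse_event(line):
    """Return the key=value fields of one ALLOWED/DENIED file event, else None."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None  # STATUS lines and unrelated journal lines
    if not all(k in fields for k in ("profile", "name", "denied_mask")):
        return None  # e.g. network or dbus events carry no file path
    return fields


def collect_rules(log_text):
    """Map profile name -> {path -> set(permission letters)} across all events."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        perms = {LOG_TO_PERM.get(c, c) for c in ev["denied_mask"]}
        rules[ev["profile"]][ev["name"]].update(perms)
    return rules


def render_rule(path, perms):
    """Render one path rule in profile syntax; exec needs a qualifier a human must pick."""
    letters = "".join(c for c in PERM_ORDER if c in perms)
    quoted = f'"{path}"' if any(ch.isspace() for ch in path) else path
    rule = f"{quoted} {letters},"
    if "x" in perms:
        rule += "  # review: choose an exec qualifier (ix/px/ux) by hand"
    return rule


def render_profile_rules(log_text, profile):
    """Candidate rules for one profile name, sorted by path; empty if it never logged."""
    per_path = collect_rules(log_text).get(profile, {})
    return [render_rule(path, perms) for path, perms in sorted(per_path.items())]


if __name__ == "__main__":
    for profile in ("snap.chromium.chromium", "snap.firefox.firefox", "chromium"):
        print(f"# {profile}")
        for rule in render_profile_rules(SAMPLE_LOG, profile) or ["# (no events logged)"]:
            print("  " + rule)
```

In practice you would pipe `journalctl -k` or `journalctl _TRANSPORT=audit` output into `collect_rules` instead of the constructed sample; the generated lines are candidates to review against what the application legitimately needs, not something to paste into a profile wholesale, and any exec event is flagged because the rule needs a qualifier the log cannot supply.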

Thanks for the suggestion - it helped when investigating how to modify a Snap AppArmor profile (for Firefox in my case).

One question: what’s the purpose of duplicating the profile under /etc/apparmor.d/snaps.d/ as you suggest? I didn’t do that, and it still works as expected (i.e., I only copied the profile to /etc/apparmor.d/).