mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
Page: Integrating Test plan
Pages
2.12.4_Signatures 2.13.10_Signatures 2.13.11_Signatures 2.13.3_signature 2.13.4_signature 2.13.7_Signatures 2.13.8_Signatures 2.13.9_Signatures 3.0.10_Signatures 3.0.11_Signatures 3.0.12_Signatures 3.0.13_Signatures 3.0.8_Signatures 3.0.9_Signatures 3.1.1_Signatures 3.1.2_Signatures 3.1.3_Signatures 3.1.4_Signatures 3.1.5_Signatures 3.1.6_Signatures 3.1.7_Signatures 4.0.0 alpha2_Signatures 4.0.0 alpha3_Signatures 4.0.0 beta4_Signatures 4.0.1_Signatures 4.0.2_Signatures 4.0.3_Signatures 4.1.0 beta1_Signatures 4.1.0 beta4_Signatures About AbstractionsGuide AlternativeMethodsforSystemWideRestrictions AppArmor and Kubernetes AppArmor2FeatureABI AppArmorAPIs AppArmorAuditing AppArmorClassNumbers AppArmorDBus AppArmorDelegation AppArmorDynamicIncludes AppArmorFeatureABI AppArmorFeatureABIinteractions AppArmorGSettings AppArmorInSystemd AppArmorInterfaces AppArmorJournald AppArmorLabelsandTypes AppArmorLinuxNamespaces AppArmorLog AppArmorMLS AppArmorMonitoring AppArmorNamespaces AppArmorObjectDelegation AppArmorPolicy AppArmorPolicyScope AppArmorPolicyTOC AppArmorPolicyView AppArmorPortals AppArmorProfileSpec AppArmorProgramaticApplicationPolicy AppArmorRBAC AppArmorSandboxing AppArmorSnappyDesktop AppArmorStacking AppArmorSystemWideRestrictions AppArmorTrustedHelpers AppArmorUpdateGuidelines AppArmorUserDefinedPolicy AppArmorWine AppArmorXace AppArmor_Core_Policy_Reference AppArmor_Failures AppArmor_History AppArmor_Model AppArmor_Presentations AppArmor_versions AppArmor_versions_2.1 AppArmor_versions_2.10 AppArmor_versions_2.11 AppArmor_versions_2.12 AppArmor_versions_2.13 AppArmor_versions_2.3 AppArmor_versions_2.4 AppArmor_versions_2.5 AppArmor_versions_2.6 AppArmor_versions_2.7 AppArmor_versions_2.8 AppArmor_versions_2.9 AppArmor_versions_3.0 AppArmor_versions_3.1 AppArmor_versions_4.0 AppArmor_versions_4.1 AppArmorpolicyfeaturesDev AppArmorpolicyversioning Apparmor_parser Apparmorbinarypolicy Apparmorearlypolicy Apparmorinitrd Apparmorpolicycache Apparmorpolicymanagement Apparmorpolicymanagement2x Binary_Profile_Language Binary_profile_format BugTracking Coding Style CollaborativeProfileDevSpec CombiningStackingAndNamespaces CommitPolicy CompilerImprovements Complain Mode Confining_all_tasks Controlling_Profile_State CreatingPolicy DeprecateProfilePathName DevelopmentRoadmap Distro_CentOS Distro_debian Distro_suse Distro_ubuntu Documentation EnvironmentVariables ExampleProfiles Extended_profiling_example FAQ Firejail FullSystemPolicy GettingStarted Gittutorial IRC_meeting_2010 IRC_meeting_2011 IRC_meeting_2012 09 25 IRC_meeting_2012 11 06 IRC_meeting_2012 12 04 IRC_meeting_2012 IRC_meeting_2013 01 08 IRC_meeting_2013 02 05 IRC_meeting_2013 03 01 IRC_meeting_2013 05 14 IRC_meeting_2013 06 11 IRC_meeting_2013 07 09 IRC_meeting_2013 08 13 IRC_meeting_2013 10 08 IRC_meeting_2013 11 13 IRC_meeting_2013 IRC_meeting_2014 02 24 IRC_meeting_2014 06 10 IRC_meeting_2014 07 08 IRC_meeting_2014 09 09 IRC_meeting_2014 10 14 IRC_meeting_2014 11 05 IRC_meeting_2014 12 09 IRC_meeting_2014 IRC_meeting_2015 02 10 IRC_meeting_2015 03 10 IRC_meeting_2015 04 14 IRC_meeting_2015 05 12 IRC_meeting_2015 06 09 IRC_meeting_2015 07 14 IRC_meeting_2015 11 17 IRC_meeting_2015 IRC_meeting_2016 01 19 IRC_meeting_2016 09 13 IRC_meeting_2016 IRC_meeting_2017 10 10 IRC_meeting_2017 11 25 IRC_meeting_2017 12 13 IRC_meeting_2017 IRC_meeting_2018 01 16 IRC_meeting_2018 02 15 IRC_meeting_2018 12 11 IRC_meeting_2018 IRC_meeting_2019 04 09 IRC_meeting_2019 06 13 IRC_meeting_2019 10 08 IRC_meeting_2019 IRC_meeting_2020 01 14 IRC_meeting_2020 02 11 IRC_meeting_2020 02 12 IRC_meeting_2020 03 10 IRC_meeting_2020 04 10 IRC_meeting_2020 04 28 IRC_meeting_2020 06 09 IRC_meeting_2020 09 08 IRC_meeting_2020 10 13 IRC_meeting_2020 IRC_meeting_2021 07 13 IRC_meeting_2021 11 09 IRC_meeting_2021 12 14 IRC_meeting_2022 02 08 IRC_meeting_2022 08 09 IRC_meeting_2022 10 11 IRC_meeting_2022 11 08 IRC_meeting_2022 12 13 IRC_meeting_2022 4 12 IRC_meeting_2022 7 12 IRC_meeting_2023 02 14 IRC_meeting_2023 06 13 IRC_meeting_2023 08 08 IRC_meeting_2023 09 12 IRC_meeting_2023 10 10 IRC_meeting_2024 01 09 IRC_meeting_2024 04 09 IRC_meeting_2024 06 11 IRC_meeting_2024 08 13 IRC_meeting_2024 09 10 IRC_meeting_2024 10 08 IRC_meeting_2024 11 12 IRC_meeting_2025 01 14 IRC_meeting_2025 02 18 Integrating Test plan Kernel_Feature_Matrix Kernel_interfaces Launchpadtutorial Libvirt ManPages MeetingAgenda Mod_apparmor Mod_apparmor_example Multi Category Security (MCS) Pam_apparmor Pam_apparmor_example PerformanceImprovements Policy_Layout ProfileLanguage Profile_repo Profile_variants Profiles Profiling_by_hand Profiling_with_tools QuickProfileLanguage RBAC_2_0 RBAC_2_1 RBAC_2_3 RBAC_2_5 README Raising_Task_Capabilities ReleaseProcess Release_Notes_2.10.1 Release_Notes_2.10.2 Release_Notes_2.10.3 Release_Notes_2.10.4 Release_Notes_2.10.5 Release_Notes_2.10.6 Release_Notes_2.10 Release_Notes_2.11.1 Release_Notes_2.11.2 Release_Notes_2.11.3 Release_Notes_2.11.4 Release_Notes_2.11 Release_Notes_2.12.0 Release_Notes_2.12.1 Release_Notes_2.12.2 Release_Notes_2.12.3 Release_Notes_2.12.4 Release_Notes_2.12 Release_Notes_2.13.1 Release_Notes_2.13.10 Release_Notes_2.13.11 Release_Notes_2.13.2 Release_Notes_2.13.3 Release_Notes_2.13.4 Release_Notes_2.13.5 Release_Notes_2.13.6 Release_Notes_2.13.7 Release_Notes_2.13.8 Release_Notes_2.13.9 Release_Notes_2.13 Release_Notes_2.14 Release_Notes_2.4 Release_Notes_2.5.1 Release_Notes_2.5.2 Release_Notes_2.5 Release_Notes_2.6.0 Release_Notes_2.6.1 Release_Notes_2.7.1 Release_Notes_2.7.2 Release_Notes_2.7 Release_Notes_2.8.1 Release_Notes_2.8.2 Release_Notes_2.8.3 Release_Notes_2.8.4 Release_Notes_2.8.5 Release_Notes_2.8 Release_Notes_2.9.0 Release_Notes_2.9.1 Release_Notes_2.9.2 Release_Notes_2.9.3 Release_Notes_2.9.4 Release_Notes_2.9.5 Release_Notes_3.0.1 Release_Notes_3.0.10 Release_Notes_3.0.11 Release_Notes_3.0.12 Release_Notes_3.0.13 Release_Notes_3.0.2 Release_Notes_3.0.3 Release_Notes_3.0.4 Release_Notes_3.0.5 Release_Notes_3.0.6 Release_Notes_3.0.7 Release_Notes_3.0.8 Release_Notes_3.0.9 Release_Notes_3.0 Release_Notes_3.1.1 Release_Notes_3.1.2 Release_Notes_3.1.3 Release_Notes_3.1.4 Release_Notes_3.1.5 Release_Notes_3.1.6 Release_Notes_3.1.7 Release_Notes_3.1 Release_Notes_4.0 alpha1 Release_Notes_4.0 alpha2 Release_Notes_4.0 alpha3 Release_Notes_4.0 alpha4 Release_Notes_4.0 beta1 Release_Notes_4.0 beta2 Release_Notes_4.0 beta3 Release_Notes_4.0 beta4 Release_Notes_4.0.1 Release_Notes_4.0.2 Release_Notes_4.0.3 Release_Notes_4.0.4 Release_Notes_4.1 beta1 Release_Notes_4.1 beta2 Release_Notes_4.1 beta3 Release_Notes_4.1 beta4 Release_Notes_4.1 beta5 Release_Notes_4.1 beta6 Release_Notes_4.1.0 beta1 Release_Notes_5.0 Revising_and_fine_tuning_policy_and_abstractions Sandstorm StackingConfiningUsers TechnicalDoc TechnicalDoc_DBusRuleEncoding TechnicalDoc_DFA TechnicalDoc_FileRuleEncoding TechnicalDoc_HFA TechnicalDoc_HFA_Layout TechnicalDoc_HFA_permissions TechnicalDoc_Kernel TechnicalDoc_MountRuleEncoding TechnicalDoc_Mount_Flags TechnicalDoc_NetworkRuleEncoding TechnicalDoc_PolicyDB TechnicalDoc_Policy_Layout TechnicalDoc_Proc_and_ptrace TechnicalDoc_RulePathEncoding TechnicalDoc_XWindowsRuleEncoding Translations Unconfined, the unconfined flag and default allow Userconditional Users in AppArmor Userspace_Feature_Matrix Versioning WorkItems _sidebar aparmor_policy_development_guide apparmor 5 config layout spec apparmor_compiler_development_guide apparmor_kernel_development_guide apparmor_kernel_development_guide_notifications apparmor_library_development_guide apparmor_profile_tools_guide apparmordynamicpolicy apparmorpolicyfeaturesABI apparmorversioning bubblewrap clearcontainers containers docker flatpak gVisor home how to setup a policy namespace for containers io_uring rules kata containers kubernetes manpage_aa audit.8 manpage_aa autodep.8 manpage_aa cleanprof.8 manpage_aa complain.8 manpage_aa decode.8 manpage_aa disable.8 manpage_aa easyprof.8 manpage_aa enabled.1 manpage_aa enforce.8 manpage_aa exec.1 manpage_aa features abi.1 manpage_aa genprof.8 manpage_aa logprof.8 manpage_aa mergeprof.8 manpage_aa notify.8 manpage_aa remove unknown.8 manpage_aa status.8 manpage_aa teardown.8 manpage_aa unconfined.8 manpage_aa_change_hat.2 manpage_aa_change_profile.2 manpage_aa_features.3 manpage_aa_find_mountpoint.2 manpage_aa_getcon.2 manpage_aa_kernel_interface.3 manpage_aa_policy_cache.3 manpage_aa_query_label.2 manpage_aa_splitcon.3 manpage_aa_stack_profile.2 manpage_apparmor.7 manpage_apparmor.d.5 manpage_apparmor_parser.8 manpage_apparmor_parser manpage_apparmor_xattrs.7 manpage_logprof.conf.5 manpage_mod_apparmor.8 mqueue rules nabla containers no_new_privs profileflags prompt v3 interface rule operations rule prefixes and modes runV runc sanitized_helper security@apparmor template reply unprivileged_unconfined_restriction unprivileged_userns_restriction wip conditional policy
5 Integrating Test plan
John Johansen edited this page 2020-09-03 10:14:21 +00:00
Table of Contents

WARNING: this document is a wip

Introduction

The following guide is to help users and distros setup integrate and test AppArmor. The test plan has its origins in the integration test plan that Ubuntu uses before merging a new version of AppArmor into their distribution.

The test plan is broken into sections, each dealing with a component or interaction that can have interaction with apparmor that may need testing. Unlike the Ubuntu test plan reference Ubuntu specific packaging this guide use the upstream build system, as a generic base. Distros are welcome to edit and or send patches to add Distro specific information or references to their own documentation.

Sections

TODO split apart update/rewrite everything below

Test Plan Common tests APPARMOR Have an up to date Ubuntu Desktop and/or Server VM Install freshly built packages that are needed for landing and reboot Eg: devel: copy_sppa_to_repos --arch=i386,amd64 --include-devel --ppa=ubuntu-security-proposed/ppa apparmor

Verify the system comes up and has networking (dhclient profile) Verify the output of aa-status. It should report:

many profiles loaded (eg, 20 or more) many profiles in enforce mode (eg, 20 or more) 0 profiles in complain mode (unless libreoffice-common, apparmor-profiles, or some other special package is installed) some process should have a profile defined some process should be in enforce mode (the same number as '4', above) 0 processes in complain mode (unless libreoffice-common, apparmor-profiles, or some other special package is installed) 0 processes are unconfined but have a profile defined Verify cache files have no errors 18.10 and lower:

$ for i in /etc/apparmor.d/cache /var/cache/apparmor ; do echo "= $i =" ; for j in $i/* ; do echo -n "$j: " ; sudo apparmor_parser -B -r $j && echo pass || echo FAIL ; done ; done | grep FAIL 19.04 and higher:

$ export AACACHEDIR=$(sudo apparmor_parser --print-cache-dir) $ for i in $(sudo ls -1 "$AACACHEDIR") ; do echo -n "$i: " ; sudo apparmor_parser -B -r "$AACACHEDIR/$i" && echo pass || echo FAIL ; done | grep FAIL Verified the cache is used 18.10 and lower:

$ sudo rm -rf /etc/apparmor.d/cache/* $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d $ sudo /sbin/apparmor_parser --write-cache --add /etc/apparmor.d $ ls /etc/apparmor.d/cache sbin.dhclient usr.lib.libreoffice.program.xpdfimport usr.bin.evince usr.lib.snapd.snap-confine.real ... $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d $ sudo /sbin/apparmor_parser -k --write-cache --add /etc/apparmor.d 2>&1 | grep -i miss # should be no misses $ 19.04 and higher:

$ sudo rm -rf /var/cache/apparmor/* $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d $ sudo /sbin/apparmor_parser --write-cache --add /etc/apparmor.d $ sudo ls /var/cache/apparmor/* nvidia_modprobe usr.bin.evince usr.lib.snapd.snap-confine.real usr.sbin.cupsd sbin.dhclient usr.bin.man usr.sbin.cups-browsed usr.sbin.ippusbxd $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d $ sudo /sbin/apparmor_parser -k --write-cache --add /etc/apparmor.d 2>&1 | grep -i miss # should be no misses $ INTEGRATION Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works

QRT Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (Note: in the exceptional case when there are temporary new expected failures, be sure to update test-apparmor.py for these to not block kernel team processes):

$ git clone https://git.launchpad.net/qa-regression-testing $ cd qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py

To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:

$ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ sudo ./test-apparmor.py -v LXC Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:

~$ sudo apt-get install lxc lxc-templates ~$ sudo lxc-create -t ubuntu -n CN # or: sudo MIRROR=http:///ubuntu lxc-create ... ~$ sudo lxc-start -n CN # later versions (eg 15.04) may not start in a console ... Ubuntu Trusty Tahr (development branch) CN console

CN login: ubuntu Password: ... Run a few external commands:

$ sudo lxc-ls CN $ sudo lxc-info --name CN Name: CN State: RUNNING PID: 24354 IP: 10.0.3.153 CPU use: 1.80 seconds BlkIO use: 12.18 MiB Memory use: 20.58 MiB KMem use: 0 bytes Link: vethYD8QMX TX bytes: 2.90 KiB RX bytes: 6.77 KiB Total bytes: 9.67 KiB $ sudo lxc-console --name CN Connected to tty 1 Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Ubuntu Utopic Unicorn (development branch) CN tty1

CN login: ... $ sudo lxc-attach --name CN uptime 22:29:49 up 1:10, 1 user, load average: 0.06, 0.31, 0.58 Verify apparmor profiles are in use:

$ sudo aa-status | grep ') lxc' /usr/sbin/agetty (871) lxc-container-default-cgns /usr/lib/systemd/systemd (32182) lxc-container-default-cgns ... When done, shut it down with (outside the container (tests lxc-start still works to control the container)):

$ sudo lxc-stop -k -n CN Verify apparmor profiles are no longer in use:

$ sudo aa-status | grep ') lxc' $ And, finally, destroy it:

$ sudo lxc-destroy -n CN LXD Verify lxd container starts with new AppArmor on Ubuntu Desktop/Server:

deb (deprecated on 18.10 and higher):

$ sudo apt-get install lxd $ newgrp lxd snap:

$ sudo apt-get remove --purge lxd lxc $ sudo snap install lxd $ sudo adduser id -un lxd $ newgrp lxd $ sudo lxd init # use defaults Once lxd is installed:

$ . /etc/profile.d/apps-bin-path.sh # in case /snap/bin is not in your PATH $ lxc image list images: ... | | 0d4bfe75bd0d | yes | Ubuntu trusty (amd64) (20160321_03:49) | x86_64 | 75.60MB | Mar 21, 2016 at 4:19am (UTC) | ...

$ lxc launch ubuntu: ubuntu-64 ... Creating ubuntu-64 Retrieving image: 100% Starting ubuntu-64

$ lxc list +-----------+---------+-------------------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-------------------+------+------------+-----------+ | ubuntu-64 | RUNNING | 10.0.3.181 (eth0) | | PERSISTENT | 0 | +-----------+---------+-------------------+------+------------+-----------+

$ lxc info ubuntu-64 Name: ubuntu-64 Architecture: i686 Created: 2016/03/22 17:55 UTC Status: Running Type: persistent Profiles: default Pid: 2612 Processes: 8 Ips: eth0: inet 10.0.3.181 vethIKDBKR eth0: inet6 fe80::216:3eff:fe88:59b7 vethIKDBKR lo: inet 127.0.0.1 lo: inet6 ::1

$ sudo aa-status | grep ') lxd-ubuntu-64' /usr/lib/systemd/systemd (14348) lxd-ubuntu-64_</var/snap/lxd/common/lxd>//&:lxd-ubuntu-64_:unconfined /usr/lib/systemd/systemd-journald (14464) lxd-ubuntu-64_</var/snap/lxd/common/lxd>//&:lxd-ubuntu-64_:unconfined

$ lxc exec ubuntu-64 /bin/bash root@ubuntu-64:# ls root@ubuntu-64:# uptime 17:58:40 up 3 min, 0 users, load average: 0.01, 0.06, 0.05 root@ubuntu-64:# aa-status # AppArmor stacking works apparmor module is loaded. 15 profiles are loaded. 15 profiles are in enforce mode. /sbin/dhclient /usr/bin/lxc-start ... root@ubuntu-64:# exit

$ lxc exec ubuntu-64 ps PID TTY TIME CMD 1552 ? 00:00:00 ps

pull/push files

$ lxc file pull ubuntu-64/etc/hostname . $ lxc file push hostname ubuntu-64/tmp/hostname $ lxc exec ubuntu-64 -- cat /tmp/hostname ubuntu-64

$ lxc stop ubuntu-64

$ sudo aa-status | grep ') lxd-ubuntu-64' # profiles unloaded $

$ lxc delete ubuntu-64 LIBVIRT Install libvirt and ensure that the libvirtd group is part of the current session:

$ sudo apt-get install libvirt-bin # libvirt-daemon on more recent Ubuntu releases $ newgrp libvirtd Follow setup instructions in $QRT/notes_testing/libvirt/README Verify qemu/kvm libvirt VMs start under confinement (verify with sudo aa-status) with new AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)

Verify libvirt-lxc VMs start with new AppArmor on Ubuntu Desktop/Server by following SergeHallyn_libvirtlxc

IMPORTANT: The instructions linked to above will not work until bug #1445611 is fixed.

DOCKER Verify docker.io (need at least 1.2) containers with new AppArmor on Ubuntu Desktop/Server:

$ sudo apt-get install docker.io # should not have libvirt or lxc co-installed

$ sudo docker pull ubuntu:bionic ... 6e1bee0f8701: Pull complete Digest: sha256:d019bdb3ad5af96fa1541f9465f070394c0daf0ffd692646983f491ce077b70f Status: Downloaded newer image for ubuntu:bionic

$ sudo docker images REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu bionic 94e814e2efa8 44 hours ago 88.9MB

$ sudo docker run ubuntu:bionic uptime 20:31:21 up 1 min, 0 users, load average: 0.09, 0.06, 0.03 ...

$ sudo aa-status|grep docker docker-default

$ sudo docker run -i -t ubuntu:bionic /bin/sh

ps

PID TTY TIME CMD 1 ? 00:00:00 sh 7 ? 00:00:00 ps At this point, an interactive shell is running in the terminal. In another, try a couple of operations:

$ sudo aa-status|grep docker docker-default /usr/bin/dash (24201) docker-default

$ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3acc3d52bca2 ubuntu:bionic "/bin/sh" 43 seconds ago Up 42 seconds nostalgic_ramanujan

$ ps -Z 24201 LABEL PID TTY STAT TIME COMMAND docker-default (enforce) 24201 pts/0 Ss+ 0:00 /bin/sh

$ sudo docker inspect 3acc3d52bca2 [ { "Id": "3acc3d52bca28aa40da695781bb7a1195c3c4d5d821c350e272f4ed9d8582271", "Created": "2019-03-13T20:10:33.671935431Z", "Path": "/bin/sh", "Args": [], "State": { "Status": "running", ... In the terminal running 'sh', now exit:

exit

$ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

$ sudo aa-status|grep docker docker-default SNAPD Verify snappy works ok:

$ sudo apt-get install snapd $ sudo snap install hello-world

$ sudo aa-status | grep snap /snap/core/6623/usr/lib/snapd/snap-confine /snap/core/6623/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper snap-update-ns.core snap-update-ns.hello-world snap.core.hook.configure snap.hello-world.env snap.hello-world.evil snap.hello-world.hello-world snap.hello-world.sh

$ . /etc/profile.d/apps-bin-path.sh # in case /snap/bin is not in your PATH $ hello-world.evil Hello Evil World! This example demonstrates the app confinement You should see a permission denied error next /snaps/hello-world.canonical/6.0/bin/evil: 9: /snaps/hello-world.canonical/6.0/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied

$ hello-world.sh Launching a shell inside the default app confinement. Navigate to your app-specific directories with:

$ cd $SNAP $ cd $SNAP_DATA $ cd $SNAP_USER_DATA

bash-4.3$ cat /etc/fstab cat: /etc/fstab: Permission denied bash-4.3$ exit

$ sudo snap install snappy-debug $ snappy-debug.scanlog --only-snap=hello-world = AppArmor = Time: Mar 13 15:17:16 Log: apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=28941 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 File: /var/tmp/myevil.txt (write)

= AppArmor = Time: Mar 13 15:17:42 Log: apparmor="DENIED" operation="open" profile="snap.hello-world.sh" name="/etc/fstab" pid=29215 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 File: /etc/fstab (read)

$ sudo snap remove hello-world

$ sudo ls /var/cache/apparmor/* | grep hello-world # cache files are removed $ Desktop only DBUS Run QRT/scripts/test-dbus.py on Ubuntu Desktop:

$ ./scripts/make-test-tarball ./scripts/test-dbus.py

To run, copy /tmp/qrt-test-dbus.tar.gz to the target system, then log in through a graphical session and do:

$ tar -zxf qrt-test-dbus.tar.gz $ cd ./qrt-test-dbus $ sudo ./install-packages test-dbus.py $ sudo ./test-dbus.py -v

References