<computeroutput># </computeroutput><userinput>aa-genprof dhclient </userinput><computeroutput>Writing updated profile for /usr/sbin/dhclient. Setting /usr/sbin/dhclient to complain mode. Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inish <userinput>S</userinput> Reading log entries from /var/log/syslog. Profile:/usr/sbin/dhclient <co id="aa-genprof-execute"></co> Execute:/usr/sbin/dhclient-script Severity: unknown (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish <userinput>P</userinput> Should AppArmor sanitise the environment when switching profiles? Sanitising environment is more secure, but some applications depend on the presence of LD_PRELOAD or LD_LIBRARY_PATH. [(Y)es] / (N)o <userinput>Y</userinput> Writing updated profile for /usr/sbin/dhclient-script. Complain-mode changes: Profile:/usr/sbin/dhclient <co id="aa-genprof-capability"></co> Capability: net_raw Severity:8 [1 - capability net_raw,] (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish <userinput>A</userinput> Adding capability net_raw, to profile. Profile:/usr/sbin/dhclient Capability: net_bind_service Severity:8 [1 - #include <abstractions/nis>] 2 - capability net_bind_service, (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish <userinput>A</userinput> Adding #include <abstractions/nis> to profile. Profile:/usr/sbin/dhclient <co id="aa-genprof-read"></co> Path:/etc/ssl/openssl.cnf New Mode: owner r Severity: 2 [1 - #include <abstractions/lightdm>] 2 - #include <abstractions/openssl> 3 - #include <abstractions/ssl_keys> 4 - owner /etc/ssl/openssl.cnf r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish <userinput>2</userinput> Profile:/usr/sbin/dhclient Path:/etc/ssl/openssl.cnf New Mode: owner r Severity: 2 1 - #include <abstractions/lightdm> [2 - #include <abstractions/openssl>] 3 - #include <abstractions/ssl_keys> 4 - owner /etc/ssl/openssl.cnf r, [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore <userinput>A</userinput> [...] Profile:/usr/sbin/dhclient-script <co id="aa-genprof-other-profile"></co> Path:/usr/bin/dash New Mode: owner r Severity: unknown 1 - #include <abstractions/gvfs-open> [2 - #include <abstractions/lightdm>] 3 - #include <abstractions/ubuntu-browsers.d/plugins-common> 4 - #include <abstractions/xdg-open> 5 - owner /usr/bin/dash r, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish <userinput>A</userinput> Adding #include <abstractions/lightdm> to profile. Deleted 2 previous matching profile entries. = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/sbin/dhclient] 2 - /usr/sbin/dhclient-script (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t <userinput>S</userinput> Writing updated profile for /usr/sbin/dhclient. Writing updated profile for /usr/sbin/dhclient-script. Profiling: /usr/sbin/dhclient Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. [(S)can system log for AppArmor events] / (F)inish <userinput>F</userinput> Setting /usr/sbin/dhclient to enforce mode. Setting /usr/sbin/dhclient-script to enforce mode. Reloaded AppArmor profiles in enforce mode. Please consider contributing your new profile! See the following wiki page for more information: https://gitlab.com/apparmor/apparmor/wikis/Profiles Finished generating profile for /usr/sbin/dhclient.</computeroutput>
<computeroutput># </computeroutput><userinput>aa-genprof dhclient
</userinput><computeroutput>Writing updated profile for /usr/sbin/dhclient.
Setting /usr/sbin/dhclient to complain mode.
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Profiling: /usr/sbin/dhclient
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
<userinput>S</userinput>
Reading log entries from /var/log/syslog.
Profile: /usr/sbin/dhclient <co id="aa-genprof-execute"></co>
Execute: /usr/sbin/dhclient-script
Severity: unknown
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
<userinput>P</userinput>
Should AppArmor sanitise the environment when
switching profiles?
Sanitising environment is more secure,
but some applications depend on the presence
of LD_PRELOAD or LD_LIBRARY_PATH.
[(Y)es] / (N)o
<userinput>Y</userinput>
Writing updated profile for /usr/sbin/dhclient-script.
Complain-mode changes:
Profile: /usr/sbin/dhclient <co id="aa-genprof-capability"></co>
Capability: net_raw
Severity: 8
[1 - capability net_raw,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding capability net_raw, to profile.
Profile: /usr/sbin/dhclient
Capability: net_bind_service
Severity: 8
[1 - #include <abstractions/nis>]
2 - capability net_bind_service,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding #include <abstractions/nis> to profile.
Profile: /usr/sbin/dhclient <co id="aa-genprof-read"></co>
Path: /etc/ssl/openssl.cnf
New Mode: owner r
Severity: 2
[1 - #include <abstractions/lightdm>]
2 - #include <abstractions/openssl>
3 - #include <abstractions/ssl_keys>
4 - owner /etc/ssl/openssl.cnf r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>2</userinput>
Profile: /usr/sbin/dhclient
Path: /etc/ssl/openssl.cnf
New Mode: owner r
Severity: 2
1 - #include <abstractions/lightdm>
[2 - #include <abstractions/openssl>]
3 - #include <abstractions/ssl_keys>
4 - owner /etc/ssl/openssl.cnf r,
[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
<userinput>A</userinput>
[...]
Profile: /usr/sbin/dhclient-script <co id="aa-genprof-other-profile"></co>
Path: /usr/bin/dash
New Mode: owner r
Severity: unknown
1 - #include <abstractions/gvfs-open>
[2 - #include <abstractions/lightdm>]
3 - #include <abstractions/ubuntu-browsers.d/plugins-common>
4 - #include <abstractions/xdg-open>
5 - owner /usr/bin/dash r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding #include <abstractions/lightdm> to profile.
Deleted 2 previous matching profile entries.
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - /usr/sbin/dhclient]
2 - /usr/sbin/dhclient-script
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<userinput>S</userinput>
Writing updated profile for /usr/sbin/dhclient.
Writing updated profile for /usr/sbin/dhclient-script.
Profiling: /usr/sbin/dhclient
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
[(S)can system log for AppArmor events] / (F)inish
<userinput>F</userinput>
Setting /usr/sbin/dhclient to enforce mode.
Setting /usr/sbin/dhclient-script to enforce mode.
Reloaded AppArmor profiles in enforce mode.
Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles
Finished generating profile for /usr/sbin/dhclient.</computeroutput>