AppArmor : प्रोफ़ाइल बनाएं : aa-genprof2024/06/18

root@dlp:~# cat > /usr/local/bin/nodejs_test.js <<'EOF' 
var http = require('http');
var server = http.createServer(function(req, res) {
  res.write("Hello, This is the Node.js Simple Web Server!\n");
  res.end();
}).listen(8080);
EOF 

Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/node.
Setting /usr/bin/node to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/node

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
# स्टडआउट यहीं रुकता है
# इसे किसी अन्य टर्मिनल पर लक्ष्य एप्लिकेशन के लिए सभी आवश्यक संचालन संचालित करने की आवश्यकता है
# लॉगफ़ाइल में आवश्यक संचालन लॉग करने के लिए,
# सभी आवश्यक ऑपरेशन समाप्त करने के बाद, समाप्त करने के लिए [f(F)] कुंजी दबाएँ,
# फिर [aa-genprof] समाप्त होता है

Setting /usr/bin/node to enforce mode.

Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Finished generating profile for /usr/bin/node.

apparmor module is loaded.
113 profiles are loaded.
24 profiles are in enforce mode.
   /usr/bin/man
   /usr/bin/node
.....
.....

# Last Modified: Tue Jun 18 00:57:50 2024
abi <abi/3.0>,

include <tunables/global>

/usr/bin/node {
  include <abstractions/base>

  /usr/bin/node mr,

}

Cannot load externalized builtin: "internal/deps/cjs-module-lexer/lexer:/usr/share/nodejs/cjs-module-lexer/lexer.js".
.....

Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/syslog.
Complain-mode changes:

Profile:    /usr/bin/node
Capability: ipc_lock
Severity:   8

 [1 - include <abstractions/nvidia>]
  2 - capability ipc_lock,
# अनधिकृत कार्रवाई के लिए नीति निर्धारित करेंn
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding include <abstractions/nvidia> to profile.

Profile:    /usr/bin/node
Capability: sys_admin
Severity:   10

 [1 - capability sys_admin,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding capability sys_admin, to profile.

.....
.....

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/node]
# अंत में, अपने परिवर्तन सहेजें
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

# Last Modified: Tue Jun 18 01:16:37 2024
abi <abi/3.0>,

include <tunables/global>

/usr/bin/node {
  include <abstractions/apache2-common>
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nvidia>

  capability dac_override,
  capability sys_admin,

  /usr/bin/node mr,
  owner /proc/*/cgroup r,
  owner /proc/version_signature r,
  owner /sys/fs/cgroup/user.slice/user-0.slice/session-1.scope/memory.high r,
  owner /sys/fs/cgroup/user.slice/user-0.slice/session-1.scope/memory.max r,
  owner /sys/fs/cgroup/user.slice/user-1000.slice/session-8.scope/memory.high r,
  owner /sys/fs/cgroup/user.slice/user-1000.slice/session-8.scope/memory.max r,
  owner /usr/local/bin/nodejs_test.js r,
  owner /usr/share/nodejs/acorn-walk/dist/walk.js r,
  owner /usr/share/nodejs/acorn/dist/acorn.js r,
  owner /usr/share/nodejs/cjs-module-lexer/dist/lexer.js r,
  owner /usr/share/nodejs/cjs-module-lexer/lexer.js r,
  owner /usr/share/nodejs/undici/undici-fetch.js r,

}