![\"\"](\"https:\/\/shell-mag.com\/wp-content\/uploads\/2018\/11\/zu1-1-300x213.png\")
\u56f31\u3000\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306b\u3088\u308b\u5236\u9650<\/p><\/div>\n
\u3053\u306e\u3088\u3046\u306a\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3092Linux\u3067\u5b9f\u73fe\u3067\u304d\u308b\u30bd\u30d5\u30c8\u30a6\u30a8\u30a2\u306b\u306f\u3001\u3044\u304f\u3064\u304b\u3042\u308a\u307e\u3059\u3002Ubuntu Server\u3067\u306f\u300cAppArmor\u300d\u3068\u3044\u3046\u30bd\u30d5\u30c8\u30a6\u30a8\u30a2\u304c\u6a19\u6e96\u3067\u5c0e\u5165\u3055\u308c\u3066\u3044\u3066\u3001\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u3053\u306eAppArmor\u306f\u3001Linux OS\u306e\u6838\u3068\u306a\u308b\u300c\u30ab\u30fc\u30cd\u30eb\u300d\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u300cLinux Security Modules\u300d\uff08LSM\uff09\u3092\u4f7f\u3063\u3066\u5b9f\u88c5\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u521d\u671f\u72b6\u614b\u3092\u78ba\u8a8d\u3059\u308b<\/h2>\n
\u307e\u305a\u306f\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u76f4\u5f8c\u306eUbuntu Server 16.04 LTS\u3067\u306eAppArmor\u306e\u72b6\u614b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u6b21\u306e\u3088\u3046\u306b\u300caa-status\u300d\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u300c[sudo] taro \u306e\u30d1\u30b9\u30ef\u30fc\u30c9:\u300d\u306e\u3088\u3046\u306b\u8868\u793a\u3055\u308c\u305f\u3089\u3001\u81ea\u5206\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u307e\u3059\u3002<\/p>\n
$ sudo aa-status\r\n<\/pre>\n\u6b21\u306e\u3088\u3046\u306bAppArmor\u306e\u72b6\u614b\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n
apparmor module is loaded.\r\n13 profiles are loaded.\r\n13 profiles are in enforce mode.\r\n \/sbin\/dhclient\r\n \/usr\/bin\/lxc-start\r\n \/usr\/lib\/NetworkManager\/nm-dhcp-client.action\r\n \/usr\/lib\/NetworkManager\/nm-dhcp-helper\r\n \/usr\/lib\/connman\/scripts\/dhclient-script\r\n \/usr\/lib\/lxd\/lxd-bridge-proxy\r\n \/usr\/lib\/snapd\/snap-confine\r\n \/usr\/lib\/snapd\/snap-confine\/\/mount-namespace-capture-helper\r\n \/usr\/sbin\/tcpdump\r\n lxc-container-default\r\n lxc-container-default-cgns\r\n lxc-container-default-with-mounting\r\n lxc-container-default-with-nesting\r\n0 profiles are in complain mode.\r\n1 processes have profiles defined.\r\n1 processes are in enforce mode.\r\n \/sbin\/dhclient (1007)\r\n0 processes are in complain mode.\r\n0 processes are unconfined but have a profile defined.\r\n<\/pre>\n\u30dd\u30a4\u30f3\u30c8\u3068\u306a\u308b\u90e8\u5206\u306f\u300c13 profiles are loaded.\u300d\u300c13 profiles are in enforce mode.\u300d\u300c0 profiles are in complain mode.\u300d\u300c1 processes are in enforce mode.\u300d\u300c0 processes are in complain mode.\u300d\u306e\u4e94\u3064\u3067\u3059\u3002\u3053\u308c\u3089\u306f\u300113\u500b\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u8aad\u307f\u8fbc\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u300113\u500b\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u300cenforce\u300d\u30e2\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u3001\u300ccomplain\u300d\u30e2\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u308b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u306a\u3044\u3053\u3068\u3001\u4e00\u3064\u306e\u30d7\u30ed\u30bb\u30b9\u304cenforce\u30e2\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u3001complain\u30e2\u30fc\u30c9\u306e\u30d7\u30ed\u30bb\u30b9\u304c\u306a\u3044\u3053\u3068\u3092\u8868\u3057\u3066\u3044\u307e\u3059\u3002\u300c13 profiles are in enforce mode.\u300d\u3068\u300c1 processes are in enforce mode.\u300d\u306e\u4e0b\u306b\u306f\u3001enforce\u30e2\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u308b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306e\u540d\u79f0\u3084\u30d7\u30ed\u30bb\u30b9\u3092\u8868\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306f\u3001AppArmor\u3067\u30a2\u30af\u30bb\u30b9\u5236\u9650\u3092\u304b\u3051\u308b\u305f\u3081\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3067\u3059\u3002\u30d7\u30ed\u30b0\u30e9\u30e0\u3084\u6a5f\u80fd\u3054\u3068\u306b\u7528\u610f\u3055\u308c\u3066\u3044\u3066\u3001\u300c\/etc\/apparmor.d\u300d\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306e\u4e0b\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u3053\u3067\u306f\u3001\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306e\u66f8\u304d\u65b9\u3092\u8aac\u660e\u3057\u307e\u305b\u3093\u3002\u8a73\u3057\u304f\u306f\u3053\u3061\u3089\u306e\u30de\u30cb\u30e5\u30a2\u30eb<\/a>\u3092\u8aad\u3093\u3067\u304f\u3060\u3055\u3044\u3002<\/p>\n
enforce\u306f\u3001\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304b\u308c\u305f\u5b9a\u7fa9\u306b\u9055\u53cd\u3057\u305f\u5834\u5408\u306b\u30a2\u30af\u30bb\u30b9\u304c\u5236\u9650\u3055\u308c\u3001\u8b66\u544a\u304c\u8a18\u9332\u3055\u308c\u308b\u30e2\u30fc\u30c9\u3067\u3059\u3002\u4e00\u65b9\u3001complain\u306f\u3001\u9055\u53cd\u3057\u3066\u3082\u30a2\u30af\u30bb\u30b9\u3092\u5236\u9650\u305b\u305a\u306b\u8b66\u544a\u306e\u307f\u8a18\u9332\u3059\u308b\u30e2\u30fc\u30c9\u3067\u3059\u3002complain\u30e2\u30fc\u30c9\u306f\u3001\u65b0\u3057\u304f\u4f5c\u6210\u3057\u305f\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u304c\u6b63\u3057\u3044\u304b\u3069\u3046\u304b\u306e\u78ba\u8a8d\u306b\u7528\u3044\u308b\u3068\u3088\u3044\u3067\u3057\u3087\u3046\u3002<\/p>\n
<\/p>\n
\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3092\u64cd\u4f5c\u3059\u308b<\/h2>\n
Ubuntu Server 16.04 LTS\u306b\u306f\u3001AppArmor\u306e\u30c4\u30fc\u30eb\u3084\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u3059\u3079\u3066\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u308f\u3051\u3067\u3042\u308a\u307e\u305b\u3093\u3002\u6b21\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001\u3053\u308c\u3089\u3092\u30d1\u30c3\u30b1\u30fc\u30b8\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n
$ sudo apt install apparmor-profiles apparmor-utils<\/pre>\n\/etc\/apparmor.d\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306e\u4e0b\u306b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u8ffd\u52a0\u3055\u308c\u305f\u306e\u3067\u3001enforce\u3084complain\u306e\u30e2\u30fc\u30c9\u306b\u5207\u308a\u66ff\u3048\u3066\u307f\u307e\u3057\u3087\u3046\u3002
\n\u307e\u305a\u306f\u3001aa-status\u30b3\u30de\u30f3\u30c9\u3067\u3001AppArmor\u306e\u72b6\u614b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n$ sudo aa-status\r\napparmor module is loaded.\r\n53 profiles are loaded.\r\n16 profiles are in enforce mode.\r\n \/sbin\/dhclient\r\n \/usr\/bin\/lxc-start\r\n \/usr\/lib\/NetworkManager\/nm-dhcp-client.action\r\n \/usr\/lib\/NetworkManager\/nm-dhcp-helper\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/browser_java\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/browser_openjdk\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/sanitized_helper\r\n \/usr\/lib\/connman\/scripts\/dhclient-script\r\n \/usr\/lib\/lxd\/lxd-bridge-proxy\r\n \/usr\/lib\/snapd\/snap-confine\r\n \/usr\/lib\/snapd\/snap-confine\/\/mount-namespace-capture-helper\r\n \/usr\/sbin\/tcpdump\r\n lxc-container-default\r\n lxc-container-default-cgns\r\n lxc-container-default-with-mounting\r\n lxc-container-default-with-nesting\r\n37 profiles are in complain mode.\r\n \/usr\/lib\/chromium-browser\/chromium-browser\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/chromium_browser_sandbox\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/lsb_release\r\n \/usr\/lib\/chromium-browser\/chromium-browser\/\/xdgsettings\r\n \/usr\/lib\/dovecot\/anvil\r\n \/usr\/lib\/dovecot\/auth\r\n \/usr\/lib\/dovecot\/config\r\n \/usr\/lib\/dovecot\/deliver\r\n \/usr\/lib\/dovecot\/dict\r\n \/usr\/lib\/dovecot\/dovecot-auth\r\n \/usr\/lib\/dovecot\/dovecot-lda\r\n \/usr\/lib\/dovecot\/dovecot-lda\/\/\/usr\/sbin\/sendmail\r\n \/usr\/lib\/dovecot\/imap\r\n \/usr\/lib\/dovecot\/imap-login\r\n \/usr\/lib\/dovecot\/lmtp\r\n \/usr\/lib\/dovecot\/log\r\n \/usr\/lib\/dovecot\/managesieve\r\n \/usr\/lib\/dovecot\/managesieve-login\r\n \/usr\/lib\/dovecot\/pop3\r\n \/usr\/lib\/dovecot\/pop3-login\r\n \/usr\/lib\/dovecot\/ssl-params\r\n \/usr\/sbin\/avahi-daemon\r\n \/usr\/sbin\/dnsmasq\r\n \/usr\/sbin\/dnsmasq\/\/libvirt_leaseshelper\r\n \/usr\/sbin\/dovecot\r\n \/usr\/sbin\/identd\r\n \/usr\/sbin\/mdnsd\r\n \/usr\/sbin\/nmbd\r\n \/usr\/sbin\/nscd\r\n \/usr\/sbin\/smbd\r\n \/usr\/sbin\/smbldap-useradd\r\n \/usr\/sbin\/smbldap-useradd\/\/\/etc\/init.d\/nscd\r\n \/usr\/{sbin\/traceroute,bin\/traceroute.db}\r\n \/{usr\/,}bin\/ping\r\n klogd\r\n syslog-ng\r\n syslogd\r\n1 processes have profiles defined.\r\n1 processes are in enforce mode.\r\n \/sbin\/dhclient (1127)\r\n0 processes are in complain mode.\r\n0 processes are unconfined but have a profile defined.\r\n<\/pre>\n<\/p>\n
enforce\u3084complain\u306e\u30e2\u30fc\u30c9\u306b\u591a\u304f\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u307e\u3059\u3002complain\u30e2\u30fc\u30c9\u306e\u4e2d\u306b\u3042\u308b\u300csyslog-ng\u300d\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u64cd\u4f5c\u3057\u3066\u307f\u307e\u3059\u3002syslog-ng\u306f\u3001\u300cSyslog-ng\u300d\u3068\u3044\u3046rsyslog\u3068\u540c\u3058\u30ed\u30b0\u53ce\u96c6\u306e\u30bd\u30d5\u30c8\u30a6\u30a8\u30a2\u3067\u3059\u3002Ubuntu Server 16.04 LTS\u306b\u306f\u3001Syslog-ng\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u306a\u3044\u306e\u3067\u3001\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306e\u30e2\u30fc\u30c9\u3092\u5909\u66f4\u3057\u3066\u3082\u4f55\u3082\u5909\u308f\u308a\u307e\u305b\u3093\u3002<\/p>\n
syslog-ng\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092enforce\u30e2\u30fc\u30c9\u306b\u5909\u66f4\u3057\u307e\u3059\u3002\u6b21\u306e\u3088\u3046\u306b\u3001\u300caa-enforce\u300d\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u304f\u3060\u3055\u3044\u3002syslog-ng\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u300c\/etc\/apparmor.d\/sbin.syslog-ng\u300d\u3068\u3057\u3066\u7528\u610f\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u3001\u305d\u308c\u3092\u5f15\u6570\u306b\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n
$ sudo aa-enforce \/etc\/apparmor.d\/sbin.syslog-ng\r\n<\/pre>\n\u300cSetting \/etc\/apparmor.d\/sbin.syslog-ng to enforce mode.\u300d\u3068\u8868\u793a\u3055\u3055\u308c\u3070OK\u3067\u3059\u3002aa-status\u30b3\u30de\u30f3\u30c9\u3067\u3001AppArmor\u306e\u72b6\u614b\u3092\u78ba\u8a8d\u3057\u3066\u307f\u308b\u3068\u3001<\/p>\n
$ sudo aa-status\r\napparmor module is loaded.\r\n53 profiles are loaded.\r\n17 profiles are in enforce mode.\r\n\uff08\u7565\uff09\r\n lxc-container-default-with-nesting\r\n syslog-ng\r\n36 profiles are in complain mode.\r\n\uff08\u7565\uff09\r\n klogd\r\n syslogd\r\n1 processes have profiles defined.\r\n1 processes are in enforce mode.\r\n\uff08\u7565\uff09\r\n<\/pre>\n\u306e\u3088\u3046\u306b\u3001syslog-ng\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304cenforce\u30e2\u30fc\u30c9\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n
\u4eca\u5ea6\u306f\u3001syslog-ng\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u7121\u52b9\u3057\u307e\u3059\u3002\u6b21\u306e\u300caa-disable\u300d\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n
$ sudo aa-disable \/etc\/apparmor.d\/sbin.syslog-ng\r\n<\/pre>\n\u300cDisabling \/etc\/apparmor.d\/sbin.syslog-ng.\u300d\u3068\u8868\u793a\u3055\u308c\u308c\u3070OK\u3067\u3059\u3002\u5148\u307b\u3069\u3068\u540c\u3058\u3088\u3046\u306b\u3001aa-status\u30b3\u30de\u30f3\u30c9\u3067AppArmor\u306e\u72b6\u614b\u3092\u8868\u793a\u3057\u3066\u3001syslog-ng\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u306a\u304f\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n
\u6700\u5f8c\u306b\u3001\u300caa-complain\u300d\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066complain\u30e2\u30fc\u30c9\u306b\u623b\u3057\u307e\u3059\u3002<\/p>\n
$ sudo aa-complain \/etc\/apparmor.d\/sbin.syslog-ng\r\n<\/pre>\n\u300cSetting \/etc\/apparmor.d\/sbin.syslog-ng to complain mode.\u300d\u304c\u8868\u793a\u3055\u3055\u308c\u3070OK\u3067\u3059\u3002<\/p>\n
<\/p>\n
\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u81ea\u52d5\u4f5c\u6210\u3059\u308b<\/h2>\n
AppArmor\u3067\u306f\u3001\u30b3\u30de\u30f3\u30c9\u3084\u30d7\u30ed\u30b0\u30e9\u30e0\u306a\u3069\u306e\u52d5\u4f5c\u3092\u5b66\u7fd2\u3059\u308b\u3053\u3068\u3067\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u81ea\u52d5\u751f\u6210\u3067\u304d\u307e\u3059\u3002\u4f8b\u3068\u306a\u308b\u30b5\u30f3\u30d7\u30eb\u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u3057\u3066\u3001\u30db\u30fc\u30e0\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u5185\u306b\u300ctest1.sh\u300d\u3068\u3044\u3046\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u6b21\u306e\u5185\u5bb9\u3067\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n
#!\/bin\/bash\r\n\r\necho \"Hello!\" >> test.txt<\/pre>\n\u4f5c\u6210\u3057\u305f\u3089\u3001<\/p>\n
$ chmod 755 test1.sh\r\n<\/pre>\n\u3092\u5b9f\u884c\u3057\u3066\u5b9f\u884c\u6a29\u9650\u3092\u4e0e\u3048\u307e\u3059\u3002
\n\u6b21\u306e\u3088\u3046\u306b\u5f15\u6570\u306b\u30b5\u30f3\u30d7\u30eb\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u7d76\u5bfe\u30d1\u30b9\u3067\u6307\u5b9a\u3057\u3066\u300caa-genprof\u300d\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n$ sudo aa-genprof \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh\r\nWriting updated profile for \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh.\r\nSetting \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh to complain mode.\r\n\r\nBefore you begin, you may wish to check if a\r\nprofile already exists for the application you\r\nwish to confine. See the following wiki page for\r\nmore information:\r\nhttp:\/\/wiki.apparmor.net\/index.php\/Profiles\r\n\r\nPlease start the application to be profiled in\r\nanother window and exercise its functionality now.\r\n\r\nOnce completed, select the \"Scan\" option below in\r\norder to scan the system logs for AppArmor events.\r\n\r\nFor each AppArmor event, you will be given the\r\nopportunity to choose whether the access should be\r\nallowed or denied.\r\n\r\nProfiling: \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh\r\n\r\n[(S)can system log for AppArmor events] \/ (F)inish<\/pre>\n\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u6210\u3059\u308b\u305f\u3081\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u3092\u958b\u59cb\u3057\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u5225\u306e\u7aef\u672b\u3092\u7acb\u3061\u4e0a\u3052\u3066\u3001test1.sh\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n
$ ~\/test1.sh\r\n<\/pre>\n\u672c\u6765\u306f\u3001\u3044\u308d\u3044\u308d\u306a\u5834\u5408\u3092\u8003\u3048\u3066\u8907\u6570\u306e\u52d5\u4f5c\u3092\u8a66\u3057\u307e\u3059\u304c\u3001test1.sh\u306f\u30db\u30fc\u30e0\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u5185\u306e\u300ctest.txt\u300d\u30d5\u30a1\u30a4\u30eb\u306b\u300cHello!\u300d\u3092\u8ffd\u8a18\u3059\u308b\u3060\u3051\u306a\u306e\u30671\u30d1\u30bf\u30fc\u30f3\u3067\u69cb\u3044\u307e\u305b\u3093\u3002<\/p>\n
aa-genprof\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u305f\u7aef\u672b\u306b\u623b\u3063\u3066\u3001\uff3bF\uff3d\u30ad\u30fc\u3092\u62bc\u3057\u307e\u3059\u3002\u3053\u308c\u3067\u3001\u3072\u306a\u578b\u3068\u306a\u308b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304c\u4f5c\u6210\u3055\u308c\u3001\u4f5c\u6210\u3055\u308c\u305f\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304cenforce\u30e2\u30fc\u30c9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
Setting \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh to enforce mode.\r\n\r\nReloaded AppArmor profiles in enforce mode.\r\n\r\nPlease consider contributing your new profile!\r\nSee the following wiki page for more information:\r\nhttp:\/\/wiki.apparmor.net\/index.php\/Profiles\r\n\r\nFinished generating profile for \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh.<\/pre>\n\u3072\u306a\u578b\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\/etc\/apparmor.d\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u5185\u306b\u3001\u30d1\u30b9\u306e\u300c\/\u300d\u3092\u300c.\u300d\u306b\u5909\u66f4\u3057\u305f\u540d\u524d\u306e\u30d5\u30a1\u30a4\u30eb\u3067\u683c\u7d0d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u300c\/home\/\u30e6\u30fc\u30b6\u30fc\u540d<\/span>\/test1.sh\u300d\u306b\u5bfe\u3059\u308b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306f\u300chome.\u30e6\u30fc\u30b6\u30fc\u540d<\/span>.test1.sh\u300d\u306b\u306a\u308a\u307e\u3059\u3002\u300ccat\u300d\u30b3\u30de\u30f3\u30c9\u3067\u4e2d\u8eab\u3092\u78ba\u8a8d\u3057\u3066\u307f\u308b\u3068\u3001<\/p>\n
$ sudo cat \/etc\/apparmor.d\/home.\u30e6\u30fc\u30b6\u30fc\u540d.test1.sh\r\n# Last Modified: Tue Nov 20 13:25:05 2018\r\n#include <tunables\/global>\r\n\r\n\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh {\r\n #include <abstractions\/base>\r\n #include <abstractions\/bash>\r\n\r\n \/bin\/bash ix,\r\n \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh r,\r\n\r\n}\r\n<\/pre>\n\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u300c#include\u300d\u3067\u59cb\u307e\u308b\u90e8\u5206\u306f\u3001AppArmor\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u8aad\u307f\u8fbc\u3093\u3067\u3044\u307e\u3059\u3002\u300c\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh {\u300d\u3068\u300c\uff5d\u300d\u306e\u9593\u306b\u3042\u308b\u3082\u306e\u304ctest1.sh\u306b\u9069\u7528\u3055\u308c\u308b\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306b\u95a2\u3059\u308b\u8a2d\u5b9a\u3067\u3059\u3002\u300c\/bin\/bash ix,\u300d\u3067\u306f\u3001Bash\u3092\u8d77\u52d5\u3059\u308b\u300c\/bin\/bash\u300d\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u7d99\u627f\uff08ix\uff09\u3092\u8a31\u53ef\u3057\u3066\u3044\u307e\u3059\u3002\u3064\u307e\u308a\u3001Bash\u3067\u8d77\u52d5\u3057\u305f\u30b7\u30a7\u30eb\u306e\u5b50\u30d7\u30ed\u30bb\u30b9\u3068\u3057\u3066test1.sh\u3092\u5b9f\u884c\u3067\u304d\u307e\u3059\u3002\u300c\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh r,\u300d\u3067\u306f\u3001\u300c\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh\u300d\u30d5\u30a1\u30a4\u30eb\u306e\u8aad\u307f\u51fa\u3057\uff08r\uff09\u3092\u8a31\u53ef\u3057\u3066\u3044\u307e\u3059\u3002test1.sh\u3092\u5b9f\u884c\u3059\u308b\u306b\u306f\u3001test1.sh\u306e\u4e2d\u8eab\u3092\u8aad\u3093\u3067\u30b7\u30a7\u30eb\u304c\u30b3\u30de\u30f3\u30c9\u3092\u89e3\u91c8\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n
\u3053\u3053\u3067\u3001test.txt\u30d5\u30a1\u30a4\u30eb\u306b\u5bfe\u3057\u3066\u8aad\u307f\u51fa\u3057\u306e\u307f\u8a31\u53ef\u306b\u3059\u308b\u8a2d\u5b9a\u3092\u6b21\u306e\u3088\u3046\u306b\u8ffd\u52a0\u3057\u307e\u3059\u3002\u8ffd\u52a0\u3057\u305f\u8a2d\u5b9a\u306f\u300c\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test.txt r,\u300d\u3067\u3059\u3002<\/p>\n
# Last Modified: Tue Nov 20 13:25:05 2018\r\n#include <tunables\/global>\r\n\r\n\/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh {\r\n #include <abstractions\/base>\r\n #include <abstractions\/bash>\r\n\r\n \/bin\/bash ix,\r\n \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test1.sh r,\r\n \/home\/\u30e6\u30fc\u30b6\u30fc\u540d\/test.txt r,\r\n\r\n}<\/pre>\n\u30b5\u30f3\u30d7\u30eb\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u5b9f\u884c\u3057\u3001test.txt\u306e\u66f8\u304d\u8fbc\u307f\u304c\u7981\u6b62\u3055\u308c\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n
$ .\/test1.sh\r\n.\/test1.sh: \u884c 3: test.txt: \u8a31\u53ef\u304c\u3042\u308a\u307e\u305b\u3093<\/pre>\n\u300c\u8a31\u53ef\u304c\u3042\u308a\u307e\u305b\u3093\u300d\u3068\u3044\u3046\u8868\u793a\u306b\u306a\u3063\u3066test.txt\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3081\u306a\u3044\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n
\u6700\u5f8c\u306b<\/h2>\n
\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u306b\u516c\u958b\u3057\u3066\u3044\u308b\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u3001\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3084\u4e0d\u6b63\u9032\u5165\u306e\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u306a\u308b\u3053\u3068\u304c\u591a\u3044\u306e\u3067\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306f\u91cd\u8981\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u3061\u306a\u307f\u306b\u3001CentOS\u3067\u306f\u5225\u306e\u300cSELinux\u300d\u304c\u6a19\u6e96\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002
\n\u6b21\u56de\u306f\u3001\u30b5\u30fc\u30d0\u30fc\u306e\u96fb\u6e90\u3092\u5b88\u308b\u300cUPS\u300d\uff08\u7121\u505c\u96fb\u96fb\u6e90\u88c5\u7f6e\uff09\u3092\u6271\u3044\u307e\u3059\u3002<\/p>\nwritten by \u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u30de\u30ac\u30b8\u30f3\u7de8\u96c6\u90e8\uff08\u3042\uff09<\/p>\n","protected":false},"excerpt":{"rendered":"
\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3092\u5b88\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u4ed5\u7d44\u307f\u3068\u3057\u3066\u300c\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u300d\uff08Mandatory Access Control\uff09\u304c\u3042\u308a\u307e\u3059\u3002\u5f37\u5236\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3067\u306f\u3001\u300c\u30d1\u30fc\u30df\u30c3\u30b7\u30e7\u30f3\u300d\u306a\u3069\u3067\u5b9a\u3081\u3089\u308c\u3066\u3044\u308bOS\u306e\u6a19\u6e96\u7684\u306a\u5236\u9650\u3067\u306f\u306a\u304f\u3001\u30e6\u30fc\u30b6\u30fc\u3084\u5b9f\u884c\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u5bfe\u3057\u3066\u3088\u308a\u53b3\u3057\u3044\u5236\u9650\u3092\u8a2d\u5b9a\u3067\u304d\u307e\u3059\u3002 \u4f8b\u3048\u3070\u3001\u3042\u308b\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u5bfe\u3057\u3066\u3001\u53c2\u7167\u3057\u304b\u3057\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u66f8\u304d\u8fbc\u307f\u3001\u5229\u7528\u3059\u308b\u306f\u305a\u304c\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3001\u95a2\u4fc2\u304c\u306a\u3044\u5225\uff3b\u2026\uff3d<\/a><\/p>\n","protected":false},"author":9,"featured_media":3157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-3156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article"],"_links":{"self":[{"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/posts\/3156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/comments?post=3156"}],"version-history":[{"count":12,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/posts\/3156\/revisions"}],"predecessor-version":[{"id":3188,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/posts\/3156\/revisions\/3188"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/media\/3157"}],"wp:attachment":[{"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/media?parent=3156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/categories?post=3156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shell-mag.com\/wp-json\/wp\/v2\/tags?post=3156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}