Now that you have familiarized yourself with AppArmor, start selecting the applications for which to build profiles. Programs that need profiling are those that mediate privilege. The following programs have access to resources that the person using the program does not have, so they grant the privilege to the user when used:
Programs that are run periodically by cron. Such programs read input
from a variety of sources and can run with special privileges,
sometimes with as much as root
privilege. For example, cron can
run /usr/sbin/logrotate daily to rotate, compress,
or even mail system logs. For instructions for finding these types of
programs, refer to
Section 1.3, “Immunizing cron Jobs”.
Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications. For instructions for finding these types of programs, refer to Section 1.4.1, “Immunizing Web Applications”.
Programs (servers and clients) that have open network ports. User clients, such as mail clients and Web browsers mediate privilege. These programs run with the privilege to write to the user's home directory and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code. For instructions for finding these types of programs, refer to Section 1.4.2, “Immunizing Network Agents”.
Conversely, unprivileged programs do not need to be profiled. For instance, a shell script might invoke the cp program to copy a file. Because cp does not have its own profile, it inherits the profile of the parent shell script, so can copy any files that the parent shell script's profile can read and write.