Skip to content

AppArmor.d

Bin

roddhjav/apparmor.d

AppArmor.d

roddhjav/apparmor.d

Home
Home
- Home
  Home
- Getting Started
  Getting Started
- Advanced
  Advanced
- Troubleshooting
  Troubleshooting
  - Known issues
  - System Recovery
Security
Security
- Security
  Security
- Security Model
  Security Model
- Implementation
  Implementation
  - Security Architecture
  - Security Hardening
Development
Development
- Development
  Development
  - Roadmap
- Profiles
  Profiles
  - Workflow
  - Guidelines
  - Internal
  - Directives
  - Dbus
  - Recommendations
- Packages
  Packages
  - Building the profiles
- Tests
  Tests
Abstractions
Abstractions
- Abstractions
  Abstractions
- Layers
  Layers
- System
  System
- Specialized
  Specialized
Linter
Linter
- Linter
  Linter
- Security Checks
  Security Checks
- Compatibility Checks
  Compatibility Checks
  - Abi
  - Bin Bin
    On this page
    
    Problematic rule
    
    Correct rule
    
    Rationale
    
    Exceptions
  - Directory Mark
  - Equivalent
- Style Checks
  Style Checks

`bin` / `sbin`¶

Use of incorrect binary path in rules.

Problematic rule¶

# WRONG
@{bin}/cron Px,

# WRONG
@{sbin}/pass Px,

Correct rule¶

@{sbin}/cron Px,

@{bin}/pass Px,

Rationale¶

To differentiate between system binaries and administrator binaries, apparmor.d uses two separate variables: @{bin} for regular binaries and @{sbin} for system binaries.

The list of known path in /usr/sbin is maintained under the sbin.list file.

Exceptions¶

Some binaries may be installed in both @{bin} and @{sbin} depending on the package it is installed from. For instance, upstream docker package installs dockerd in /usr/bin/ while the distribution package installs it in /usr/sbin/. In such cases, both paths is required.