In a previous blog post I explained how to create an AppArmor profile for a specific binary. However it is also possible to make a profile which is not linked to a specific executable, but you can load the profile in any systemd service. This is for example useful for services which share the same binary and only differ in the arguments you give on the command line. This can be useful for applications you start with uvicorn, or interpreted languages like Lisp or Rscript.
I assume you already have a systemd service file called myservice.service. In order to protect this service, create /etc/apparmor.d/myservice:
abi <abi/3.0>,
include <tunables/global>
profile myservice flags=(complain) {
include <abstractions/base>
}You see that I don’t use the path for a binary, but chose an arbitrary name.
Load the profile:
# apparmor_parser <em>/etc/apparmor.d/myservice</em>Modify /etc/systemd/system/myservice.service or run systemctl edit myservice and in the [Service] section add:
AppArmorProfile=myserviceReload the service files:
# systemctl daemon-reloadStart your service:
# systemctl start myserviceExercise your service and process all events with aa-logprof:
# aa-logprofDon’t forget to put it in enforce mode with aa-enforce if you are sure the profile is complete.