1.2 Determining Programs to Immunize

Now that you have familiarized yourself with AppArmor, start selecting the applications to build profiles for. Programs that need profiling are those that mediate privilege. The following programs have access to resources that the person using the program does not have, so they grant the privilege to the user when used:

cron Jobs

Programs that are run periodically by cron. Such programs read input from a variety of sources and can run with special privileges, sometimes with as much as root privilege. For example, cron can run /usr/sbin/logrotate daily to rotate, compress or even mail system logs. For instructions for finding these types of programs, refer to Section 1.3, Immunizing Cron Jobs.

Web Applications

Programs that can be invoked through a Web browser, including CGI Perl scripts, PHP pages, and more complex Web applications. For instructions for finding these types of programs, refer to Section 1.4.1, Immunizing Web Applications.

Network Agents

Programs (servers and clients) that have open network ports. User clients, such as mail clients and Web browsers mediate privilege. These programs run with the privilege to write to the user's home directory and they process input from potentially hostile remote sources, such as hostile Web sites and e-mailed malicious code. For instructions for finding these types of programs, refer to Section 1.4.2, Immunizing Network Agents.

Conversely, unprivileged programs do not need to be profiled. For instance, a shell script might invoke the cp program to copy a file. Because cp does not have its own profile, it inherits the profile of the parent shell script, so can copy any files that the parent shell script's profile can read and write.