
12-C.11: AppArmor


    AppArmor

    AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

    AppArmor Profiles/Modes

    AppArmor confinement is provided via profiles loaded into the kernel via apparmor_parser(8), typically through the /etc/init.d/apparmor SysV initscript, which is used like this:

    # /etc/init.d/apparmor start
    # /etc/init.d/apparmor stop
    # /etc/init.d/apparmor restart

    AppArmor profiles can be loaded in one of two modes: enforcement, or complain (also called learning):

    · Enforcement - Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts to syslogd.

    · Complain - Profiles loaded in "complain" mode will not enforce policy. Instead, they only report policy violation attempts. This mode is convenient for developing profiles.

    Profiles are traditionally stored in files in /etc/apparmor.d/ under filenames with the convention of replacing the / in pathnames with . (except for the root /) so profiles are easier to manage (e.g. the /usr/sbin/nscd profile would be named usr.sbin.nscd).
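The violation reports sent to syslogd can be grouped by mode and mapped back to the profile file that would need editing. The following is an added example, not part of the original page: the sample log lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed syslog lines (not from the page). The key="value" layout follows
# the kernel audit records AppArmor emits; host, pids and paths are made up.
SAMPLE_LOG = '''\
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1704880801.101:50): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/shadow" pid=812 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1704880802.330:51): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/shadow" pid=812 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:03 host kernel: audit: type=1400 audit(1704880803.007:52): apparmor="ALLOWED" operation="open" profile="/usr/bin/man" name="/home/alice/.manpath" pid=990 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 10 10:00:04 host kernel: audit: type=1400 audit(1704880804.500:53): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/nscd" pid=700 comm="apparmor_parser"
Jan 10 10:00:05 host sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# DENIED is logged by enforce-mode profiles, ALLOWED by complain-mode profiles.
MODES = {"DENIED": "enforce", "ALLOWED": "complain"}

def profile_filename(profile):
    """Map a path-style profile name to its file name under /etc/apparmor.d/."""
    if not profile.startswith("/"):
        return profile            # named profile: no path convention applies
    return profile.lstrip("/").replace("/", ".")

def summarize(log_text):
    """Count violations per (mode, profile file, object, denied access)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = {k: q or u for k, q, u in KV.findall(line)}
        mode = MODES.get(fields.get("apparmor"))
        if mode is None:
            continue              # STATUS records and non-AppArmor lines
        key = (mode, profile_filename(fields.get("profile", "?")),
               fields.get("name", "?"), fields.get("denied_mask", "?"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (mode, pfile, name, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {mode:8s} /etc/apparmor.d/{pfile}  {name} ({mask})")
```

Entries counted under "complain" were reported but not blocked, so they show what a profile would deny once it is switched to enforcement.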

    Profiles are applied to a process at execution time; an already running process cannot be confined. However, once a profile is loaded for a program, that program will be confined on the next execution.

    AppArmor also restricts what privileged operations a confined process may execute, even if the process is running as root.

    Adjusting Tunables

    AppArmor provides a mechanism for tuning your configuration without having to adjust your profiles. These tunables are stored in various files in /etc/apparmor.d/tunables. The most common tunable to adjust is /etc/apparmor.d/tunables/home. If AppArmor is denying access to files in your home directory and your home directory is not in /home, then you need to edit /etc/apparmor.d/tunables/home accordingly. For example, if your home directory is under /exports/home then change:

    # @{HOMEDIRS} is a space-separated list of where user home directories
    # are stored, for programs that must enumerate all home directories on a
    # system. 
    @{HOMEDIRS}=/home/
    
    to be:
    
    # @{HOMEDIRS} is a space-separated list of where user home directories
    # are stored, for programs that must enumerate all home directories on a
    # system. 
    @{HOMEDIRS}=/home/ /exports/home/
    

    There are other tunables available to you in /etc/apparmor.d/tunables. Most often, issues that are resolved by adjusting a tunable are not considered to be bugs in the profile.
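Before editing the tunable, it helps to know which accounts actually have a home directory outside @{HOMEDIRS}. The following is an added example, not part of the original page: the tunable and passwd contents are constructed, the function names are illustrative, and the UID cutoff of 1000 for regular accounts is an assumption.

```python
import re

# Constructed inputs (not from the page): a tunables/home file carrying the
# corrected value shown above, and a few passwd(5)-style account lines.
TUNABLE = """\
# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/ /exports/home/
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/exports/home/bob:/bin/bash
carol:x:1002:1002:Carol:/srv/users/carol:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

def homedirs(tunable_text):
    """Return the directories assigned to @{HOMEDIRS} (= and += lines)."""
    dirs = []
    for line in tunable_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"@\{HOMEDIRS\}\s*(\+?=)\s*(.*)", line)
        if m:
            if m.group(1) == "=":                 # plain assignment resets
                dirs = []
            dirs += m.group(2).split()
    return dirs

def uncovered_homes(tunable_text, passwd_text, min_uid=1000):
    """List (user, home) for regular accounts whose home is outside @{HOMEDIRS}."""
    # min_uid=1000 is an assumed cutoff between system and regular accounts.
    roots = [d.rstrip("/") + "/" for d in homedirs(tunable_text)]
    missing = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 7 or int(fields[2]) < min_uid:
            continue
        home = fields[5].rstrip("/") + "/"
        if not any(home.startswith(r) and home != r for r in roots):
            missing.append((fields[0], fields[5]))
    return missing

if __name__ == "__main__":
    for user, home in uncovered_homes(TUNABLE, PASSWD):
        print(f"{user}: {home} is not under any @{{HOMEDIRS}} entry")
```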

    AppArmor Command-line

    Command | Used for
    aa-status | Reports various aspects of the current state of AppArmor confinement. By default, it displays the same information as if the --verbose argument were given.
    aa-enabled | Tests whether AppArmor is enabled.
    aa-exec | Launches a program confined by the specified profile and/or namespace. If both a profile and a namespace are specified, the command will be confined by the profile in the new policy namespace. If only a namespace is specified, the profile name of the current confinement will be used. If neither a profile nor a namespace is specified, the command will be run using standard profile attachment.
    aa-teardown | Unloads all AppArmor profiles.

    Adapted From:
    "Debugging Apparmor" by Jamie Strandboge, Ubuntu Wiki is licensed under CC BY-SA 4.0
    "AppArmor" by Alex Murray, Ubuntu Wiki is licensed under CC BY-SA 4.0


    12-C.11: AppArmor is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.
