AppArmor
Installation
AppArmor is installed by default in Ubuntu[1] and openSUSE[2].
sudo apt-get install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra # Debian
Fedora doesn't support AppArmor at the moment.[3][4]
Configuration
Enable AppArmor via the following kernel boot parameter:
apparmor=1 security=apparmor
The configuration files in /etc/apparmor can be left untouched for now; the profiles, which live in /etc/apparmor.d, are the more interesting part.
Usage
Once enabled, we can check the status:
$ aa-status
apparmor module is loaded.
38 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   [...]
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Unfortunately, Debian doesn't ship many profiles, so most processes are still running unconfined anyway:
$ ps auxZ
unconfined   root    1  1.1  0.0  28732  4888 ?      Ss   20:20  0:03  /sbin/init
unconfined   root  585  0.0  0.0 258664  3516 ?      Ssl  20:21  0:00  /usr/sbin/rsyslogd -n
unconfined   root  574  0.0  0.0  55164  5324 ?      Ss   20:21  0:00  /usr/sbin/sshd -D
[...]
Let's try something: apparmor-profiles does ship a profile for ping:
$ ping -q localhost &
$ ps auxZ | grep pin[g]
/{usr/,}bin/ping   root 1161  0.4  0.0  10552  1812 pts/0  S    20:29  0:00  ping -q localhost
$ aa-status
1 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /{usr/,}bin/ping (1161)
Now ping runs under an AppArmor profile and is confined by the rules set in /etc/apparmor.d/bin.ping.
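Note that the aa-status output above puts ping in complain mode: the profile is attached and violations are logged, but nothing is blocked until the profile is switched to enforce mode. The script below is an added example (not code from this wiki page or from the AppArmor project) that turns the checks shown above into something repeatable: it parses "ps auxZ"-style output, counts processes with no profile at all, lists profiles that are only in complain mode, and reads a live process's label from /proc. The sample ps listing is constructed for the example and modelled on the page's output; the "(enforce)"/"(complain)" suffix in the label column is what ps shows on kernels that report the mode, and the cupsd line is an invented process added only so that an enforce-mode case is present.

```shell
#!/bin/sh
# Added example, not from the wiki page or the AppArmor project: summarise
# AppArmor confinement from 'ps auxZ'-style output. Column 1 is the process's
# label: "unconfined", or a profile name optionally followed by its mode,
# "(enforce)" or "(complain)". Only enforce mode denies anything; complain
# mode just logs what would have been denied.

# Constructed sample modelled on the page's listing (cupsd line is invented).
SAMPLE_PS='LABEL                       USER  PID %CPU %MEM    VSZ  RSS TTY   STAT START TIME COMMAND
unconfined                  root    1  1.1  0.0  28732 4888 ?     Ss   20:20 0:03 /sbin/init
unconfined                  root  585  0.0  0.0 258664 3516 ?     Ssl  20:21 0:00 /usr/sbin/rsyslogd -n
unconfined                  root  574  0.0  0.0  55164 5324 ?     Ss   20:21 0:00 /usr/sbin/sshd -D
/{usr/,}bin/ping (complain) root 1161  0.4  0.0  10552 1812 pts/0 S    20:29 0:00 ping -q localhost
/usr/sbin/cupsd (enforce)   root  701  0.0  0.1  80000 9000 ?     Ss   20:21 0:00 /usr/sbin/cupsd -l'

# Read ps output on stdin; print "<label> <mode> <pid> <command>" per process.
# Mode is "-" for unconfined processes and "unknown" when ps prints no mode.
parse_ps_labels() {
    awk 'NR == 1 { next }                    # skip the header line
         {
             label = $1; mode = "unknown"; i = 2   # i = index of the USER field
             if (label == "unconfined") { mode = "-" }
             else if ($2 ~ /^\((enforce|complain)\)$/) {
                 mode = substr($2, 2, length($2) - 2); i = 3
             }
             pid = $(i + 1)                   # PID follows USER
             cmd = $(i + 10)                  # COMMAND is the 10th field after USER
             print label, mode, pid, cmd
         }'
}

# Number of processes with no profile at all.
count_unconfined() {
    parse_ps_labels | awk '$1 == "unconfined" { n++ } END { print n + 0 }'
}

# Profiles that are attached but only logging (complain mode), i.e. not enforced.
list_complain_only() {
    parse_ps_labels | awk '$2 == "complain" { print $1 }'
}

# Read a live process's label straight from the kernel. Newer kernels expose
# /proc/<pid>/attr/apparmor/current, older ones /proc/<pid>/attr/current;
# prints "unavailable" if neither can be read (no such pid, or no AppArmor).
label_of_pid() {
    pid=$1
    cat "/proc/$pid/attr/apparmor/current" 2>/dev/null \
        || cat "/proc/$pid/attr/current" 2>/dev/null \
        || echo "unavailable"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS" | parse_ps_labels
echo "unconfined processes: $(printf '%s\n' "$SAMPLE_PS" | count_unconfined)"
echo "complain-mode profiles: $(printf '%s\n' "$SAMPLE_PS" | list_complain_only | tr '\n' ' ')"
echo "label of this shell: $(label_of_pid $$)"
```

On a real system replace the sample with `ps auxZ | count_unconfined`; anything listed by list_complain_only is a profile that still needs aa-enforce before it protects anything.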
TBD
Links
- AppArmor Wiki
- AppArmor on Debian
- Debian Wiki: AppArmor
- Ubuntu AppArmor Documentation
- AppArmor Application Security for SuSE Linux