AppArmor

From Segfault

Installation

AppArmor is installed by default in Ubuntu[1] and openSUSE[2]; on Debian it has to be installed explicitly:

sudo apt-get install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra   # Debian

Fedora doesn't support AppArmor at the moment.[3][4]

Configuration

Enable AppArmor via the following kernel boot parameter:

apparmor=1 security=apparmor

The configuration files in /etc/apparmor should be left untouched for now; the AppArmor profiles, stored in /etc/apparmor.d, are the more interesting part.

Usage

Once enabled, we can check the status:

$ aa-status
apparmor module is loaded.
38 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
[...]
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Unfortunately, Debian doesn't ship many profiles, so most processes are still running unconfined anyway:

$ ps auxZ
unconfined        root      1  1.1  0.0  28732  4888 ?        Ss   20:20   0:03 /sbin/init
unconfined        root    585  0.0  0.0 258664  3516 ?        Ssl  20:21   0:00 /usr/sbin/rsyslogd -n
unconfined        root    574  0.0  0.0  55164  5324 ?        Ss   20:21   0:00 /usr/sbin/sshd -D
[...]

Let's try something: apparmor-profiles does ship a profile for ping:

$ ping -q localhost &
$ ps auxZ | grep pin[g]
/{usr/,}bin/ping  root   1161  0.4  0.0  10552  1812 pts/0    S    20:29   0:00 ping -q localhost

$ aa-status 
1 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /{usr/,}bin/ping (1161) 

Now ping runs under an AppArmor profile and is confined by the rules set in /etc/apparmor.d/bin.ping.
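The aa-status and ps auxZ checks above only show a snapshot; the following added example (not from the wiki page) is a small POSIX sh audit that reads every process's AppArmor label from /proc/<pid>/attr/current and reports how many are still unconfined. It assumes the kernel's label format `<profile> (<mode>)`, and the embedded sample input mirroring the ping session is constructed.

```sh
#!/bin/sh
# Added example, not part of the wiki page: report which processes AppArmor
# actually confines. The kernel exposes each task's label in
# /proc/<pid>/attr/current as "unconfined" or "<profile> (<mode>)",
# e.g. "/usr/sbin/sshd (enforce)" or "/{usr/,}bin/ping (complain)".

# summarize_labels: stdin carries "PID<TAB>COMM<TAB>LABEL" lines; prints one
# line per confined process, then a totals line the audit can alert on.
summarize_labels() {
    awk -F'\t' '
        { n++; mode = "other"
          if ($3 == "unconfined")                 mode = "unconfined"
          else if ($3 ~ / \(enforce\)$/)          mode = "enforce"
          else if ($3 ~ / \(complain\)$/)         mode = "complain"
          count[mode]++
          if (mode != "unconfined") printf "%-7s %-8s %s\n", $1, mode, $3 }
        END { printf "total=%d unconfined=%d enforce=%d complain=%d\n",
                     n, count["unconfined"], count["enforce"], count["complain"] }'
}

# live_labels: emit "PID<TAB>COMM<TAB>LABEL" for every process on this host.
live_labels() {
    for p in /proc/[0-9]*; do
        [ -r "$p/attr/current" ] || continue
        comm=$(cat "$p/comm" 2>/dev/null || true)
        label=$(tr -d '\n\0' < "$p/attr/current" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "${p#/proc/}" "$comm" "${label:-unconfined}"
    done
}

# sample_labels: constructed input mirroring the page's ps auxZ / aa-status
# session (init, sshd and rsyslogd unconfined; ping in complain mode).
sample_labels() {
    printf '%s\t%s\t%s\n' \
        1    init     unconfined \
        574  sshd     unconfined \
        585  rsyslogd unconfined \
        1161 ping     '/{usr/,}bin/ping (complain)'
}

# sample_totals: the totals line for the constructed sample.
sample_totals() { sample_labels | summarize_labels | tail -n 1; }

if [ "${1:-}" = "--live" ]; then
    live_labels | summarize_labels    # audit the running system
else
    sample_labels | summarize_labels  # demonstrate on the constructed sample
fi
```

Run it with `--live` on a host with AppArmor enabled to get the same per-process view that aa-status summarises; a non-zero `unconfined=` count lists the services that still need a profile.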

TBD

Links

References