
AppArmor

https://help.ubuntu.com/14.04/serverguide/apparmor.html

AppArmor is a Linux Security Module implementation of name-based mandatory access control. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.

AppArmor is installed and loaded by default. It uses per-program profiles to determine what files and permissions a program requires. Some packages install their own profiles, and additional profiles can be found in the apparmor-profiles package.

To install the apparmor-profiles package, enter the following in a terminal:

sudo apt-get install apparmor-profiles

AppArmor profiles have two modes of execution:

    • Complaining/Learning: profile violations are permitted and logged. This is useful for testing and developing new profiles.

    • Enforced/Confined: the profile policy is enforced, and violations are logged.

Using AppArmor

The apparmor-utils package contains command-line tools that you can use to change the execution mode of AppArmor, view the status of profiles, create new profiles, and so on.

  • apparmor_status is used to view the current status of AppArmor profiles.

    sudo apparmor_status

  • aa-complain places a profile into complain mode.

    sudo aa-complain /path/to/bin

  • aa-enforce places a profile into enforce mode.

    sudo aa-enforce /path/to/bin

  • The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles at once.

    To place all profiles into complain mode, enter:

    sudo aa-complain /etc/apparmor.d/*

    To place all profiles into enforce mode:

    sudo aa-enforce /etc/apparmor.d/*

  • apparmor_parser is used to load a profile into the kernel. It can also reload a currently loaded profile using the -r option. To load a profile:

    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

    To reload a profile:

    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

  • service apparmor can be used to reload all profiles:

    sudo service apparmor reload

  • The /etc/apparmor.d/disable directory can be used together with the apparmor_parser -R option to disable a profile.

    sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
    sudo apparmor_parser -R /etc/apparmor.d/profile.name

    To re-enable a disabled profile, remove the symbolic link to the profile in /etc/apparmor.d/disable/, then load the profile using the -a option.

    sudo rm /etc/apparmor.d/disable/profile.name
    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

  • AppArmor can be disabled, and its kernel module unloaded, by entering the following:

    sudo service apparmor stop
    sudo update-rc.d -f apparmor remove

  • To re-enable AppArmor, enter:

    sudo service apparmor start
    sudo update-rc.d apparmor defaults

Replace profile.name with the name of the profile you want to manipulate. Also replace /path/to/bin/ with the actual path of the executable. For example, for the ping command use /bin/ping.

Profiles

AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, with each "/" replaced by ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
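The naming convention above and the disable/ symlink mechanism described under Using AppArmor are easy to get wrong by hand, so here is an added example (not from the Ubuntu guide) that derives the profile file name for an executable and reports whether that profile is enabled, disabled or missing. It works on a constructed temporary directory standing in for /etc/apparmor.d, so it runs without AppArmor installed; the profile contents and the slapd profile are made up for the example, and the apparmor_parser reload step that the guide pairs with the symlink is deliberately left out.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide.
# A throwaway directory stands in for /etc/apparmor.d (assumption of this
# example), so nothing here touches the real AppArmor configuration.

# Map an executable path to the conventional profile file name:
# /bin/ping -> bin.ping, /usr/sbin/slapd -> usr.sbin.slapd
profile_name_for() {
    # strip the leading slash, then turn every remaining "/" into "."
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Build a fake profile directory with two constructed profiles, one of them
# disabled the way the guide describes (symlink in disable/). Prints the path.
setup_fake_apparmor_d() {
    d=$(mktemp -d)
    mkdir -p "$d/disable"
    # constructed minimal profiles; their content is irrelevant to the checks
    printf '/bin/ping {\n}\n' > "$d/bin.ping"
    printf '/usr/sbin/slapd {\n}\n' > "$d/usr.sbin.slapd"
    ln -s "$d/usr.sbin.slapd" "$d/disable/usr.sbin.slapd"
    printf '%s\n' "$d"
}

# Report "enabled", "disabled" or "missing" for an executable's profile.
# $1 = profile directory, $2 = executable path
profile_state() {
    dir=$1
    name=$(profile_name_for "$2")
    if [ ! -f "$dir/$name" ]; then
        echo missing
    elif [ -L "$dir/disable/$name" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Re-enable a disabled profile by removing the symlink. On a real system the
# guide then reloads it with "apparmor_parser -a"; that step is skipped here.
reenable_profile() {
    rm -f "$1/disable/$(profile_name_for "$2")"
}
```

Run it as `d=$(setup_fake_apparmor_d); profile_state "$d" /usr/sbin/slapd` to see "disabled", then `reenable_profile "$d" /usr/sbin/slapd` flips it to "enabled". Checking for the symlink is exactly what distinguishes a profile that is merely unloaded from one that has been deliberately disabled and will stay unloaded across a `service apparmor reload`.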

There are two main types of rules used in profiles:

    • Path entries: detail which files in the file system an application can access.

    • Capability entries: determine what privileges a confined process is allowed to use.

As an example, take a look at /etc/apparmor.d/bin.ping:

    #include <tunables/global>
    /bin/ping flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/consoles>
      #include <abstractions/nameservice>

      capability net_raw,
      capability setuid,
      network inet raw,

      /bin/ping mixr,
      /etc/modules.conf r,
    }

    • #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.

    • /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.

    • capability net_raw: allows the application access to the CAP_NET_RAW POSIX.1e capability.

    • /bin/ping mixr: allows the application read and execute access to the file.
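To make the structure of the bin.ping profile concrete, here is an added example (not part of the Ubuntu guide) that pulls the capability rules and path rules out of a profile file and switches the header between complain and enforce, which is what aa-complain and aa-enforce do to the file before reloading it. The profile text it writes is a copy of the bin.ping example above; the temporary-file handling and the rule-extraction patterns are assumptions of this example and cover only the simple one-rule-per-line form shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide. The sample profile is the
# bin.ping profile from the page, written to a temp file so nothing under
# /etc/apparmor.d is touched.

# Write the sample profile to a temp file and print its path.
write_sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
EOF
    printf '%s\n' "$f"
}

# List the capabilities a profile grants, one per line (trailing comma removed).
profile_capabilities() {
    awk '/^[[:space:]]*capability[[:space:]]/ { sub(/,$/, "", $2); print $2 }' "$1"
}

# List path rules as "path mode", one per line. A path rule is a line that
# starts with "/" and ends with "," (the header line ends with "{" instead).
profile_path_rules() {
    awk '/^[[:space:]]*\/.*,[[:space:]]*$/ { sub(/,$/, "", $2); print $1, $2 }' "$1"
}

# Report the profile mode: "complain" if the header carries flags=(complain),
# otherwise "enforce" (a header without flags is enforced).
profile_mode() {
    if grep -q 'flags=(complain)' "$1"; then echo complain; else echo enforce; fi
}

# What aa-enforce does to the file: drop flags=(complain) from the header.
# (A temp file plus mv is used instead of the GNU-only "sed -i".)
set_enforce() {
    tmp=$(mktemp)
    sed 's/ flags=(complain)//' "$1" > "$tmp" && mv "$tmp" "$1"
}

# What aa-complain does: add flags=(complain) to the "/path {" header line.
set_complain() {
    tmp=$(mktemp)
    sed 's#^\(/[^ ]*\) {#\1 flags=(complain) {#' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

A quick review of a profile is then `p=$(write_sample_profile); profile_capabilities "$p"; profile_path_rules "$p"`, which shows at a glance that ping is limited to raw sockets, setuid and two files. After `set_enforce "$p"` the header reads `/bin/ping {`; on a real system the change only takes effect once the profile is reloaded with apparmor_parser -r, as the guide notes.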

After editing a profile it must be reloaded. See Using AppArmor for details.

Creating a profile

    • Design a test plan: Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a short description and list the steps to follow.

      Some standard test cases are:

      • Starting the program.

      • Stopping the program.

      • Reloading the program.

      • Testing all the commands supported by the init script.

    • Generate the new profile: Use aa-genprof to generate a new profile. From a terminal:

      sudo aa-genprof executable

      For example:

      sudo aa-genprof slapd

    • To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

      • Include your test plan and test cases.

      • Attach your new profile to the bug.

Updating profiles

When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles. From a terminal:

sudo aa-logprof

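To show what aa-logprof is working from, here is an added example (not part of the Ubuntu guide) that scans a log for AppArmor audit messages, counts them per profile and prints the profile/path/mask triples that a path rule would be built from. The log lines are constructed in the style of AppArmor kernel audit records; the profiles, paths, pids and the unrelated sshd line are made up for this example, and the field names (apparmor, operation, profile, name, requested_mask, capname) are the ones AppArmor uses in such records.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide. The log is constructed; real
# systems write these records to /var/log/kern.log, /var/log/syslog or the
# audit log depending on configuration (assumption of this example).

# Write the constructed sample log to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
kernel: audit: type=1400 audit(1400000000.101:12): apparmor="DENIED" operation="open" profile="/bin/ping" name="/etc/hosts.deny" pid=2001 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1400000000.102:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/var/log/slapd.log" pid=2002 comm="slapd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1400000000.103:14): apparmor="DENIED" operation="capable" profile="/bin/ping" pid=2001 comm="ping" capability=13 capname="net_raw"
kernel: audit: type=1400 audit(1400000000.104:15): apparmor="STATUS" operation="profile_replace" name="/bin/ping" pid=1999 comm="apparmor_parser"
sshd[1500]: Accepted publickey for admin from 192.0.2.10 port 51234
EOF
    printf '%s\n' "$f"
}

# Extract the value of a key="value" field from one audit line (empty if the
# key is absent). The leading space keeps "name" from matching "capname".
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { if (match($0, " " k "=\"[^\"]*\""))
              print substr($0, RSTART + length(k) + 3, RLENGTH - length(k) - 4) }'
}

# Print only DENIED (enforce mode) and ALLOWED (complain mode) events as
# "status profile operation"; STATUS records and non-AppArmor lines are skipped.
audit_events() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' "$1" | while IFS= read -r line; do
        printf '%s %s %s\n' "$(audit_field "$line" apparmor)" \
            "$(audit_field "$line" profile)" "$(audit_field "$line" operation)"
    done
}

# Count events per profile: the first thing to look at when a confined
# program misbehaves.
count_by_profile() {
    audit_events "$1" | awk '{ c[$2]++ } END { for (p in c) print p, c[p] }' | sort
}

# For file events print "profile path mask", the raw material aa-logprof
# turns into a path rule; capability events print "profile capability:<name>".
candidate_rules() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' "$1" | while IFS= read -r line; do
        prof=$(audit_field "$line" profile)
        cap=$(audit_field "$line" capname)
        if [ -n "$cap" ]; then
            printf '%s capability:%s\n' "$prof" "$cap"
        else
            printf '%s %s %s\n' "$prof" "$(audit_field "$line" name)" \
                "$(audit_field "$line" requested_mask)"
        fi
    done
}
```

Running `l=$(write_sample_log); candidate_rules "$l"` lists the two file accesses and the one capability that would each need a rule if they are legitimate. The ALLOWED record is worth noting: it comes from a profile in complain mode, so the access went through and was only logged; once that profile is switched to enforce the same line would appear as DENIED.
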
Resources
    • You can find advanced configuration options in the AppArmor Administration Guide.

    • See the AppArmor Community Wiki for detailed usage of AppArmor in other Ubuntu releases.

    • The OpenSUSE AppArmor page is another introduction to AppArmor.

    • The #ubuntu-server IRC chat channel on freenode is a great place to seek apparmor help and participate in the Ubuntu server community.
