What is apparmor?
What it is
Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog
or auditd
. Profiles in complain mode don't enforce any profile rules, just log violation attempts.
In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles
package.
You can install apparmor-profiles
by running sudo apt-get install apparmor-profiles
.
I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my
home
folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works
The apparmor-utils
package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.
These are the most common commands:
Note: Profiles are stored in /etc/apparmor.d/
- You can check Apparmor's status with
sudo apparmor_status
. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc. - To put a profile in complain mode you use
sudo aa-complain /path/to/bin
, where/path/to/bin
is the programsbin
folder. For example, running:sudo aa-complain /usr/bin/firefox
will put Firefox in complain mode. - You use
sudo aa-enforce /path/to/bin
to enforce a programs profile. - You can load all profiles into complain/enforce modes with
sudo aa-complain /etc/apparmor.d/*
andsudo aa-enforce.d/*
respectively.
To load a profile into the kernel you would use apparmor_parser
. You can reload profiles using the -r
parameter.
- To load a profile use:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
, which effectively prints the contents ofprofile.name
into Apparmor's parser. - To reload a profile you use the
-r
parameter, like so:cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of Apparmor's profiles use:
sudo service apparmor reload
To disable a profile you link it to /etc/apparmor.d/disable/
using ln
like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name
.
Note: Do not confuse apparmor_parser -r
with apparmor_parser -R
THEY ARE NOT THE SAME THING!
- To re-enable a profile, remove the symbolic link to it in
/etc/apparmor.d/disable/
then load it using the-a
parameter.sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable Apparmor with
sudo service apparmor stop
and remove the kernel module usingsudo update-rc.d -f apparmor defaults
- Start Apparmor with
sudo service apparmor start
and load kernel modules withsudo update-rc.d apparmor defaults
Profiles
Profiles are stored in /etc/apparmor.d/
and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping
is the profile for ping
in /bin
.
There are two main types of entries used in profiles:
Path Entries determine what files an application can access.
Capability entries determine what privileges a process can use.
Lets look at the profile for ping
, located in etc/apparmor.d/bin.ping
, as an example.
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}
#include <tunables/global>
Includes the file global
in the directory tunables
, this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain)
sets the path to the profiled program and sets the mode to complain.
capability net_raw
allows the application access to the CAP_NET_RAW Posix.1e
capability.
/bin/ping mixr
allows the application read and execute access to the file.
/etc/modules.conf r,
The r
gives the application read privileges for /etc/modules.conf
Note: After creating/editing a profile, you need to reload the profile for changes to take effect.
Here is a list of permissions you can use:
r
- readw
- writeux
- Unconstrained ExecuteUx
- Unconstrained Execute -- scrub the environmentpx
- Discrete profile executePx
- Discrete profile execute -- scrub the environmentix
- Inherit executem
- allowPROT_EXEC
withmmap(2)
callsl
- link
Sources
- http://ubuntuforums.org/showthread.php?t=1606499
- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.
AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.
AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor functionality is in the mainline Linux kernel from 2.6.36 onwards; work is ongoing by AppArmor, Ubuntu and other developers to merge additional AppArmor functionality into the mainline kernel.
I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org
Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10
Hope that will help you.
Here is a quote from the Apparmor wiki:
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.