AppArmor

AppArmor is a Linux Security Module implementation of name-based mandatory access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities.

AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.

To install the apparmor-profiles package from a terminal prompt:

sudo apt-get install apparmor-profiles

AppArmor profiles have two modes of execution:

• Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles.
• Enforced/Confined: enforces profile policy as well as logging the violation.

Using AppArmor

The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.

• apparmor_status is used to view the current status of AppArmor profiles.

  sudo apparmor_status
  

• aa-complain places a profile into complain mode.

  sudo aa-complain /path/to/bin
  

• aa-enforce places a profile into enforce mode.

  sudo aa-enforce /path/to/bin
  

• The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles.
  Enter the following to place all profiles into complain mode:

  sudo aa-complain /etc/apparmor.d/*
  

  To place all profiles in enforce mode:

  sudo aa-enforce /etc/apparmor.d/*
  

• apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:

  cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
  

  To reload a profile:

  cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
  

• service apparmor can be used to reload all profiles:

  sudo service apparmor reload
  

• The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.

  sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
  sudo apparmor_parser -R /etc/apparmor.d/profile.name
  

  To re-enable a disabled profile remove the symbolic link to the profile in /etc/apparmor.d/disable/. Then load the profile using the -aoption.

  sudo rm /etc/apparmor.d/disable/profile.name
  cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
  

• AppArmor can be disabled, and the kernel module unloaded by entering the following:

  sudo service apparmor stop
  sudo update-rc.d -f apparmor remove
  

• To re-enable AppArmor enter:

  sudo service apparmor start
  sudo update-rc.d apparmor defaults

  
  
  Profiles
  
  
  
  
  AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile replacing the "/" with ".". For example /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
  
  There are two main type of rules used in profiles:
  
  
  
  Path entries: which detail which files an application can access in the file system.
  
  
  Capability entries: determine what privileges a confined process is allowed to use.
  
  
  
  
  As an example take a look at /etc/apparmor.d/bin.ping:
  
  #include <tunables/global>
  /bin/ping flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
  
    capability net_raw,
    capability setuid,
    network inet raw,
    
    /bin/ping mixr,
    /etc/modules.conf r,
  }
  
  
  
  
  
  #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.
  
  
  /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.
  
  
  capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability.
  
  
  /bin/ping mixr,: allows the application read and execute access to the file.