Introduction to AppArmor
If you use Ubuntu or SUSE you probably already have AppArmor installed on your system, so take a moment to see how this software can help you.
Even if you don't use these distributions, this article may still be of interest if you care about the security of your Linux box.
AppArmor (“Application Armor”) is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
It has been included in the mainline Linux kernel since version 2.6.36. Since 2009, Canonical has contributed to the ongoing AppArmor development.
In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program’s typical behavior.
AppArmor is implemented using the Linux Security Modules (LSM) kernel interface.
AppArmor is offered in part as an alternative to SELinux, another system that is based on LSM to implement a MAC security model.
AppArmor is installed and loaded by default in recent versions of Ubuntu and uses application profiles to determine which files and permissions are necessary for the application. Some packages install their own profiles and additional profiles can be found in the package apparmor-profiles.
To install the package apparmor-profiles, in a terminal type:
sudo apt-get install apparmor-profiles
The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.
- apparmor_status is used to view the current status of AppArmor profiles.
- aa-complain places a profile into complain mode.
sudo aa-complain /path/to/bin
- aa-enforce places a profile into enforce mode.
sudo aa-enforce /path/to/bin
The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles. Enter the following to place all profiles into complain mode:
sudo aa-complain /etc/apparmor.d/*
To place all profiles in enforce mode:
sudo aa-enforce /etc/apparmor.d/*
- apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
To reload a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
/etc/init.d/apparmor can be used to reload all profiles:
sudo /etc/init.d/apparmor reload
- AppArmor can be disabled, and the kernel module unloaded by entering the following:
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
- To re-enable AppArmor enter:
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults
AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, with “/” replaced by “.”. For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
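As an added example (not part of the original article, and not the aa-logprof tool itself), the following Python sketch shows the learning-mode workflow described above: it parses complain-mode audit lines, merges the permission masks seen per path for one profile, renders a minimal profile, and derives the file name under /etc/apparmor.d using the naming rule just described. The profile path /usr/bin/example and the log lines are constructed, and the output is a starting point for review, not a profile to enforce as-is.

```python
import re
from collections import defaultdict

# Constructed sample of kernel audit lines in AppArmor's format: three from a profile
# in complain mode (apparmor="ALLOWED": logged, not blocked) and one real denial.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:101): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/log/example.log" pid=1201 comm="example" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.003:103): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/log/example.log" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Log masks use c (create) and d (delete); in profile syntax both are covered by w.
MASK_MAP = {"c": "w", "d": "w"}
PERM_ORDER = "rwakml"  # fixed order so rendered rules are deterministic

def parse_events(log_text):
    """Yield the key="value" fields of each AppArmor audit line as a dict."""
    for line in log_text.splitlines():
        if 'apparmor="' in line:
            yield dict(FIELD_RE.findall(line))

def collect_accesses(log_text, profile, status="ALLOWED"):
    """Merge the permission masks observed per path for one profile."""
    masks = defaultdict(set)
    for ev in parse_events(log_text):
        if ev.get("profile") != profile or ev.get("apparmor") != status:
            continue
        if "name" in ev and "requested_mask" in ev:
            masks[ev["name"]].update(MASK_MAP.get(c, c) for c in ev["requested_mask"])
    return masks

def profile_filename(exe_path):
    """Map an executable path to its file name under /etc/apparmor.d (/bin/ping -> bin.ping)."""
    return exe_path.lstrip("/").replace("/", ".")

def render_profile(profile, masks):
    """Render a minimal profile body; every rule still needs human review before aa-enforce."""
    lines = ["#include <tunables/global>", "", f"{profile} {{", "  #include <abstractions/base>", ""]
    for path in sorted(masks):
        perms = "".join(c for c in PERM_ORDER if c in masks[path])
        lines.append(f"  {path} {perms},")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    accesses = collect_accesses(SAMPLE_LOG, "/usr/bin/example")
    print(f"# /etc/apparmor.d/{profile_filename('/usr/bin/example')}")
    print(render_profile("/usr/bin/example", accesses))
```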