AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use kernel >=3.12.
Activate the following kernel options:
Security options ---> -*- Enable the securityfs filesystem -*- Socket and Networking Security Hooks [*] Enable different security models [*] AppArmor support [*] Enable introspection of sha1 hashes for loaded profiles [*] Enable policy hash introspection by default [ ] Build AppArmor with debug code First legacy 'major LSM' to be initialized (AppArmor) --->
Install the userspace tools. It contains the profile parser and init script:
emerge --ask sys-apps/apparmor
Emerging the following package is recommended, but not required. This package contains additional userspace utilities to assist with profile management:
emerge --ask sys-apps/apparmor-utils
- sys-libs/libapparmor - The core library to support the userspace utilities
- sec-policy/apparmor-profiles - A collection of pre-built profiles contributed by the AppArmor community
If you did not select AppArmor as the default security module and set the boot parameter default value in the kernel configuration, you will need to enable AppArmor manually at boot time.
title=Gentoo with AppArmor root (hd0,0) kernel /vmlinuz root=/dev/sda2 apparmor=1 security=apparmor
Apply changes by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but some may prefer to do it manually:
none /sys/kernel/security securityfs defaults 0 0
Adding it to boot runlevel:
rc-update add apparmor boot
Enabling the service will load all profiles on startup:
systemctl enable apparmor.service
Working with profiles
Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - you may organised them however it suits you.
abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
Profiles are referred to by name, including any parent subdirectories if present.
The init script will automatically load all profiles located in your profile directory. Unless specifically specified otherwise, each profile will be loaded in enforce mode.
To activate a profile, simply set it to enforce mode:
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Similarly, to deactivate a profile, simply set it to complain mode.
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
The current status of your profiles may be viewed using aa-status:
# aa-status apparmor module is loaded. 6 profiles are loaded. 5 profiles are in enforce mode. /bin/ping /sbin/klogd /sbin/syslog-ng /usr/sbin/dnsmasq /usr/sbin/identd 1 profiles are in complain mode. /usr/sbin/lspci 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/dnsmasq (12905) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.