Security Handbook/Linux Security Modules/AppArmor

From Gentoo Wiki
Jump to:navigation Jump to:search

AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).



While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use kernel >=3.12.

Activate the following kernel options:

General setup --->
    -*- Auditing support

Security options  --->
    -*- Enable the securityfs filesystem
    -*- Socket and Networking Security Hooks
    [*] Enable different security models
    [*] AppArmor support
          [*]   Enable introspection of sha1 hashes for loaded profiles
          [*]      Enable policy hash introspection by default
    [ ] Build AppArmor with debug code
          First legacy 'major LSM' to be initialized (AppArmor)  --->
          "yama,apparmor" Ordered List of enabled LSMs

Below the "First legacy 'major LSM' to be initialized (AppArmor) --->"
Is an "Ordered List of enabled LSMs" (CONFIG_LSM=) containing a list of strings that needs to be modified to include AppArmor
Yama is the only one Gentoo sets for now, AppArmor needs to be added to the list. So the new string should become: "yama, apparmor"
Please make sure CONFIG_LSM="yama, apparmor" is set in your kernel .config


Install the userspace tools. It contains the profile parser and init script:

root #emerge --ask sys-apps/apparmor

Emerging the following package is recommended, but not required. This package contains additional userspace utilities to assist with profile management:

root #emerge --ask sys-apps/apparmor-utils

Additional software


Enabling AppArmor

If AppArmor was not selected as the default security module, and the boot parameter was not set to the default value in the kernel configuration, AppArmor must be manually enabled at boot time.


Some of the information in this section may have drifted out of sync with current practices. Please help out by checking over the content (how to get started).
FILE /boot/grub/grub.confExample GRUB config for AppArmor with simple kernel
title=Gentoo with AppArmor
root (hd0,0)
kernel /vmlinuz root=/dev/sda2 apparmor=1 security=apparmor


FILE /etc/default/grubEnabling AppArmor with GRUB 2
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 security=apparmor"

Apply changes by running:

root #grub-mkconfig -o /boot/grub/grub.cfg


securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but some may prefer to do it manually:

FILE /etc/fstabsecurityfs entry for fstab
none     /sys/kernel/security securityfs defaults            0      0



Adding AppArmor to boot runlevel:

root #rc-update add apparmor boot


Enabling the service will load all profiles on startup:

root #systemctl enable apparmor.service

Working with profiles

Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - they may be organized as desired.

root #ls /etc/apparmor.d
abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute

Profiles are referred to by name, including any parent subdirectories if present.

Automatic control

The init script will automatically load all profiles located in the profile directory. Unless specified otherwise, each profile will be loaded in enforce mode.

Manual control

To activate a profile, simply set it to enforce mode:

root #aa-enforce usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.

Similarly, to deactivate a profile, simply set it to complain mode:

root #aa-complain usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.

The current status profiles may be viewed using aa-status:

root #aa-status
apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
1 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Generating profiles

AppArmor can grab kernel audit logs from the userspace auditd daemon, allowing profile generation. To generate new profiles, the Audit framework should be installed and running:

root #emerge --ask --verbose sys-process/audit


root #rc-update add auditd default
root #rc-service auditd start


root #systemctl enable auditd.service
root #systemctl start auditd.service

New AppArmor profiles can be generated by utilizing aa-genprof:

root #aa-genprof /path/to/executable

Run the executable in a different terminal window and exercise its full functionality, then go back and [S]can, and either [A]llow or [D]eny. Press [F]inish to save the profile.

The aa-logprof utility can be used to scan log files for AppArmor audit messages, review them and update the profiles if the program is misbehaving after generating an initial profile. From a terminal:

root #aa-logprof

External resources