Security Handbook/Linux Security Modules/AppArmor
AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use kernel >=3.12.
Activate the following kernel options:
General setup ---> -*- Auditing support Security options ---> -*- Enable the securityfs filesystem -*- Socket and Networking Security Hooks [*] Enable different security models [*] AppArmor support [*] Enable introspection of sha1 hashes for loaded profiles [*] Enable policy hash introspection by default [ ] Build AppArmor with debug code First legacy 'major LSM' to be initialized (AppArmor) --->
Install the userspace tools. It contains the profile parser and init script:
emerge --ask sys-apps/apparmor
Emerging the following package is recommended, but not required. This package contains additional userspace utilities to assist with profile management:
emerge --ask sys-apps/apparmor-utils
- sys-libs/libapparmor - The core library to support the userspace utilities
- sec-policy/apparmor-profiles - A collection of pre-built profiles contributed by the AppArmor community
If AppArmor was not selected as the default security module, and the boot parameter was not set to the default value in the kernel configuration, AppArmor must be manually enabled at boot time.
title=Gentoo with AppArmor root (hd0,0) kernel /vmlinuz root=/dev/sda2 apparmor=1 security=apparmor
Apply changes by running:
grub-mkconfig -o /boot/grub/grub.cfg
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but some may prefer to do it manually:
none /sys/kernel/security securityfs defaults 0 0
Adding AppArmor to boot runlevel:
rc-update add apparmor boot
Enabling the service will load all profiles on startup:
systemctl enable apparmor.service
Working with profiles
Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - they may be organized as desired.
abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
Profiles are referred to by name, including any parent subdirectories if present.
The init script will automatically load all profiles located in the profile directory. Unless specified otherwise, each profile will be loaded in enforce mode.
To activate a profile, simply set it to enforce mode:
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Similarly, to deactivate a profile, simply set it to complain mode:
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
The current status profiles may be viewed using aa-status:
apparmor module is loaded. 6 profiles are loaded. 5 profiles are in enforce mode. /bin/ping /sbin/klogd /sbin/syslog-ng /usr/sbin/dnsmasq /usr/sbin/identd 1 profiles are in complain mode. /usr/sbin/lspci 1 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/dnsmasq (12905) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
AppArmor can grab kernel audit logs from the userspace auditd daemon, allowing profile generation. To generate new profiles, the Audit framework should be installed and running:
emerge --ask --verbose sys-process/audit
rc-update add auditd default
rc-service auditd start
systemctl enable auditd.service
systemctl start auditd.service
New AppArmor profiles can be generated by utilizing aa-genprof:
Run the executable in a different terminal window and exercise its full functionality, then go back and [S]can, and either [A]llow or [D]eny. Press [F]inish to save the profile.
The aa-logprof utility can be used to scan log files for AppArmor audit messages, review them and update the profiles if the program is misbehaving after generating an initial profile. From a terminal: