Introduction

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities.

Further information about AppArmor can be found on the AppArmor project's wiki.

Installation

AppArmor is installed and loaded by default since Ubuntu 8.04 LTS. Some packages will install their own enforcing profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor

Install additional AppArmor profiles

Usage

All of the following commands should be executed from a terminal.

List the current status of apparmor

sudo aa-status

Put a profile in complain mode

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put a profile in enforce mode

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Disable AppArmor framework

Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (eg to use SELinux instead), users can:

sudo systemctl stop apparmor
sudo systemctl disable apparmor

On Ubuntu systems prior to Ubuntu 16.04 LTS:

sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove

To disable AppArmor in the kernel to either:

  • adjust your kernel boot command line (see /etc/default/grub) to include either

  • * 'apparmor=0'
  • * 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, eg. 'security="selinux"'

  • remove the apparmor package with your package manager. Do not 'purge' apparmor if you think you might want to reenable AppArmor at a later date

Enable AppArmor framework

AppArmor is enabled by default. If you used the above procedures, to disable it, you can re-enable it by:

  • ensure AppArmor is not disabled in /etc/default/grub if using Ubuntu kernels, or if using non-Ubuntu kernels, that /etc/default/grub  has apparmor=1 security=apparmor

  • ensuring that the apparmor package is installed

  • enabling the systemd unit: sudo systemctl enable apparmor && sudo systemctl start apparmor

  • for systems prior to Ubuntu 16.04 LTS:

sudo invoke-rc.d apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo service apparmor reload

Reload one profile

sudo apparmor_parser -r /etc/apparmor.d/profile.name

Example:

sudo apparmor_parser -r /etc/apparmor.d/bin.ping

Disable one profile

sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

Example:

sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping

Enable one profile

By default, profiles are enabled (ie loaded into the kernel and applied to processes).

sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name

Example:

sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping

The aa-enforce command can also be used to enable a profile:

sudo aa-enforce /etc/apparmor.d/bin.ping

Profile customization

Profiles can found in /etc/apparmor.d. These are simple text files and can be edited either with a text editor, or by using aa-logprof.

Some customization can be made in /etc/apparmor.d/tunables/. When updating profiles, it is important to use these when appropriate. For example, rather than using a rule like:

  /home/*/ r,

use:

  @{HOME}/ r,

After updating a profile, be sure to reload it (see above).

FAQ

aa-status reports processes that are unconfined but have a profile defined

Restart the listed processes. Rebooting will also fix the problem.

AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started. But running processes won't be protected by AppArmor. Either restarting the processes or rebooting will fix this.

How can I enable AppArmor for Firefox?

Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default.

You can enable it using the following command:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

How do I make AppArmor work with a non-standard HOME directory?

The location of home directories can be tuned in /etc/apparmor.d/tunables/home.

With Ubuntu 10.04 LTS and above, you can set home directory locations using sudo dpkg-reconfigure apparmor.

Creating a new profile

Design a test plan

Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.

Some standard test cases are :

  • starting the program
  • stopping the program
  • reloading the program
  • testing all the command supported by the init script

In the case of graphical programs, your test cases should also include anything you normally do. Downloading and opening files, saving files, uploading files, using plugins, saving configurations changes, and launching other programs are all possibilities.

Generate the new profile

Use aa-genprof to generate a new profile.

From a terminal, use the command aa-genprof:

sudo aa-genprof executable

Example:

sudo aa-genprof slapd

The man page has more information: man aa-genprof.

Include your new profile in apparmor-profiles package

To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

  • Include your test plan and testcases.
  • Attach your new profile to the bug.

Migrating an apparmor-profiles profile to a package

Please see https://wiki.ubuntu.com/ApparmorProfileMigration

Update profiles

When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.

sudo aa-logprof

The man page has more information : man aa-logprof

Debug AppArmor problems

When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor

Resources

External Links


AppArmor (last edited 2018-01-22 21:55:16 by jdstrand)