Diff for "AppArmor"


Differences between revisions 3 and 51 (spanning 48 versions)
Revision 3 as of 2007-06-20 20:50:52
Size: 2789
Editor: 206-248-181-179
Comment:
Revision 51 as of 2020-07-05 02:06:39
Size: 7826
Editor: jjohansen
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;">'''Contents'''[[BR]][[TableOfContents(2)]]|| #title AppArmor
#language en
#format wiki
#pragma section-numbers off

||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents(2)>>||
Line 4: Line 9:
Line 7: Line 11:
AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe. Further information about AppArmor can be found on the AppArmor project's [[http://wiki.apparmor.net|wiki]].
Line 10: Line 14:

== Ubuntu 7.04 (Feisty), Ubuntu 7.10 (Gutsy) ==
AppArmor is installed and loaded by default since Ubuntu 8.04 LTS. Some packages will install their own '''enforcing''' profiles. Additional profiles can be found in the package ''apparmor-profiles'' from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor

=== Install additional AppArmor profiles ===
Line 14: Line 18:
 * Install ''apparmor-modules-source'' and ''module-assistant'' packages. See InstallingSoftware.
 * Compile the apparmor kernel module :
{{{
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
}}}
 * Install ''apparmor-profiles'', ''apparmor-utils'' and ''apparmor'' packages. See InstallingSoftware.

=== Installing the latest version on feisty ===
To install the latest apparmor packages on feisty, the packages have to be rebuilt.
See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].

=== Kernel upgrade ===
When a new kernel is installed, the apparmor module has to be recompiled :
{{{
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
}}}

In order to make sure that all running processes are protected, the system has to be rebooted.
 * Install ''[[apt:apparmor-profiles|apparmor-profiles]]''. Click the link to install, or see InstallingSoftware for more installation options.
Line 37: Line 22:

All the commands should be executed from a terminal.
All of the following commands should be executed from a terminal.
Line 41: Line 25:

{{{
sudo apparmor_status
}}}

== Put a profile in complain mode / Disable a profile ==
{{{
sudo aa-status
}}}

== Put a profile in complain mode ==
Line 58: Line 40:
== Put all profiles into complain mode / Disable all profiles ==

{{{
sudo aa-complain /etc/apparmor.d/*
}}}

== Put a profile in enforce mode / Enable a profile ==
== Put a profile in enforce mode ==
Line 75: Line 51:
== Put all profiles in enforce mode / Enable all profiles ==

{{{
sudo aa-enforce /etc/apparmor.d/*
}}}
Line 82: Line 52:

{{{
sudo /etc/init.d/apparmor kill
Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (eg to use SELinux instead), users can:

{{{
sudo systemctl stop apparmor
sudo systemctl disable apparmor
}}}

On Ubuntu systems prior to Ubuntu 16.04 LTS:

{{{
sudo invoke-rc.d apparmor stop
Line 88: Line 66:
To disable !AppArmor in the kernel to either:
 * adjust your kernel boot command line (see ```/etc/default/grub```) to include either
 ** 'apparmor=0'
 ** 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, eg. 'security="selinux"'
 * remove the ```apparmor``` package with your package manager. Do not 'purge' apparmor if you think you might want to reenable AppArmor at a later date
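Review bot: "To disable !AppArmor in the kernel to either:" is a sentence fragment; suggest "To disable AppArmor in the kernel, either:". The two sub-items written as " ** " render with a literal asterisk (the rendered page shows them as "• * 'apparmor=0'"); indent them as nested list items instead. Also "reenable" should be "re-enable".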

Line 89: Line 74:

{{{
sudo /etc/init.d/apparmor start
!AppArmor is enabled by default. If you used the above procedures, to disable it, you can re-enable it by:
 * ensure !AppArmor is not disabled in ```/etc/default/grub``` if using Ubuntu kernels, or if using non-Ubuntu kernels, that ```/etc/default/grub ``` has ```apparmor=1 security=apparmor```
 * ensuring that the ```apparmor``` package is installed
 * enabling the systemd unit: ```sudo systemctl enable apparmor && sudo systemctl start apparmor```
 * for systems prior to Ubuntu 16.04 LTS:
{{{
sudo invoke-rc.d apparmor start
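Review bot: "If you used the above procedures, to disable it, you can re-enable it by:" has the comma in the wrong place; suggest "If you used the above procedures to disable it, you can re-enable it by:". The list mixes "ensure" with "ensuring" and "enabling"; use one form throughout. The code span ```/etc/default/grub ``` carries a trailing space inside the backticks, which shows up as a double space in the rendered text.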
Line 96: Line 85:

{{{
sudo /etc/init.d/apparmor reload
{{{
sudo service apparmor reload
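Review bot: this hunk replaces `/etc/init.d/apparmor reload` with `service apparmor reload`, while the enable/disable hunks in the same revision use `systemctl` and give `invoke-rc.d` only for systems before 16.04; either give the `systemctl` form here as well or say why `service` is the command used for reloading, so the reader knows which to type on which release.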
Line 102: Line 90:

{{{
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
}}}

Example:
{{{
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r
}}}
{{{
sudo apparmor_parser -r /etc/apparmor.d/profile.name
}}}

Example:
{{{
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
}}}

== Disable one profile ==
{{{
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
}}}

Example:
{{{
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping
}}}

== Enable one profile ==
By default, profiles are enabled (ie loaded into the kernel and applied to processes).
{{{
sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name
}}}

Example:
{{{
sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
}}}

The ```aa-enforce``` command can also be used to enable a profile:
{{{
sudo aa-enforce /etc/apparmor.d/bin.ping
}}}

= Profile customization =

Profiles can found in {{{/etc/apparmor.d}}}. These are simple text files and can be edited either with a text editor, or by using {{{aa-logprof}}}.

Some customization can be made in {{{/etc/apparmor.d/tunables/}}}. When updating profiles, it is important to use these when appropriate. For example, rather than using a rule like:{{{
  /home/*/ r,
}}}use:{{{
  @{HOME}/ r,
}}}

After updating a profile, be sure to reload it (see above).



= FAQ =
== aa-status reports processes that are unconfined but have a profile defined ==
Restart the listed processes. Rebooting will also fix the problem.

AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started. But running processes won't be protected by AppArmor. Either restarting the processes or rebooting will fix this.

== How can I enable AppArmor for Firefox? ==
Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default.

You can enable it using the following command:
{{{
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
}}}

== How do I make AppArmor work with a non-standard HOME directory? ==
The location of home directories can be tuned in {{{/etc/apparmor.d/tunables/home}}}.

With Ubuntu 10.04 LTS and above, you can set home directory locations using {{{sudo dpkg-reconfigure apparmor}}}.

<<Anchor(newprofile)>>
= Creating a new profile =
== Design a test plan ==
Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.

Some standard test cases are :
 * starting the program
 * stopping the program
 * reloading the program
 * testing all the command supported by the init script
In the case of graphical programs, your test cases should also include anything you normally do. Downloading and opening files, saving files, uploading files, using plugins, saving configurations changes, and launching other programs are all possibilities.

== Generate the new profile ==
Use ''aa-genprof'' to generate a new profile.

From a terminal, use the command ''aa-genprof'':
{{{
sudo aa-genprof executable
}}}

Example:
{{{
sudo aa-genprof slapd
}}}

The man page has more information: {{{man aa-genprof}}}.

== Include your new profile in apparmor-profiles package ==
To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the [[https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug|AppArmor package]]:
  * Include your test plan and testcases.
  * Attach your new profile to the bug.

== Migrating an apparmor-profiles profile to a package ==
Please see https://wiki.ubuntu.com/ApparmorProfileMigration

<<Anchor(updateprofile)>>
= Update profiles =
When the program is misbehaving, audit messages are sent to the log files. The program ''aa-logprof'' can be used to scan log files for AppArmor audit messages, review them and update the profiles.
{{{
sudo aa-logprof
}}}

The man page has more information : {{{man aa-logprof}}}

= Debug AppArmor problems =
When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
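Review bot: the "Enable one profile" section opens with "By default, profiles are enabled" but its commands (`rm /etc/apparmor.d/disable/profile.name` then `apparmor_parser -r`) only make sense for a profile that was disabled with the symlink from the preceding section; say so ("To re-enable a profile disabled as above:"), otherwise the `rm` step fails for readers who never disabled anything. Smaller points in the same hunk: "Profiles can found in" is missing "be"; "testing all the command supported by the init script" should be "commands"; "saving configurations changes" should be "configuration changes"; and "The man page has more information : {{{man aa-logprof}}}" has a stray space before the colon and no closing period, unlike the aa-genprof sentence above it.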
Line 113: Line 210:

[http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks] : detailed usage of apparmor.
 * [[https://wiki.ubuntu.com/AppArmor|AppArmor in Ubuntu information]]
 * [[http://wiki.apparmor.net|AppArmor upstream wiki]]
 * [[https://gitlab.com/apparmor/apparmor/-/wikis/Documentation|AppArmor upstream documentation]]

= External Links =
Line 117: Line 217:
CategoryDocumentation

Introduction

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.

Further information about AppArmor can be found on the AppArmor project's wiki.

Installation

AppArmor is installed and loaded by default since Ubuntu 8.04 LTS. Some packages will install their own enforcing profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor

Install additional AppArmor profiles

Usage

All of the following commands should be executed from a terminal.

List the current status of apparmor

sudo aa-status

Put a profile in complain mode

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put a profile in enforce mode

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Disable AppArmor framework

Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (e.g. to use SELinux instead), users can:

sudo systemctl stop apparmor
sudo systemctl disable apparmor

On Ubuntu systems prior to Ubuntu 16.04 LTS:

sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove

To disable AppArmor in the kernel, either:

  • adjust your kernel boot command line (see /etc/default/grub) to include either
      • apparmor=0
      • security=XXX, where XXX can be "" to disable AppArmor or the name of an alternative LSM, e.g. security="selinux"

  • remove the apparmor package with your package manager. Do not purge apparmor if you think you might want to re-enable AppArmor at a later date.

Enable AppArmor framework

AppArmor is enabled by default. If you used the above procedures to disable it, you can re-enable it by:

  • ensuring AppArmor is not disabled in /etc/default/grub if using Ubuntu kernels, or, if using non-Ubuntu kernels, that /etc/default/grub has apparmor=1 security=apparmor

  • ensuring that the apparmor package is installed

  • enabling the systemd unit: sudo systemctl enable apparmor && sudo systemctl start apparmor

  • for systems prior to Ubuntu 16.04 LTS:

sudo invoke-rc.d apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo service apparmor reload

Reload one profile

sudo apparmor_parser -r /etc/apparmor.d/profile.name

Example:

sudo apparmor_parser -r /etc/apparmor.d/bin.ping

Disable one profile

sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

Example:

sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping

Enable one profile

By default, profiles are enabled (i.e. loaded into the kernel and applied to processes). To re-enable a profile that was disabled as above:

sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name

Example:

sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping

The aa-enforce command can also be used to enable a profile:

sudo aa-enforce /etc/apparmor.d/bin.ping

Profile customization

Profiles can be found in /etc/apparmor.d. These are plain text files and can be edited either with a text editor or by using aa-logprof.

Some customization can be made via the tunables in /etc/apparmor.d/tunables/. When updating profiles, use these tunables rather than hardcoded paths wherever one applies. For example, rather than using a rule like:

  /home/*/ r,

use:

  @{HOME}/ r,

After updating a profile, be sure to reload it (see above).
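The rule above is the one the page gives. As an added example (not from the Ubuntu wiki or the AppArmor project), the following shell lint scans a profile for rules that hardcode /home/*/ and prints the @{HOME} rewrite, so the tunable is applied before the profile is reloaded. The sample profile it runs on is constructed here, and the function names lint_home_paths and count_home_paths are my own.

```shell
#!/bin/sh
# Added example: lint a profile for rules that hardcode /home/*/ where the
# @{HOME} tunable (from /etc/apparmor.d/tunables/home) should be used.
# Not from the Ubuntu wiki or the AppArmor project.

# Print "LINE: rule  ->  rewrite" for each rule whose path starts with
# /home/*/, optionally after the "owner" qualifier. Reads the profile on
# stdin and exits 1 if anything was flagged, so it can gate a commit hook.
lint_home_paths() {
  awk '
    /^[ \t]*(owner[ \t]+)?\/home\/\*\// {
      fixed = $0
      sub(/\/home\/\*\//, "@{HOME}/", fixed)
      printf "%d: %s  ->  %s\n", NR, $0, fixed
      hits++
    }
    END { if (hits > 0) exit 1 }'
}

# Number of flagged rules, as a plain integer (0 when the profile is clean).
count_home_paths() {
  lint_home_paths | grep -c . || true
}

# Constructed sample profile: two rules hardcode /home/*/, one already uses @{HOME}.
SAMPLE_PROFILE=$(cat <<'EOF'
#include <tunables/global>
/usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  /home/*/ r,
  owner /home/*/.config/example/** rw,
  @{HOME}/.cache/example/ rw,
}
EOF
)

# Demo run: lists the two offending rules with their rewrites, then the count.
printf '%s\n' "$SAMPLE_PROFILE" | lint_home_paths \
  || echo "flagged $(printf '%s\n' "$SAMPLE_PROFILE" | count_home_paths) rule(s); rewrite them, then reload the profile"
```

Run it as `lint_home_paths < /etc/apparmor.d/profile.name`; a non-zero exit means the profile still has hardcoded home paths. Only the literal /home/*/ prefix is rewritten, because @{HOME} also covers /root/, so turning a /root/ rule into @{HOME}/ would widen it.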

FAQ

aa-status reports processes that are unconfined but have a profile defined

Restart the listed processes. Rebooting will also fix the problem.

AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, AppArmor is started, but processes that were already running are not protected by it. Either restarting those processes or rebooting will fix this.

How can I enable AppArmor for Firefox?

Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default.

You can enable it using the following command:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

How do I make AppArmor work with a non-standard HOME directory?

The location of home directories can be tuned in /etc/apparmor.d/tunables/home.

With Ubuntu 10.04 LTS and above, you can set home directory locations using sudo dpkg-reconfigure apparmor.

Creating a new profile

Design a test plan

Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.

Some standard test cases are:

  • starting the program
  • stopping the program
  • reloading the program
  • testing all the commands supported by the init script

In the case of graphical programs, your test cases should also include anything you normally do. Downloading and opening files, saving files, uploading files, using plugins, saving configuration changes, and launching other programs are all possibilities.

Generate the new profile

Use aa-genprof to generate a new profile.

From a terminal, use the command aa-genprof:

sudo aa-genprof executable

Example:

sudo aa-genprof slapd

The man page has more information: man aa-genprof.

Include your new profile in apparmor-profiles package

To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

  • Include your test plan and testcases.
  • Attach your new profile to the bug.

Migrating an apparmor-profiles profile to a package

Please see https://wiki.ubuntu.com/ApparmorProfileMigration

Update profiles

When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.

sudo aa-logprof

The man page has more information: man aa-logprof.
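As an added example (not part of the wiki page or of the AppArmor tools), this shell snippet does a first-pass triage of the audit messages that aa-logprof consumes: it pulls the profile, operation, target and requested mask out of kernel audit lines and counts denials per profile. A profile in complain mode logs its would-be denials as apparmor="ALLOWED" while enforce mode logs apparmor="DENIED", so the summary keeps both; capability checks carry capname= instead of name=, which the parser handles. The log lines are constructed for the example and the function names are my own.

```shell
#!/bin/sh
# Added example: first-pass triage of AppArmor audit messages (the same
# events aa-logprof reads). Not from the Ubuntu wiki or the AppArmor project.

# Constructed sample of kernel audit lines in the format the kernel emits;
# three DENIED events (enforce mode), one ALLOWED event (complain mode) and
# one unrelated line that the parser must ignore.
SAMPLE_LOG=$(cat <<'EOF'
Jul  5 02:06:39 host kernel: [ 120.001] audit: type=1400 audit(1593914799.001:41): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/shadow" pid=1201 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul  5 02:06:40 host kernel: [ 120.002] audit: type=1400 audit(1593914800.002:42): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/log/slapd.log" pid=1201 comm="slapd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul  5 02:06:41 host kernel: [ 120.003] audit: type=1400 audit(1593914801.003:43): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/alice/.bashrc" pid=2222 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul  5 02:06:42 host kernel: [ 120.004] audit: type=1400 audit(1593914802.004:44): apparmor="DENIED" operation="capable" profile="/bin/ping" pid=2300 comm="ping" capability=13 capname="net_raw"
Jul  5 02:06:43 host kernel: [ 120.005] unrelated kernel message, not an AppArmor event
EOF
)

# Print one line per AppArmor event: STATUS PROFILE OPERATION TARGET MASK.
# Reads log text on stdin, or from the files given as arguments.
summarize_apparmor_log() {
  awk '
    # Value of a space-delimited key="value" field, or "" when absent.
    function field(key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match($0, re)) return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    / apparmor="(DENIED|ALLOWED)"/ {
      status = field("apparmor")
      target = field("name")
      # capability checks carry capname= rather than name=
      if (target == "") { target = field("capname"); if (target != "") target = "cap:" target }
      if (target == "") target = "-"
      mask = field("requested_mask")
      if (mask == "") mask = "-"
      print status, field("profile"), field("operation"), target, mask
    }' "$@"
}

# DENIED events per profile, most frequent first: the noisiest enforcing
# profile is the one to put into complain mode and run aa-logprof against.
count_denials_by_profile() {
  summarize_apparmor_log "$@" | awk '$1 == "DENIED" { n[$2]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_log
printf '%s\n' "$SAMPLE_LOG" | count_denials_by_profile
```

On a real system feed it the kernel log, for example `summarize_apparmor_log /var/log/kern.log` or `journalctl -k | summarize_apparmor_log`; the ALLOWED lines are exactly the events aa-logprof will ask about when you run it on a complain-mode profile.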

Debug AppArmor problems

When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor

Resources

External Links


AppArmor (last edited 2020-07-05 02:06:39 by jjohansen)