Introduction
AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.
Installation
Ubuntu 7.10 (Gutsy)
- Enable the Universe repository.
- Install the apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.
Ubuntu 7.04 (Feisty)
AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.
- Enable the Universe repository.
- Install the apparmor-modules-source and module-assistant packages. See InstallingSoftware.
- Compile the apparmor kernel module:
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
- Install the apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.
Installing the latest version on feisty
To install the latest apparmor packages on feisty, the packages have to be rebuilt. See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].
Kernel upgrade / apparmor-module-source upgrade
When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled:
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
In order to make sure that all running processes are protected, the system has to be rebooted.
Usage
All the commands should be executed from a terminal.
List the current status of apparmor
sudo apparmor_status
Put a profile in complain mode
sudo aa-complain /path/to/bin
Example:
sudo aa-complain /bin/ping
Put all profiles into complain mode
sudo aa-complain /etc/apparmor.d/*
Put a profile in enforce mode
sudo aa-enforce /path/to/bin
Example:
sudo aa-enforce /bin/ping
Put all profiles in enforce mode
sudo aa-enforce /etc/apparmor.d/*
Disable AppArmor framework
sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove
Enable AppArmor framework
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .
Reload all profiles
sudo /etc/init.d/apparmor reload
Reload one profile
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
Example:
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r
Disable one profile
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
Example:
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping
Enable one profile
By default, profiles are enabled (i.e. loaded into the kernel and applied to processes). To re-enable a profile that was disabled as above, remove the symlink from the disable directory and load the profile again:
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
Example:
sudo rm /etc/apparmor.d/disable/bin.ping
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -a
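The "Disable one profile" and "Enable one profile" procedures above, combined into one POSIX sh script that checks the profile exists, keeps the disable symlink idempotent, and reports the current marker state. This is an added example, not a script from the Ubuntu wiki or the AppArmor project; APPARMOR_DIR and APPARMOR_PARSER are assumed override variables (defaulting to the paths the page uses) so the functions can be exercised against a scratch directory before being run as root on a real system.

```shell
#!/bin/sh
# Added example: toggle a single AppArmor profile between disabled and enabled
# using the page's procedure (symlink in disable/, apparmor_parser -R / -a).
set -eu

# Assumed overrides; the defaults match the page (/etc/apparmor.d, apparmor_parser).
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# aa_profile_disable NAME: create the disable marker and unload the profile
# from the kernel. Returns 1 if the profile file does not exist.
aa_profile_disable() {
    name="$1"
    profile="$APPARMOR_DIR/$name"
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    mkdir -p "$APPARMOR_DIR/disable"
    # Idempotent: a second run must not fail because the symlink already exists.
    [ -L "$APPARMOR_DIR/disable/$name" ] || ln -s "$profile" "$APPARMOR_DIR/disable/"
    "$APPARMOR_PARSER" -R "$profile"
}

# aa_profile_enable NAME: remove the disable marker and load the profile.
# Passing the file path is equivalent to the page's "cat profile | apparmor_parser -a".
aa_profile_enable() {
    name="$1"
    profile="$APPARMOR_DIR/$name"
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    rm -f "$APPARMOR_DIR/disable/$name"
    "$APPARMOR_PARSER" -a "$profile"
}

# aa_profile_is_disabled NAME: exit 0 if the disable marker is present, 1 otherwise.
aa_profile_is_disabled() {
    [ -L "$APPARMOR_DIR/disable/$1" ]
}

# Command-line use (run as root): ./script.sh disable bin.ping | enable bin.ping
if [ "$#" -ge 2 ]; then
    case "$1" in
        disable) aa_profile_disable "$2" ;;
        enable)  aa_profile_enable "$2" ;;
        *) echo "usage: $0 disable|enable profile.name" >&2; exit 2 ;;
    esac
fi
```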
Resources
[http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks]: detailed usage of apparmor.