Revision 3 as of 2007-06-20 20:50:52


Introduction

AppArmor is a Linux Security Module (LSM) implementation of name-based (path-based) access controls. AppArmor confines individual programs to a listed set of files and POSIX 1003.1e draft capabilities.

AppArmor first became available in Ubuntu 7.04, in the Universe repository.

Installation

Ubuntu 7.04 (Feisty), Ubuntu 7.10 (Gutsy)

  • Enable the Universe repository.
  • Install the apparmor-modules-source and module-assistant packages. See InstallingSoftware.

  • Compile the apparmor kernel module:

sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

Installing the latest version on Feisty

To install the latest apparmor packages on Feisty, the packages have to be rebuilt. See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].

Kernel upgrade

When a new kernel is installed, the apparmor module has to be recompiled against it:

sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

To make sure that all running processes are protected, reboot the system after installing the rebuilt module.

Usage

All the commands should be executed from a terminal.

List the current status of AppArmor

sudo apparmor_status

Put a profile in complain mode / Disable a profile

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put all profiles into complain mode / Disable all profiles

sudo aa-complain /etc/apparmor.d/*

Put a profile in enforce mode / Enable a profile

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Put all profiles in enforce mode / Enable all profiles

sudo aa-enforce /etc/apparmor.d/*
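What aa-complain and aa-enforce actually change is the header line of the profile file: aa-complain adds flags=(complain) before the opening brace and aa-enforce removes it, after which the profile is reloaded with apparmor_parser -r. The script below is an added illustration of that edit, not code from this page or from the AppArmor project. It works on a constructed sample profile in a temporary directory (modelled on the shape of /etc/apparmor.d/bin.ping, but not the real Ubuntu profile) so it runs on a machine without AppArmor; the function names profile_mode, set_complain, set_enforce and list_modes are the author's own, and the script does not reload anything.

```shell
#!/bin/sh
# Added illustration of the profile-header edit performed by aa-complain /
# aa-enforce. Not part of the Ubuntu wiki page or the AppArmor tools.
set -eu

# Rewrite FILE in place with an ERE sed script, preserving the file's mode.
_rewrite() {
    tmp=$(mktemp)
    sed -E "$2" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# profile_mode FILE -> prints "complain" if the top-level profile header
# (a line starting with "/") carries flags=(...complain...), else "enforce".
profile_mode() {
    if grep -Eq '^/[^#]*flags=\([^)]*complain[^)]*\)[^#]*\{[[:space:]]*$' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# set_complain FILE: add "complain" to the header flags (the aa-complain edit).
# If a flags=(...) list already exists, "complain" is prepended to it;
# otherwise " flags=(complain)" is inserted before the opening brace.
set_complain() {
    [ "$(profile_mode "$1")" = complain ] && return 0
    _rewrite "$1" '/^\/.*\{[[:space:]]*$/{
s/flags=\(/flags=(complain,/
/flags=\(/!s/[[:space:]]*\{[[:space:]]*$/ flags=(complain) {/
}'
}

# set_enforce FILE: remove "complain" from the header flags (the aa-enforce edit).
set_enforce() {
    _rewrite "$1" '/^\/.*\{[[:space:]]*$/{
s/[[:space:]]*flags=\(complain\)//
s/\(complain,/(/
s/,complain\)/)/
}'
}

# list_modes DIR: one "mode path" line per profile file, so profiles left in
# complain mode (i.e. not enforced) can be spotted at a glance.
list_modes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        echo "$(profile_mode "$f") $f"
    done
}

# write_sample_profile FILE: constructed sample profile (not the real bin.ping).
write_sample_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>
/bin/ping {
  #include <abstractions/base>
  capability net_raw,
  capability setuid,
  /bin/ping mixr,
  /etc/modules.conf r,
}
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_profile "$dir/bin.ping"
    echo "initial:            $(profile_mode "$dir/bin.ping")"
    set_complain "$dir/bin.ping"
    echo "after set_complain: $(profile_mode "$dir/bin.ping")"
    sed -n '2p' "$dir/bin.ping"          # shows "/bin/ping flags=(complain) {"
    set_enforce "$dir/bin.ping"
    echo "after set_enforce:  $(profile_mode "$dir/bin.ping")"
    list_modes "$dir"
    rm -rf "$dir"
}

demo
```

On a real system the edited profile still has to be loaded into the kernel; that is the apparmor_parser -r step shown under "Reload one profile" below, and it needs root. A complain-mode profile only logs what it would have denied, so list_modes run against /etc/apparmor.d is a quick way to confirm that nothing was left unenforced after testing.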

Disable AppArmor framework

sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove

Enable AppArmor framework

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo /etc/init.d/apparmor reload

Reload one profile

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

Example:

cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r

Resources

[http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks]: detailed usage of AppArmor.


CategoryDocumentation