Introduction
AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.
Installation
Ubuntu 7.10 (Gutsy)
- Enable the Universe repository.
- Install the apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.
Ubuntu 7.04 (Feisty)
AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.
- Enable the Universe repository.
- Install the apparmor-modules-source and module-assistant packages. See InstallingSoftware.
- Compile the apparmor kernel module:
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
- Install the apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.
Installing the latest version on Feisty
To install the latest apparmor packages on Feisty, the packages have to be rebuilt. See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].
Kernel upgrade / apparmor-module-source upgrade
When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled:
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
In order to make sure that all running processes are protected, the system has to be rebooted.
Usage
All the commands should be executed from a terminal.
List the current status of apparmor
sudo apparmor_status
Put a profile in complain mode / Disable a profile
sudo aa-complain /path/to/bin
Example:
sudo aa-complain /bin/ping
Put all profiles into complain mode / Disable all profiles
sudo aa-complain /etc/apparmor.d/*
Put a profile in enforce mode / Enable a profile
sudo aa-enforce /path/to/bin
Example:
sudo aa-enforce /bin/ping
Put all profiles in enforce mode / Enable all profiles
sudo aa-enforce /etc/apparmor.d/*
Disable AppArmor framework
sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove
Enable AppArmor framework
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .
Reload all profiles
sudo /etc/init.d/apparmor reload
Reload one profile
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
Example:
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r
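Since a profile in complain mode only logs violations rather than blocking them, it is worth checking periodically that nothing was left in complain mode after debugging. The script below is an added example, not part of this wiki page: it parses the output format of `apparmor_status` shown by the commands above and prints the `aa-enforce` command for every profile still in complain mode. The status text is a constructed sample; on a real system replace it with the output of `sudo apparmor_status`.

```shell
#!/bin/sh
# Constructed sample of `sudo apparmor_status` output (not captured from a real host).
# On a live system use:  STATUS="$(sudo apparmor_status)"
STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/sbin/ntpd
2 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/cupsd (4040)
1 processes are in complain mode.
   /usr/sbin/ntpd (3981)
0 processes are unconfined but have a profile defined.'

# Read apparmor_status output on stdin and print the profile paths listed
# under the "N profiles are in <mode> mode." heading. $1 is "enforce" or "complain".
# The "N processes ..." headings end the profile sections, so PIDs are never printed.
profiles_in_mode() {
    awk -v mode="$1" '
        /^[0-9]+ profiles are in / { section = ($0 ~ ("in " mode " mode")); next }
        /^[0-9]+ processes /       { section = 0 }
        section && /^ +\//        { print $1 }
    '
}

# Print one "sudo aa-enforce <profile>" line per complain-mode profile,
# i.e. the command from this page that puts the profile back into enforce mode.
suggest_enforce() {
    printf '%s\n' "$STATUS" | profiles_in_mode complain | while read -r p; do
        echo "sudo aa-enforce $p"
    done
}

suggest_enforce
```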
Resources
[http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks]: detailed usage of apparmor.