Revision 8 as of 2007-07-11 08:49:20


Introduction

AppArmor is a Linux Security Module (LSM) implementation of name-based (path-based) mandatory access control. AppArmor confines individual programs to a listed set of files and POSIX 1003.1e draft capabilities.

AppArmor first became available for Ubuntu in Ubuntu 7.04 (Feisty), in the Universe repository.

Installation

Ubuntu 7.10 (Gutsy)

  • Enable the Universe repository.
  • Install apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.

Ubuntu 7.04 (Feisty)

AppArmor is not included in the Feisty kernel by default; the kernel module has to be compiled manually.

  • Enable the Universe repository.
  • Install apparmor-modules-source and module-assistant packages. See InstallingSoftware.

  • Compile the apparmor kernel module:

sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

Installing the latest version

To install the latest apparmor packages on feisty, the packages have to be rebuilt. See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].

Kernel upgrade / apparmor-modules-source upgrade

When a new kernel is installed, or when a new version of apparmor-modules-source is installed, the apparmor module has to be recompiled against the running kernel:

sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

Then reboot: only processes started after the new module is loaded are confined, so a reboot is the only way to be sure every running process is protected.

Usage

All the commands should be executed from a terminal.

List the current status of apparmor

sudo apparmor_status

Put a profile in complain mode

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put all profiles into complain mode

sudo aa-complain /etc/apparmor.d/*

Put a profile in enforce mode

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Put all profiles in enforce mode

sudo aa-enforce /etc/apparmor.d/*
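Both aa-complain and aa-enforce (from apparmor-utils) work by rewriting the flags on the profile's header line in /etc/apparmor.d and then reloading that profile into the kernel. The following shell example, added here and not part of the original page or of the apparmor-utils code, reproduces that header rewrite on a constructed minimal profile so the effect of each command can be inspected; the function names set_profile_mode and profile_mode are this example's own.

```shell
# Added example (not part of the original wiki page): what aa-complain and
# aa-enforce do to a profile file. Both tools rewrite the flags on the profile
# header line and then reload the profile; this reproduces the rewrite on
# stdin -> stdout so the change can be inspected before reloading.

# Constructed minimal profile for /bin/ping in AppArmor profile syntax.
# It is a sample for this example, not the profile shipped in apparmor-profiles.
SAMPLE_PROFILE='#include <tunables/global>

/bin/ping {
  #include <abstractions/base>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}'

# set_profile_mode complain|enforce: read a profile on stdin, print it with
# the header line switched to the requested mode. Only the first profile
# header (a line starting with the program path and ending in "{") is touched.
# Simplification: any other flags already present on the header are dropped.
set_profile_mode() {
    case "$1" in
        complain|enforce) ;;
        *) echo "usage: set_profile_mode complain|enforce" >&2; return 2 ;;
    esac
    awk -v mode="$1" '
        !seen && /^[\/"].*\{[ \t]*$/ {
            sub(/[ \t]+flags=\([^)]*\)/, "")          # drop existing flags=(...)
            if (mode == "complain")
                sub(/[ \t]*\{[ \t]*$/, " flags=(complain) {")
            seen = 1
        }
        { print }
    '
}

# profile_mode: report which mode the profile read on stdin is in,
# judged from the flags on its header line.
profile_mode() {
    awk '
        !seen && /^[\/"].*\{[ \t]*$/ {
            if ($0 ~ /flags=\([^)]*complain[^)]*\)/) print "complain"
            else print "enforce"
            seen = 1
        }
    '
}

# Round trip on the sample: enforce -> complain -> enforce, header line only.
printf '%s\n' "$SAMPLE_PROFILE" | set_profile_mode complain | grep '^/bin/ping'
printf '%s\n' "$SAMPLE_PROFILE" | set_profile_mode complain | set_profile_mode enforce | grep '^/bin/ping'
```

On a live system the rewritten file still has to be loaded into the kernel; aa-complain and aa-enforce do that for you, whereas a hand-edited profile needs a `sudo apparmor_parser -r /etc/apparmor.d/bin.ping` afterwards.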

Disable AppArmor framework

sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove

Enable AppArmor framework

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo /etc/init.d/apparmor reload

Reload one profile

sudo apparmor_parser -r /etc/apparmor.d/profile.name

Example:

sudo apparmor_parser -r /etc/apparmor.d/bin.ping

Disable one profile

sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

Example:

sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping

Enable one profile

By default, profiles are enabled (i.e. loaded into the kernel and applied to processes).

sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -a /etc/apparmor.d/profile.name

Example:

sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -a /etc/apparmor.d/bin.ping

FAQ

apparmor_status reports processes that are unconfined but have a profile defined

Restart the listed processes. Rebooting also fixes the problem.

AppArmor attaches a profile to a program when it is executed, so it can only confine processes that were started after the kernel module (and the profile) were loaded. After the apparmor packages are installed, AppArmor is started, but processes that were already running stay unconfined even though a profile exists for them. Either restart those processes or reboot.
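The following shell example, added here and not part of the original page, parses an apparmor_status report for exactly this case and lists the affected PIDs so the right services can be restarted instead of rebooting. The status text is a constructed sample that approximates the tool's output layout; the function names unconfined_with_profile and restart_hints are this example's own.

```shell
# Added example (not part of the original wiki page): parse the output of
# apparmor_status and list the processes it reports as unconfined although a
# profile exists for them, so those services can be restarted one by one.

# Constructed sample of apparmor_status output. The layout approximates the
# tool's report; on a real system feed it the output of: sudo apparmor_status
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /bin/ping
   /usr/sbin/cupsd
   /usr/sbin/ntpd
   /usr/sbin/sshd
0 profiles are in complain mode.
3 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/ntpd (1234)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (2345)
   /usr/sbin/sshd (2401)'

# unconfined_with_profile: read apparmor_status output on stdin and print one
# "<pid> <path>" line per entry listed under the "unconfined but have a
# profile defined" heading. Prints nothing when that count is 0.
unconfined_with_profile() {
    awk '
        # the heading opens the section; the entries that follow are indented
        /processes are unconfined but have a profile defined/ { in_section = 1; next }
        # the next non-indented line is another summary line: section is over
        in_section && $0 !~ /^[ \t]/ { in_section = 0 }
        in_section && /\([0-9]+\)/ {
            path = $1
            pid = $0
            sub(/.*\(/, "", pid)   # drop everything up to the opening paren
            sub(/\).*/, "", pid)   # drop the closing paren and beyond
            print pid, path
        }
    '
}

# restart_hints: one line of advice per unconfined process. Restarting the
# program makes the kernel apply its profile on the new exec; nothing is
# restarted here, the advice is only printed.
restart_hints() {
    unconfined_with_profile | while read -r pid path; do
        printf 'restart %s (pid %s) so its profile is applied on the new exec\n' "$path" "$pid"
    done
}

printf '%s\n' "$SAMPLE_STATUS" | unconfined_with_profile
printf '%s\n' "$SAMPLE_STATUS" | restart_hints
```

Run against the real report with `sudo apparmor_status | unconfined_with_profile`; each listed path is a service whose init script should be restarted (or whose process should be stopped and started again) so that the profile attaches on the fresh exec.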

Resources

[http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks] : detailed usage of apparmor.


CategoryDocumentation