<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6.1. AppArmor</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.6.1. AppArmor</h1>
<p>Check the <a href="linux.html#configure">kernel configuration</a> for AppArmor support, or use the kernel provided by the <a href="reboot.html#linux">linux-gnu</a> port. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforces rules on applications based on security policies. The user-space tools are provided by the apparmor port and its dependencies, so install them;</p>
<pre>
$ sudo prt-get depinst apparmor
</pre>
<p>Enable AppArmor on the kernel command line by creating (or editing) /etc/default/grub;</p>
<pre>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</pre>
<p>Add SecurityFS to /etc/fstab;</p>
<pre>
none /sys/kernel/security securityfs defaults 0 0
</pre>
<p>Check the status;</p>
<pre>
# apparmor_status
</pre>
<p>Utilities;</p>
<pre>
aa-audit      aa-disable   aa-genprof         aa-status
aa-autodep    aa-easyprof  aa-logprof         aa-unconfined
aa-cleanprof  aa-enabled   aa-mergeprof
aa-complain   aa-enforce   aa-notify
aa-decode     aa-exec      aa-remove-unknown
</pre>
<h2 id="profiles">Profiles</h2>
<p>Profiles are located in /etc/apparmor.d/; /usr/share/apparmor/extra-profiles contains additional profiles that still require testing. To use them, copy them over and restart apparmor;</p>
<pre>
# cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
# sudo rm /etc/apparmor.d/README
# bash /etc/rc.d/apparmor restart
</pre>
<p>Profiles are parsed using apparmor_parser;</p>
<pre>
Usage: apparmor_parser [options] [profile]

Options:
--------
-a, --add                 Add apparmor definitions [default]
-r, --replace             Replace apparmor definitions
-R, --remove              Remove apparmor definitions
-C, --Complain            Force the profile into complain mode
-B, --binary              Input is precompiled profile
-N, --names               Dump names of profiles in input.
-S, --stdout              Dump compiled profile to stdout
-o n, --ofile n           Write output to file n
-b n, --base n            Set base dir and cwd
-I n, --Include n         Add n to the search path
-f n, --subdomainfs n     Set location of apparmor filesystem
-m n, --match-string n    Use only features n
-M n, --features-file n   Use only features in file n
-n n, --namespace n       Set Namespace for the profile
-X, --readimpliesX        Map profile read permissions to mr
-k, --show-cache          Report cache hit/miss details
-K, --skip-cache          Do not attempt to load or save cached profiles
-T, --skip-read-cache     Do not attempt to load cached profiles
-W, --write-cache         Save cached profile (force with -T)
    --skip-bad-cache      Don't clear cache if out of sync
    --purge-cache         Clear cache regardless of its state
    --debug-cache         Debug cache file checks
-L, --cache-loc n         Set the location of the profile cache
-q, --quiet               Don't emit warnings
-v, --verbose             Show profile names as they load
-Q, --skip-kernel-load    Do everything except loading into kernel
-V, --version             Display version info and exit
-d [n], --debug           Debug apparmor definitions OR [n]
-p, --preprocess          Dump preprocessed profile
-D [n], --dump            Dump internal info for debugging
-O [n], --Optimize        Control dfa optimizations
-h [cmd], --help[=cmd]    Display this text or info about cmd
-j n, --jobs n            Set the number of compile threads
    --max-jobs n          Hard cap on --jobs. Default 8*cpus
    --abort-on-error      Abort processing of profiles on first error
    --skip-bad-cache-rebuild  Do not try rebuilding the cache if it is rejected by the kernel
    --warn n              Enable warnings (see --help=warn)
</pre>
<h3 id="auto_profiles">Create profile with audit</h3>
<p>The tools use the kernel log as their source for building profiles, so the log rate limit must be disabled first;</p>
<pre>
# sysctl -w kernel.printk_ratelimit=0
</pre>
<p>Start aa-genprof;</p>
<pre>
$ sudo aa-genprof /usr/bin/lynx
</pre>
<p>Exercise the application with all of its common options and features. After the initial automatic configuration, enable the profile in complain mode.
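</p>
<p>As an added illustration (not part of the Hive documentation and not the real aa-logprof code), the Python below does in miniature what aa-logprof does with the kernel log: it parses AppArmor DENIED audit lines, folds repeated events into one file rule per path, and drops the rules into the profile skeleton used in the manual-profile section below. The log lines, the lynx paths and the mapping of create/delete denials to w are constructed assumptions for this example; unlike aa-logprof it ignores complain-mode ALLOWED lines.</p>

```python
import re
from collections import defaultdict

# key="value" or key=value fields of a kernel audit line (type=1400 is AppArmor).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Profile syntax has no create/delete letters: creating or deleting needs w.
MASK_MAP = {"c": "w", "d": "w"}

# Constructed /var/log/kernel lines for this example, not a real capture.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="open" profile="lynx" name="/etc/hosts" pid=4242 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="open" profile="lynx" name="/usr/etc/lynx.cfg" pid=4242 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.103:13): apparmor="DENIED" operation="mknod" profile="lynx" name="/home/user/.lynx_cookies" pid=4242 comm="lynx" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.104:14): apparmor="ALLOWED" operation="open" profile="lynx" name="/etc/resolv.conf" pid=4242 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.105:15): apparmor="DENIED" operation="open" profile="lynx" name="/etc/hosts" pid=4243 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

def parse_line(line):
    """Return the audit fields of one line as a dict (quotes stripped), or None."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def collect_denials(log_text):
    """Map profile -> path -> needed permission letters; DENIED file events only."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only DENIED events with a path become rules (capability denials have no name).
        if ev and ev.get("apparmor") == "DENIED" and "name" in ev:
            perms = {MASK_MAP.get(c, c) for c in ev["denied_mask"]}
            denials[ev["profile"]][ev["name"]].update(perms)
    return denials

def suggest_rules(denials, profile):
    """Render file rules in AppArmor syntax, sorted so the output is stable."""
    return [f'  {path} {"".join(sorted(perms))},'
            for path, perms in sorted(denials[profile].items())]

def build_profile(name, exe, rules):
    """Wrap the rules in the skeleton from the 'Create profile manually' section."""
    return ("#include <tunables/global>\n\n"
            f"profile {name} {exe} {{\n  #include <abstractions/base>\n"
            + "\n".join(rules) + "\n}\n")

if __name__ == "__main__":
    print(build_profile("lynx", "/usr/bin/lynx",
                        suggest_rules(collect_denials(SAMPLE_LOG), "lynx")))
```
<p>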
Use aa-logprof when the rules need to be adapted;</p>
<pre>
# aa-logprof -f /var/log/kernel
</pre>
<p>Once the profile rules are well defined, enable the profile in enforce mode with aa-enforce.</p>
<p>Monitor the logs with aa-notify;</p>
<pre>
# aa-notify --file=/var/log/kernel -u username -l
</pre>
<p>And keep adjusting the rules with aa-logprof;</p>
<pre>
# aa-logprof -f /var/log/kernel
</pre>
<h3 id="man_profiles">Create profile manually</h3>
<p>To create a new profile, say for lynx, first find where the application is;</p>
<pre>
$ whereis lynx
lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
</pre>
<p>Now create a file in /etc/apparmor.d named after the path to the executable;</p>
<pre>
# vim /etc/apparmor.d/usr.bin.lynx
</pre>
<p>Create the basic profile template;</p>
<pre>
#include &lt;tunables/global&gt;

profile lynx /usr/bin/lynx {
  #include &lt;abstractions/base&gt;
}
</pre>
<h3>Speed up profile loading</h3>
<p>Every time AppArmor loads a profile from text it has to compile it into binary form, which takes time when many profiles are loaded at boot. To enable the cache, edit /etc/apparmor/parser.conf;</p>
<pre>
## Turn creating/updating of the cache on by default
write-cache
</pre>
<p>To change the default cache location, add;</p>
<pre>
cache-loc=/var/cache/apparmor
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p>
</body>
</html>