<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6.1. AppArmor</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.6.1. AppArmor</h1>
<p>Check the <a href="linux.html#configure">kernel configuration</a>, or
use the one provided with the <a href="reboot.html#linux">linux-gnu</a> port,
for AppArmor support. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforces rules on applications based
on security policies.</p>
<h2 id="install">2.6.1.1 Install</h2>
<p>User space tools are provided by the apparmor port
and its dependencies; install them;</p>
<pre>
$ sudo prt-get depinst apparmor
</pre>
<p>Enable AppArmor on the kernel command line by creating /etc/default/grub with;</p>
<pre>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</pre>
<p>Add SecurityFS to /etc/fstab;</p>
<pre>
none /sys/kernel/security securityfs defaults 0 0
</pre>
<p>Check status;</p>
<pre>
# apparmor_status
</pre>
<p>Utilities;</p>
<pre>
aa-audit aa-disable aa-genprof aa-status
aa-autodep aa-easyprof aa-logprof aa-unconfined
aa-cleanprof aa-enabled aa-mergeprof
aa-complain aa-enforce aa-notify
aa-decode aa-exec aa-remove-unknown
</pre>
<h2 id="configure">2.6.1.2 Configure</h2>
<p>Profiles are located in /etc/apparmor.d/, while
/usr/share/apparmor/extra-profiles contains profiles
that still require testing;</p>
<pre>
# cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
# rm /etc/apparmor.d/README
# bash /etc/rc.d/apparmor restart
</pre>
<h2 id="profiles">2.6.1.3 Profiles</h2>
<p>Profiles are parsed using
apparmor_parser;</p>
<pre>
Usage: apparmor_parser [options] [profile]
Options:
--------
-a, --add Add apparmor definitions [default]
-r, --replace Replace apparmor definitions
-R, --remove Remove apparmor definitions
-C, --Complain Force the profile into complain mode
-B, --binary Input is precompiled profile
-N, --names Dump names of profiles in input.
-S, --stdout Dump compiled profile to stdout
-o n, --ofile n Write output to file n
-b n, --base n Set base dir and cwd
-I n, --Include n Add n to the search path
-f n, --subdomainfs n Set location of apparmor filesystem
-m n, --match-string n Use only features n
-M n, --features-file n Use only features in file n
-n n, --namespace n Set Namespace for the profile
-X, --readimpliesX Map profile read permissions to mr
-k, --show-cache Report cache hit/miss details
-K, --skip-cache Do not attempt to load or save cached profiles
-T, --skip-read-cache Do not attempt to load cached profiles
-W, --write-cache Save cached profile (force with -T)
--skip-bad-cache Don't clear cache if out of sync
--purge-cache Clear cache regardless of its state
--debug-cache Debug cache file checks
-L, --cache-loc n Set the location of the profile cache
-q, --quiet Don't emit warnings
-v, --verbose Show profile names as they load
-Q, --skip-kernel-load Do everything except loading into kernel
-V, --version Display version info and exit
-d [n], --debug Debug apparmor definitions OR [n]
-p, --preprocess Dump preprocessed profile
-D [n], --dump Dump internal info for debugging
-O [n], --Optimize Control dfa optimizations
-h [cmd], --help[=cmd] Display this text or info about cmd
-j n, --jobs n Set the number of compile threads
--max-jobs n Hard cap on --jobs. Default 8*cpus
--abort-on-error Abort processing of profiles on first error
--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
--warn n Enable warnings (see --help=warn)
</pre>
<h2 id="audit">2.6.1.4 Profile with audit</h2>
<p>The profiling tools use the kernel log as their source to build profiles, so
the log rate limit must be disabled;</p>
<pre>
# sysctl -w kernel.printk_ratelimit=0
</pre>
<p>Start aa-genprof;</p>
<pre>
$ sudo aa-genprof /usr/bin/lynx
</pre>
<p>Exercise the application with all of its commonly used options
and features. After the initial automatic configuration, enable the profile in
complain mode;</p>
<pre>
$ sudo aa-complain lynx
</pre>
<p>Use aa-logprof when rules need to be adapted;</p>
<pre>
# aa-logprof -f /var/log/kernel
</pre>
<p>Reload profile with the new settings;</p>
<pre>
# apparmor_parser -r lynx
</pre>
<p>Once the profile rules are well defined, enable the profile in
enforce mode with aa-enforce.</p>
<p>Monitor the logs with aa-notify;</p>
<pre>
# aa-notify --file=/var/log/kernel -u username -l
</pre>
<p>And keep adjusting the rules with logprof;</p>
<pre>
# aa-logprof -f /var/log/kernel
</pre>
<p>AppArmor will offer several options, such as;</p>
<dl>
<dt>Inherit ix</dt><dd>Creates a rule denoted by ix within the profile, which causes the executed binary to inherit permissions from the parent profile.</dd>
<dt>Child cx</dt><dd>Creates a rule denoted by cx within the profile; it requires a sub-profile to be created within the parent profile, and rules must be generated separately for this child (prompts will appear when running scans on the parent).</dd>
</dl>
<h2 id="edit">2.6.1.5 Edit profiles</h2>
<h3>File Globbing</h3>
<dl>
<dt>/dir/file</dt><dd>match a specific file</dd>
<dt>/dir/*</dt><dd>match any files in a directory (including dot files)</dd>
<dt>/dir/a*</dt><dd>match any file in a directory starting with 'a'</dd>
<dt>/dir/*.png</dt><dd>match any file in a directory ending with '.png'</dd>
<dt>/dir/[^.]*</dt><dd>match any file in a directory except dot files</dd>
<dt>/dir/</dt><dd>match a directory</dd>
<dt>/dir/*/</dt><dd>match any directory within /dir/</dd>
<dt>/dir/a*/</dt><dd>match any directory within /dir/ starting with a</dd>
<dt>/dir/*a/</dt><dd>match any directory within /dir/ ending with a</dd>
<dt>/dir/**</dt><dd>match any file or directory in or below /dir/</dd>
<dt>/dir/**/</dt><dd>match any directory in or below /dir/</dd>
<dt>/dir/**[^/]</dt><dd>match any file in or below /dir/</dd>
<dt>/dir{,1,2}/**</dt><dd>match any file or directory in or below /dir/, /dir1/, and /dir2/</dd>
</dl>
<h3>File Permissions</h3>
<dl>
<dt>r</dt><dd>read</dd>
<dt>w</dt><dd>write</dd>
<dt>a</dt><dd>append (implied by w)</dd>
<dt>m</dt><dd>memory map executable</dd>
<dt>k</dt><dd>lock (requires r or w, AppArmor 2.1 and later)</dd>
<dt>l</dt><dd>link</dd>
<dt>x</dt><dd>execute</dd>
</dl>
<dl>
<dt>ux</dt><dd>Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases</dd>
<dt>Ux</dt><dd>Execute unconfined (scrub the environment)</dd>
<dt>px</dt><dd>Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases</dd>
<dt>Px</dt><dd>Execute under a specific profile (scrub the environment)</dd>
<dt>pix</dt><dd>as px but fallback to inheriting the current profile if the target profile is not found</dd>
<dt>Pix</dt><dd>as Px but fallback to inheriting the current profile if the target profile is not found</dd>
<dt>pux</dt><dd>as px but fallback to executing unconfined if the target profile is not found</dd>
<dt>Pux</dt><dd>as Px but fallback to executing unconfined if the target profile is not found</dd>
<dt>ix</dt><dd>Execute and inherit the current profile</dd>
<dt>cx</dt><dd>Execute and transition to a child profile (preserve the environment)</dd>
<dt>Cx</dt><dd>Execute and transition to a child profile (scrub the environment)</dd>
<dt>cix</dt><dd>as cx but fallback to inheriting the current profile if the target profile is not found</dd>
<dt>Cix</dt><dd>as Cx but fallback to inheriting the current profile if the target profile is not found</dd>
<dt>cux</dt><dd>as cx but fallback to executing unconfined if the target profile is not found</dd>
<dt>Cux</dt><dd>as Cx but fallback to executing unconfined if the target profile is not found</dd>
</dl>
<p>The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).</p>
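<p>The following is an added example (not code from this documentation or from the AppArmor project) that applies the globbing table, the file permission letters, the exec modes and the owner qualifier above: it translates AppArmor file globs into regular expressions and evaluates a small set of constructed rules against a requested path and permission, default-deny like the real policy engine. Abstractions, includes and variables are out of scope.</p>

```python
import re

# Constructed rules (not from the page) written as 'path perms' the way they would
# appear inside a profile body; abstractions and includes are not handled here.
RULES = [
    "/usr/bin/lynx mr",
    "/etc/lynx.cfg r",
    "/usr/lib/** mr",
    "/tmp/** rwk",
    "owner /home/*/.lynx/** rw",
    "/usr/bin/gzip Cx",
    "/bin/sh Pux",
]

def glob_to_regex(pattern):
    """AppArmor glob -> anchored regex: * stops at '/', ** crosses it, [..] is a
    character class and {a,b} an alternation. Unlike the shell, * matches dot files."""
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        if c == "*":
            out += "[^/]*"
        elif c == "[":                              # copy the class verbatim
            j = pattern.index("]", i)
            out, i = out + pattern[i:j + 1], j
        elif c == "{":                              # {a,b} -> (?:a|b)
            j = pattern.index("}", i)
            out, i = out + "(?:%s)" % "|".join(map(re.escape, pattern[i + 1:j].split(","))), j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")

def check(rules, path, perm, is_owner=True):
    """Return the letter or exec mode (ix, Px, Cux, ...) granting `perm` on `path`, else
    None: AppArmor is default-deny. 'a' is implied by 'w'; 'owner' needs fsuid == uid."""
    for rule in rules:
        pattern, perms = rule.split()[-2:]
        if (rule.startswith("owner ") and not is_owner) or not glob_to_regex(pattern).match(path):
            continue
        mode = perms.lstrip("rwamkl")               # what remains is the exec mode
        if perm == "x" and mode:
            return mode
        if perm in perms or (perm == "a" and "w" in perms):
            return perm
    return None
```

<p>check(RULES, "/home/alice/.lynx/cookies", "w", is_owner=False) returns None because the only matching rule is owner-qualified, while the same call with is_owner=True returns "w".</p>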
<p>Read <a href="https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage">Profile Language</a> for more information.</p>
<h2 id="speedup">2.6.1.6 Speedup startup</h2>
<p>Every time AppArmor loads a profile from text it has to
compile it into binary format, which takes some time when
there are many profiles to load at boot. To enable the profile cache,
edit /etc/apparmor/parser.conf;</p>
<pre>
## Turn creating/updating of the cache on by default
write-cache
</pre>
<p>To change the default cache location, add;</p>
<pre>
cache-loc=/var/cache/apparmor
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the Tribu System Documentation.
Copyright (C) 2020
Tribu Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>