Diffstat (limited to 'core/apparmor.html')
-rw-r--r-- | core/apparmor.html | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/core/apparmor.html b/core/apparmor.html new file mode 100644 index 0000000..e44acef --- /dev/null +++ b/core/apparmor.html 
@@ -0,0 +1,106 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2.1. AppArmor</title> + </head> + <body> + + <a href="index.html">Core OS Index</a> + + <h1>2.2.1. AppArmor</h1> + + <p>Check <a href="linux.html#configure">kernel configuration</a> or + use the provided with <a href="reboot.html#linux">linux-gnu</a> port + to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based + on security policies. User space tools are provided by apparmor port + and its dependencies, install them;</p> + + <pre> + $ sudo prt-get depinst apparmor + </pre> + + <p>Enable apparmor on linux by command line, create /etc/default/grub;</p> + + <pre> + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" + </pre> + + <p>Add SecurityFS to /etc/fstab;</p> + + <pre> + none /sys/kernel/security securityfs defaults 0 0 + </pre> + + <p>Check status;</p> + + <pre> + # apparmor_status + </pre> + + <p>Utilities;</p> + + <pre> + aa-audit aa-disable aa-genprof aa-status + aa-autodep aa-easyprof aa-logprof aa-unconfined + aa-cleanprof aa-enabled aa-mergeprof + aa-complain aa-enforce aa-notify + aa-decode aa-exec aa-remove-unknown + </pre> + + <p>apparmor_parser options;</p> + + <pre> + Usage: apparmor_parser [options] [profile] + + Options: + -------- + -a, --add Add apparmor definitions [default] + -r, --replace Replace apparmor definitions + -R, --remove Remove apparmor definitions + -C, --Complain Force the profile into complain mode + -B, --binary Input is precompiled profile + -N, --names Dump names of profiles in input. 
+ -S, --stdout Dump compiled profile to stdout + -o n, --ofile n Write output to file n + -b n, --base n Set base dir and cwd + -I n, --Include n Add n to the search path + -f n, --subdomainfs n Set location of apparmor filesystem + -m n, --match-string n Use only features n + -M n, --features-file n Use only features in file n + -n n, --namespace n Set Namespace for the profile + -X, --readimpliesX Map profile read permissions to mr + -k, --show-cache Report cache hit/miss details + -K, --skip-cache Do not attempt to load or save cached profiles + -T, --skip-read-cache Do not attempt to load cached profiles + -W, --write-cache Save cached profile (force with -T) + --skip-bad-cache Don't clear cache if out of sync + --purge-cache Clear cache regardless of its state + --debug-cache Debug cache file checks + -L, --cache-loc n Set the location of the profile cache + -q, --quiet Don't emit warnings + -v, --verbose Show profile names as they load + -Q, --skip-kernel-load Do everything except loading into kernel + -V, --version Display version info and exit + -d [n], --debug Debug apparmor definitions OR [n] + -p, --preprocess Dump preprocessed profile + -D [n], --dump Dump internal info for debugging + -O [n], --Optimize Control dfa optimizations + -h [cmd], --help[=cmd] Display this text or info about cmd + -j n, --jobs n Set the number of compile threads + --max-jobs n Hard cap on --jobs. Default 8*cpus + --abort-on-error Abort processing of profiles on first error + --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel + --warn n Enable warnings (see --help=warn) + </pre> + # + + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2018 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> |
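Review bot: the GRUB step is incomplete, so the kernel will still boot with AppArmor disabled. The hunk only writes `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"` into `/etc/default/grub`; that file is only consumed when grub.cfg is regenerated, so a step such as `# grub-mkconfig -o /boot/grub/grub.cfg` (the usual path, to be confirmed for this port) plus a reboot belongs before "Check status;", otherwise the new command line never takes effect and the following check will not show AppArmor enabled. The wording "create /etc/default/grub" should also read "edit": the line expands `$GRUB_CMDLINE_LINUX_DEFAULT`, so it assumes the file already exists, and recreating it would discard whatever it already contains. Minor: the stray `+ #` line after the apparmor_parser `</pre>` renders as a literal "#" on the page and should be dropped, and "AppArmor enforce rules" should be "enforces".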