diff options
Diffstat (limited to 'core/apparmor.html')
-rw-r--r-- | core/apparmor.html | 255 |
1 files changed, 0 insertions, 255 deletions
diff --git a/core/apparmor.html b/core/apparmor.html deleted file mode 100644 index fcb34fe..0000000 --- a/core/apparmor.html +++ /dev/null @@ -1,255 +0,0 @@ -<!DOCTYPE html> -<html dir="ltr" lang="en"> - <head> - <meta charset='utf-8'> - <title>2.6.1. AppArmor</title> - </head> - <body> - - <a href="index.html">Core OS Index</a> - - <h1>2.6.1. AppArmor</h1> - - <p>Check <a href="linux.html#configure">kernel configuration</a> or - use the provided with <a href="reboot.html#linux">linux-gnu</a> port - to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based - on security policies.</p> - - - <h2 id="install">2.6.1.1 Install</h2> - - <p>User space tools are provided by apparmor port - and its dependencies, install them;</p> - - <pre> - $ sudo prt-get depinst apparmor - </pre> - - <p>Enable apparmor on linux by command line, create /etc/default/grub;</p> - - <pre> - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" - </pre> - - <p>Add SecurityFS to /etc/fstab;</p> - - <pre> - none /sys/kernel/security securityfs defaults 0 0 - </pre> - - <p>Check status;</p> - - <pre> - # apparmor_status - </pre> - - <p>Utilities;</p> - - <pre> - aa-audit aa-disable aa-genprof aa-status - aa-autodep aa-easyprof aa-logprof aa-unconfined - aa-cleanprof aa-enabled aa-mergeprof - aa-complain aa-enforce aa-notify - aa-decode aa-exec aa-remove-unknown - </pre> - - <h2 id="configure">6.2.1.2 Configure</h2> - - <p>Profiles are located at /etc/apparmor.d/ and - /usr/share/apparmor/extra-profiles contain profiles - that require testing;</p> - - <pre> - # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ - # sudo rm /etc/apparmor.d/README - # bash /etc/rc.d/apparmor restart - </pre> - - <h2 id="profiles">6.2.1.3 Profiles</h2> - - <p>Profiles are parsed using - apparmor_parser;</p> - - <pre> - Usage: apparmor_parser [options] [profile] - - Options: - -------- - -a, --add Add apparmor definitions [default] - -r, --replace Replace apparmor definitions - -R, --remove Remove apparmor definitions - -C, --Complain Force the profile into complain mode - -B, --binary Input is precompiled profile - -N, --names Dump names of profiles in input. - -S, --stdout Dump compiled profile to stdout - -o n, --ofile n Write output to file n - -b n, --base n Set base dir and cwd - -I n, --Include n Add n to the search path - -f n, --subdomainfs n Set location of apparmor filesystem - -m n, --match-string n Use only features n - -M n, --features-file n Use only features in file n - -n n, --namespace n Set Namespace for the profile - -X, --readimpliesX Map profile read permissions to mr - -k, --show-cache Report cache hit/miss details - -K, --skip-cache Do not attempt to load or save cached profiles - -T, --skip-read-cache Do not attempt to load cached profiles - -W, --write-cache Save cached profile (force with -T) - --skip-bad-cache Don't clear cache if out of sync - --purge-cache Clear cache regardless of its state - --debug-cache Debug cache file checks - -L, --cache-loc n Set the location of the profile cache - -q, --quiet Don't emit warnings - -v, --verbose Show profile names as they load - -Q, --skip-kernel-load Do everything except loading into kernel - -V, --version Display version info and exit - -d [n], --debug Debug apparmor definitions OR [n] - -p, --preprocess Dump preprocessed profile - -D [n], --dump Dump internal info for debugging - -O [n], --Optimize Control dfa optimizations - -h [cmd], --help[=cmd] Display this text or info about cmd - -j n, --jobs n Set the number of compile threads - --max-jobs n Hard cap on --jobs. Default 8*cpus - --abort-on-error Abort processing of profiles on first error - --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel - --warn n Enable warnings (see --help=warn) - </pre> - - <h2 id="audit">2.6.1.4 Profile with audit</h2> - - <p>Tools use log as a source to build profiles, it is - necessary to disable log rate limit;</p> - - <pre> - # sysctl -w kernel.printk_ratelimit=0 - </pre> - - <p>Start aa-genprof;</p> - - <pre> - $ sudo aa-genprof /usr/bin/lynx - </pre> - - <p>Execute application with all common application options - and parts. After initial automatic configuration enable profile in - complain mode.</p> - - <pre> - $ sudo aa-complain lynx - </pre> - - <p>Use aa-logprof when rules need to be adapted.</p> - - <pre> - # aa-logprof -f /var/log/kernel - </pre> - - <p>Reload profile with the new settings;</p> - - <pre> - # apparmor_parser -r lynx - </pre> - - <p>Once profile rules become well defined enable profile in - enforce mode with aa-enforce;</p> - - <p>Monitor logs with aa-notify;</p> - - <pre> - # aa-notify --file=/var/log/kernel -u username -l - </pre> - - <p>And keep adjusting the rules with logprof;</p> - - <pre> - # aa-logprof -f /var/log/kernel - </pre> - - <p>Apparmor will give several options such as;</p> - - <dl> - <dt>Inherit ix</dt><dd>Creates a rule that is denoted by ix within the profile, causes the executed binary to inherit permissions from the parent profile.</dd> - <dt>Child cx</dt><dd>Creates a rule that is denoted by within the profile, requires a sub-profile to be created within the parent profile and rules must be separately generated for this child (prompts will appear when running scans on the parent).</dd> - </dl> - - <h2 id="edit">2.6.1.5 Edit profiles</h2> - - <h3>File Globing</h3> - - <dl> - <dt>/dir/file</dt><dd>match a specific file</dd> - <dt>/dir/*</dt><dd>match any files in a directory (including dot files)</dd> - <dt>/dir/a*</dt><dd>match any file in a directory starting with 'a'</dd> - <dt>/dir/*.png</dt><dd>match any file in a directory ending with '.png'</dd> - <dt>/dir/[^.]*</dt><dd>match any file in a directory except dot files</dd> - <dt>/dir/</dt><dd>match a directory</dd> - <dt>/dir/*/</dt><dd>match any directory within /dir/</dd> - <dt>/dir/a*/</dt><dd>match any directory within /dir/ starting with a</dd> - <dt>/dir/*a/</dt><dd>match any directory within /dir/ ending with a</dd> - <dt>/dir/**</dt><dd>match any file or directory in or below /dir/</dd> - <dt>/dir/**/</dt><dd>match any directory in or below /dir/</dd> - <dt>/dir/**[^/]</dt><dd>match any file in or below /dir/</dd> - <dt>/dir{,1,2}/**</dt><dd> - match any file or directory in or below /dir/, /dir1/, and /dir2/</dd> - </dl> - - <h3>File Permissions</h3> - - <dl> - <dt>r</dt><dd>read</dd> - <dt>w</dt><dd>write</dd> - <dt>a</dt><dd>append (implied by w)</dd> - <dt>m</dt><dd>memory map executable</dd> - <dt>k</dt><dd>lock (requires r or w, AppArmor 2.1 and later)</dd> - <dt>l</dt><dd>link</dd> - - <dt>x</dt><dd>execute</dd> - </dl> - - <dl> - <dt>ux</dt><dd>Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases</dd> - <dt>Ux</dt><dd>Execute unconfined (scrub the environment)</dd> - <dt>px</dt><dd>Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases</dd> - <dt>Px</dt><dd>Execute under a specific profile (scrub the environment)</dd> - <dt>pix</dt><dd>as px but fallback to inheriting the current profile if the target profile is not found</dd> - <dt>Pix</dt><dd>as Px but fallback to inheriting the current profile if the target profile is not found</dd> - <dt>pux</dt><dd>as px but fallback to executing unconfined if the target profile is not found</dd> - <dt>Pux</dt><dd>as Px but fallback to executing unconfined if the target profile is not found</dd> - <dt>ix<dt><dd>Execute and inherit the current profile</dd> - <dt>cx<dt><dd>Execute and transition to a child profile (preserve the environment)</dd> - <dt>Cx<dt><dd>Execute and transition to a child profile (scrub the environment)</dd> - <dt>cix<dt><dd>as cx but fallback to inheriting the current profile if the target profile is not found</dd> - <dt>Cix<dt><dd>as Cx but fallback to inheriting the current profile if the target profile is not found</dd> - <dt>cux<dt><dd>as cx but fallback to executing unconfined if the target profile is not found</dd> - <dt>Cux<dt><dd>as Cx but fallback to executing unconfined if the target profile is not found</dd> - </dl> - - <p>The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).</p> - - <p>Read <a href="https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage">Profile Language</a> for more information.</p> - - <h2 id="speedup">2.6.1.6 Speedup startup</h2> - - <p>Every time apparmor loads a profile in text it needs - to compile into binary format, this takes some time if - there is many profiles to load at boot time. To optimize - edit /etc/apparmor/parser.conf;</p> - - <pre> - ## Turn creating/updating of the cache on by default - write-cache - </pre> - - <p>To change default location add;</p> - - <pre> - chache-loc=/var/cache/apparmor - </pre> - - <a href="index.html">Core OS Index</a> - <p>This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> - - </body> -</html> |