path: root/core/apparmor.html
Diffstat (limited to 'core/apparmor.html')
-rw-r--r--  core/apparmor.html  402
1 files changed, 224 insertions, 178 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index 8e057de..22b5183 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -1,202 +1,248 @@
 <!DOCTYPE html>
 <html dir="ltr" lang="en">
     <head>
-        <meta charset='utf-8'>
-        <title>2.6.1. AppArmor</title>
+	<meta charset='utf-8'>
+	<title>2.6.1. AppArmor</title>
     </head>
     <body>
 
-        <a href="index.html">Core OS Index</a>
+	<a href="index.html">Core OS Index</a>
 
-        <h1>2.6.1. AppArmor</h1>
+	<h1>2.6.1. AppArmor</h1>
 
-        <p>Check <a href="linux.html#configure">kernel configuration</a> or
-        use the provided with <a href="reboot.html#linux">linux-gnu</a> port
-        to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based
-        on security policies. User space tools are provided by apparmor port
-        and its dependencies, install them;</p>
+	<p>Check <a href="linux.html#configure">kernel configuration</a> or
+	use the provided with <a href="reboot.html#linux">linux-gnu</a> port
+	to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based
+	on security policies.</p>
 
-        <pre>
-        $ sudo prt-get depinst apparmor
-        </pre>
 
-        <p>Enable apparmor on linux by command line, create /etc/default/grub;</p>
+	<h2 id="install">2.6.1.1 Install</h2>
 
-        <pre>
-        GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
-        </pre>
+	<p>User space tools are provided by apparmor port
+	and its dependencies, install them;</p>
 
-        <p>Add SecurityFS to /etc/fstab;</p>
+	<pre>
+	$ sudo prt-get depinst apparmor
+	</pre>
 
-        <pre>
-        none /sys/kernel/security securityfs defaults 0 0
-        </pre>
+	<p>Enable apparmor on linux by command line, create /etc/default/grub;</p>
 
-        <p>Check status;</p>
+	<pre>
+	GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
+	</pre>
 
-        <pre>
-        # apparmor_status
-        </pre>
+	<p>Add SecurityFS to /etc/fstab;</p>
 
-        <p>Utilities;</p>
+	<pre>
+	none /sys/kernel/security securityfs defaults 0 0
+	</pre>
 
-        <pre>
-        aa-audit           aa-disable         aa-genprof         aa-status
-        aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
-        aa-cleanprof       aa-enabled         aa-mergeprof
-        aa-complain        aa-enforce         aa-notify
-        aa-decode          aa-exec            aa-remove-unknown
-        </pre>
+	<p>Check status;</p>
 
-        <h2 id="profiles">Profiles</h2>
+	<pre>
+	# apparmor_status
+	</pre>
 
-	<p>Profiles are located at /etc/apparmor.d/ and
-        /usr/share/apparmor/extra-profiles contain profiles
-        that require testing;</p>
-
-        <pre>
-        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
-        # sudo rm /etc/apparmor.d/README
-        # bash /etc/rc.d/apparmor restart
-        </pre>
-
-        <p>Profiles are parsed using
-        apparmor_parser;</p>
-
-        <pre>
-        Usage: apparmor_parser [options] [profile]
-
-        Options:
-        --------
-        -a, --add               Add apparmor definitions [default]
-        -r, --replace           Replace apparmor definitions
-        -R, --remove            Remove apparmor definitions
-        -C, --Complain          Force the profile into complain mode
-        -B, --binary            Input is precompiled profile
-        -N, --names             Dump names of profiles in input.
-        -S, --stdout            Dump compiled profile to stdout
-        -o n, --ofile n         Write output to file n
-        -b n, --base n          Set base dir and cwd
-        -I n, --Include n       Add n to the search path
-        -f n, --subdomainfs n   Set location of apparmor filesystem
-        -m n, --match-string n  Use only features n
-        -M n, --features-file n Use only features in file n
-        -n n, --namespace n     Set Namespace for the profile
-        -X, --readimpliesX      Map profile read permissions to mr
-        -k, --show-cache        Report cache hit/miss details
-        -K, --skip-cache        Do not attempt to load or save cached profiles
-        -T, --skip-read-cache   Do not attempt to load cached profiles
-        -W, --write-cache       Save cached profile (force with -T)
-            --skip-bad-cache    Don't clear cache if out of sync
-            --purge-cache       Clear cache regardless of its state
-            --debug-cache       Debug cache file checks
-        -L, --cache-loc n       Set the location of the profile cache
-        -q, --quiet             Don't emit warnings
-        -v, --verbose           Show profile names as they load
-        -Q, --skip-kernel-load  Do everything except loading into kernel
-        -V, --version           Display version info and exit
-        -d [n], --debug         Debug apparmor definitions OR [n]
-        -p, --preprocess        Dump preprocessed profile
-        -D [n], --dump          Dump internal info for debugging
-        -O [n], --Optimize      Control dfa optimizations
-        -h [cmd], --help[=cmd]  Display this text or info about cmd
-        -j n, --jobs n          Set the number of compile threads
-        --max-jobs n            Hard cap on --jobs. Default 8*cpus
-        --abort-on-error        Abort processing of profiles on first error
-        --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
-        --warn n                Enable warnings (see --help=warn)
-        </pre>
-
-        <h3 id="auto_profiles">Create profile with audit</h3>
-
-        <p>Tools use log as a source to build profiles, it is
-        necessary to disable log rate limit;</p>
-
-        <pre>
-        # sysctl -w kernel.printk_ratelimit=0
-        </pre>
-
-        <p>Start aa-genprof;</p>
-
-        <pre>
-        $ sudo aa-genprof /usr/bin/lynx
-        </pre>
-
-        <p>Execute application with all common application options
-        and parts. After initial automatic configuration enable profile in
-        complain mode. Use aa-logprof when rules need to be adapted.</p>
-
-        <pre>
-        # aa-logprof -f /var/log/kernel
-        </pre>
-
-        <p>Once profile rules become well defined enable profile in
-        enforce mode with aa-enforce;</p>
-
-        <p>Monitor logs with aa-notify;</p>
-
-        <pre>
-        # aa-notify --file=/var/log/kernel -u username -l
-        </pre>
-
-        <p>And keep adjusting the rules with logprof;</p>
-
-        <pre>
-        # aa-logprof -f /var/log/kernel
-        </pre>
-
-
-        <h3 id="man_profiles">Create profile manually</h3>
-
-        <p>To create a new profile, let's say for lynx,
-        first find where the application is;</p>
-
-        <pre>
-        $ whereis lynx
-        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
-        </pre>
-
-        <p>Now create a file with path to executable in
-        /etc/apparmor.d;</p>
-
-        <pre>
-        # vim /etc/apparmor.d/usr.bin.lynx
-        </pre>
-
-        <p>Create basic profile template;</p>
-
-        <pre>
-        #include &lt;tunables/global&gt;
-
-        profile lynx /usr/bin/lynx {
-          #include &lt;abstractions/base&gt;
-        }
-        </pre>
-
-        <h3>Seed up profile loading</h3>
-
-        <p>Every time apparmor loads a profile in text it needs
-        to compile into binary format, this takes some time if
-        there is many profiles to load at boot time. To optimize
-        edit /etc/apparmor/parser.conf;</p>
-
-        <pre>
-        ## Turn creating/updating of the cache on by default
-        write-cache
-        </pre>
-
-        <p>To change default location add;</p>
+	<p>Utilities;</p>
+
+	<pre>
+	aa-audit           aa-disable         aa-genprof         aa-status
+	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
+	aa-cleanprof       aa-enabled         aa-mergeprof
+	aa-complain        aa-enforce         aa-notify
+	aa-decode          aa-exec            aa-remove-unknown
+	</pre>
 
-        <pre>
-        chache-loc=/var/cache/apparmor
-        </pre>
+	<h2 id="configure">6.2.1.2 Configure</h2>
 
-        <a href="index.html">Core OS Index</a>
-        <p>This is part of the Hive System Documentation.
-        Copyright (C) 2019
-        Hive Team.
-        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
-        for copying conditions.</p>
+	<p>Profiles are located at /etc/apparmor.d/ and
+	/usr/share/apparmor/extra-profiles contain profiles
+	that require testing;</p>
+
+	<pre>
+	# cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+	# sudo rm /etc/apparmor.d/README
+	# bash /etc/rc.d/apparmor restart
+	</pre>
+
+	<h2 id="profiles">6.2.1.3 Profiles</h2>
+
+	<p>Profiles are parsed using
+	apparmor_parser;</p>
+
+	<pre>
+	Usage: apparmor_parser [options] [profile]
+
+	Options:
+	--------
+	-a, --add               Add apparmor definitions [default]
+	-r, --replace           Replace apparmor definitions
+	-R, --remove            Remove apparmor definitions
+	-C, --Complain          Force the profile into complain mode
+	-B, --binary            Input is precompiled profile
+	-N, --names             Dump names of profiles in input.
+	-S, --stdout            Dump compiled profile to stdout
+	-o n, --ofile n         Write output to file n
+	-b n, --base n          Set base dir and cwd
+	-I n, --Include n       Add n to the search path
+	-f n, --subdomainfs n   Set location of apparmor filesystem
+	-m n, --match-string n  Use only features n
+	-M n, --features-file n Use only features in file n
+	-n n, --namespace n     Set Namespace for the profile
+	-X, --readimpliesX      Map profile read permissions to mr
+	-k, --show-cache        Report cache hit/miss details
+	-K, --skip-cache        Do not attempt to load or save cached profiles
+	-T, --skip-read-cache   Do not attempt to load cached profiles
+	-W, --write-cache       Save cached profile (force with -T)
+	    --skip-bad-cache    Don't clear cache if out of sync
+	    --purge-cache       Clear cache regardless of its state
+	    --debug-cache       Debug cache file checks
+	-L, --cache-loc n       Set the location of the profile cache
+	-q, --quiet             Don't emit warnings
+	-v, --verbose           Show profile names as they load
+	-Q, --skip-kernel-load  Do everything except loading into kernel
+	-V, --version           Display version info and exit
+	-d [n], --debug         Debug apparmor definitions OR [n]
+	-p, --preprocess        Dump preprocessed profile
+	-D [n], --dump          Dump internal info for debugging
+	-O [n], --Optimize      Control dfa optimizations
+	-h [cmd], --help[=cmd]  Display this text or info about cmd
+	-j n, --jobs n          Set the number of compile threads
+	--max-jobs n            Hard cap on --jobs. Default 8*cpus
+	--abort-on-error        Abort processing of profiles on first error
+	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
+	--warn n                Enable warnings (see --help=warn)
+	</pre>
+
+	<h2 id="audit">2.6.1.4 Profile with audit</h2>
+
+	<p>Tools use log as a source to build profiles, it is
+	necessary to disable log rate limit;</p>
+
+	<pre>
+	# sysctl -w kernel.printk_ratelimit=0
+	</pre>
+
+	<p>Start aa-genprof;</p>
+
+	<pre>
+	$ sudo aa-genprof /usr/bin/lynx
+	</pre>
+
+	<p>Execute application with all common application options
+	and parts. After initial automatic configuration enable profile in
+	complain mode.</p>
+
+	<pre>
+	$ sudo aa-complain lynx
+	</pre>
+
+	<p>Use aa-logprof when rules need to be adapted.</p>
+
+	<pre>
+	# aa-logprof -f /var/log/kernel
+	</pre>
+
+	<p>Reload profile with the new settings;</p>
+
+	<pre>
+	# apparmor_parser -r lynx
+	</pre>
+
+	<p>Once profile rules become well defined enable profile in
+	enforce mode with aa-enforce;</p>
+
+	<p>Monitor logs with aa-notify;</p>
+
+	<pre>
+	# aa-notify --file=/var/log/kernel -u username -l
+	</pre>
+
+	<p>And keep adjusting the rules with logprof;</p>
+
+	<pre>
+	# aa-logprof -f /var/log/kernel
+	</pre>
+
+	<h2 id="edit">2.6.1.5 Edit profiles</h2>
+
+	<h3>File Globing</h3>
+
+	<dl>
+	    <dt>/dir/file</dt><dd>match a specific file</dd>
+	    <dt>/dir/*</dt><dd>match any files in a directory (including dot files)</dd>
+	    <dt>/dir/a*</dt><dd>match any file in a directory starting with 'a'</dd>
+	    <dt>/dir/*.png</dt><dd>match any file in a directory ending with '.png'</dd>
+	    <dt>/dir/[^.]*</dt><dd>match any file in a directory except dot files</dd>
+	    <dt>/dir/</dt><dd>match a directory</dd>
+	    <dt>/dir/*/</dt><dd>match any directory within /dir/</dd>
+	    <dt>/dir/a*/</dt><dd>match any directory within /dir/ starting with a</dd>
+	    <dt>/dir/*a/</dt><dd>match any directory within /dir/ ending with a</dd>
+	    <dt>/dir/**</dt><dd>match any file or directory in or below /dir/</dd>
+	    <dt>/dir/**/</dt><dd>match any directory in or below /dir/</dd>
+	    <dt>/dir/**[^/]</dt><dd>match any file in or below /dir/</dd>
+	    <dt>/dir{,1,2}/**</dt><dd> - match any file or directory in or below /dir/, /dir1/, and /dir2/</dd>
+	</dl>
+
+	<h3>File Permissions</h3>
+
+	<dl>
+	    <dt>r</dt><dd>read</dd>
+	    <dt>w</dt><dd>write</dd>
+	    <dt>a</dt><dd>append (implied by w)</dd>
+	    <dt>m</dt><dd>memory map executable</dd>
+	    <dt>k</dt><dd>lock (requires r or w, AppArmor 2.1 and later)</dd>
+	    <dt>l</dt><dd>link</dd>
+
+	    <dt>x</dt><dd>execute</dd>
+	</dl>
+
+	<dl>
+	    <dt>ux</dt><dd>Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases</dd>
+	    <dt>Ux</dt><dd>Execute unconfined (scrub the environment)</dd>
+	    <dt>px</dt><dd>Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases</dd>
+	    <dt>Px</dt><dd>Execute under a specific profile (scrub the environment)</dd>
+	    <dt>pix</dt><dd>as px but fallback to inheriting the current profile if the target profile is not found</dd>
+	    <dt>Pix</dt><dd>as Px but fallback to inheriting the current profile if the target profile is not found</dd>
+	    <dt>pux</dt><dd>as px but fallback to executing unconfined if the target profile is not found</dd>
+	    <dt>Pux</dt><dd>as Px but fallback to executing unconfined if the target profile is not found</dd>
+	    <dt>ix<dt><dd>Execute and inherit the current profile</dd>
+	    <dt>cx<dt><dd>Execute and transition to a child profile (preserve the environment)</dd>
+	    <dt>Cx<dt><dd>Execute and transition to a child profile (scrub the environment)</dd>
+	    <dt>cix<dt><dd>as cx but fallback to inheriting the current profile if the target profile is not found</dd>
+	    <dt>Cix<dt><dd>as Cx but fallback to inheriting the current profile if the target profile is not found</dd>
+	    <dt>cux<dt><dd>as cx but fallback to executing unconfined if the target profile is not found</dd>
+	    <dt>Cux<dt><dd>as Cx but fallback to executing unconfined if the target profile is not found</dd>
+	</dl>
+
+	<p>The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).</p>
+
+	<p>Read <a href="https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage">Profile Language</a> for more information.</p>
+
+	<h2 id="speedup">2.6.1.6 Speedup startup</h2>
+
+	<p>Every time apparmor loads a profile in text it needs
+	to compile into binary format, this takes some time if
+	there is many profiles to load at boot time. To optimize
+	edit /etc/apparmor/parser.conf;</p>
+
+	<pre>
+	## Turn creating/updating of the cache on by default
+	write-cache
+	</pre>
+
+	<p>To change default location add;</p>
+
+	<pre>
+	chache-loc=/var/cache/apparmor
+	</pre>
+
+	<a href="index.html">Core OS Index</a>
+	<p>This is part of the Tribu System Documentation.
+	Copyright (C) 2020
+	Tribu Team.
+	See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+	for copying conditions.</p>
 
     </body>
 </html>
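Review bot: the execute-permission entries from ix to Cux never close their term element, each line of the form `<dt>ix<dt><dd>Execute and inherit the current profile</dd>` opens a second `<dt>` where `</dt>` is intended, so the second `<dl>` under "File Permissions" is malformed and browsers will nest the terms; change every `<dt>X<dt>` in that run to `<dt>X</dt>`, as the ux through Pux entries just above already do. Three further points in this hunk: the new headings for Configure and Profiles are numbered 6.2.1.2 and 6.2.1.3 while every other heading on the page uses the 2.6.1.x prefix (2.6.1.1, 2.6.1.4, 2.6.1.5, 2.6.1.6), so they should read 2.6.1.2 and 2.6.1.3; the reload example `# apparmor_parser -r lynx` passes a bare profile name where apparmor_parser expects the path of a profile file (the usage text in the same hunk shows `[profile]` as the file argument, and the removed "Create profile manually" section placed that file at /etc/apparmor.d/usr.bin.lynx), so the command should name the file under /etc/apparmor.d/; and the parser.conf example `chache-loc=/var/cache/apparmor`, carried over unchanged from the old version, misspells the option, which the option listing earlier in the hunk gives as `--cache-loc`. Minor: the `/dir{,1,2}/**` definition keeps a stray leading " - " in its `<dd>`, the README removal line combines a root prompt with sudo, and dropping the manual-profile section removes the only profile template (the `#include <tunables/global>` / `profile lynx /usr/bin/lynx { ... }` skeleton) from the page, so the new "Edit profiles" section lists permissions and globs without showing the file they belong in; consider carrying that template into the new section.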