Check that your kernel configuration supports AppArmor, or use the configuration provided with the linux-gnu port. AppArmor enforces rules on applications based on security policies. The user-space tools are provided by the apparmor port and its dependencies; install them;
$ sudo prt-get depinst apparmor
Enable AppArmor through the Linux kernel command line by creating /etc/default/grub;
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
Add SecurityFS to /etc/fstab;
none /sys/kernel/security securityfs defaults 0 0
Check status;
# apparmor_status
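A check for the three boot-time settings above (kernel command line, securityfs mount, module state), as an added example that is not part of the c9 manual. The function names and the sample tree are constructed for illustration; pass "" as the root prefix to check the live host.

```sh
#!/bin/sh
# Check the boot-time AppArmor setup: kernel command line, securityfs
# mount, and the module's "enabled" parameter. Paths take a root prefix
# so the checks also run on a constructed tree; use "" for the live host.

# Both parameters from /etc/default/grub must be on the kernel command line.
cmdline_ok() {
    tr ' ' '\n' < "$1" | grep -qx 'apparmor=1' &&
        tr ' ' '\n' < "$1" | grep -qx 'security=apparmor'
}

# A mount table (/proc/mounts or /etc/fstab) must list securityfs on
# /sys/kernel/security; commented-out lines do not count.
securityfs_ok() {
    awk '$1 !~ /^#/ && $2 == "/sys/kernel/security" && $3 == "securityfs" { f = 1 }
         END { exit !f }' "$1"
}

# /sys/module/apparmor/parameters/enabled reads "Y" when AppArmor is active.
module_ok() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Print one line per check; return the number of failed checks.
aa_boot_check() {
    root=$1 fails=0
    for c in "cmdline_ok /proc/cmdline" "securityfs_ok /proc/mounts" \
             "module_ok /sys/module/apparmor/parameters/enabled"; do
        fn=${c%% *} path=$root${c#* }
        if "$fn" "$path" 2>/dev/null; then echo "ok   $path"
        else echo "FAIL $path"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample tree (not from a real host) mirroring the files above.
demo=$(mktemp -d)
mkdir -p "$demo/proc" "$demo/sys/module/apparmor/parameters"
echo 'root=/dev/sda2 ro apparmor=1 security=apparmor' > "$demo/proc/cmdline"
echo 'none /sys/kernel/security securityfs rw,relatime 0 0' > "$demo/proc/mounts"
echo 'Y' > "$demo/sys/module/apparmor/parameters/enabled"
aa_boot_check "$demo"
rm -rf "$demo"
```

securityfs_ok accepts /etc/fstab as well as /proc/mounts, so it can confirm the fstab entry before a reboot.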
Utilities;
aa-audit      aa-disable   aa-genprof         aa-status
aa-autodep    aa-easyprof  aa-logprof         aa-unconfined
aa-cleanprof  aa-enabled   aa-mergeprof
aa-complain   aa-enforce   aa-notify
aa-decode     aa-exec      aa-remove-unknown
apparmor_parser options;
Usage: apparmor_parser [options] [profile]

Options:
--------
-a, --add                  Add apparmor definitions [default]
-r, --replace              Replace apparmor definitions
-R, --remove               Remove apparmor definitions
-C, --Complain             Force the profile into complain mode
-B, --binary               Input is precompiled profile
-N, --names                Dump names of profiles in input.
-S, --stdout               Dump compiled profile to stdout
-o n, --ofile n            Write output to file n
-b n, --base n             Set base dir and cwd
-I n, --Include n          Add n to the search path
-f n, --subdomainfs n      Set location of apparmor filesystem
-m n, --match-string n     Use only features n
-M n, --features-file n    Use only features in file n
-n n, --namespace n        Set Namespace for the profile
-X, --readimpliesX         Map profile read permissions to mr
-k, --show-cache           Report cache hit/miss details
-K, --skip-cache           Do not attempt to load or save cached profiles
-T, --skip-read-cache      Do not attempt to load cached profiles
-W, --write-cache          Save cached profile (force with -T)
--skip-bad-cache           Don't clear cache if out of sync
--purge-cache              Clear cache regardless of its state
--debug-cache              Debug cache file checks
-L, --cache-loc n          Set the location of the profile cache
-q, --quiet                Don't emit warnings
-v, --verbose              Show profile names as they load
-Q, --skip-kernel-load     Do everything except loading into kernel
-V, --version              Display version info and exit
-d [n], --debug            Debug apparmor definitions OR [n]
-p, --preprocess           Dump preprocessed profile
-D [n], --dump             Dump internal info for debugging
-O [n], --Optimize         Control dfa optimizations
-h [cmd], --help[=cmd]     Display this text or info about cmd
-j n, --jobs n             Set the number of compile threads
--max-jobs n               Hard cap on --jobs. Default 8*cpus
--abort-on-error           Abort processing of profiles on first error
--skip-bad-cache-rebuild   Do not try rebuilding the cache if it is rejected by the kernel
--warn n                   Enable warnings (see --help=warn)
This is part of the c9 Manual. Copyright (C) 2018 c9 team. See the file Gnu Free Documentation License for copying conditions.