2.6.1. AppArmor

Check kernel configuration or use the provided with linux-gnu port to support apparmor. AppArmor enforce rules on applications based on security policies. User space tools are provided by apparmor port and its dependencies, install them;

        $ sudo prt-get depinst apparmor
        

Enable apparmor on linux by command line, create /etc/default/grub;

        GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
        

Add SecurityFS to /etc/fstab;

        none /sys/kernel/security securityfs defaults 0 0
        

Check status;

        # apparmor_status
        

Utilities;

        aa-audit           aa-disable         aa-genprof         aa-status
        aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
        aa-cleanprof       aa-enabled         aa-mergeprof
        aa-complain        aa-enforce         aa-notify
        aa-decode          aa-exec            aa-remove-unknown
        

Profiles

Profiles are located at /etc/apparmor.d/ and /usr/share/apparmor/extra-profiles contain profiles that require testing;

        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
        # sudo rm /etc/apparmor.d/README
        # bash /etc/rc.d/apparmor restart
        

Profiles are parsed using apparmor_parser;

        Usage: apparmor_parser [options] [profile]

        Options:
        --------
        -a, --add               Add apparmor definitions [default]
        -r, --replace           Replace apparmor definitions
        -R, --remove            Remove apparmor definitions
        -C, --Complain          Force the profile into complain mode
        -B, --binary            Input is precompiled profile
        -N, --names             Dump names of profiles in input.
        -S, --stdout            Dump compiled profile to stdout
        -o n, --ofile n         Write output to file n
        -b n, --base n          Set base dir and cwd
        -I n, --Include n       Add n to the search path
        -f n, --subdomainfs n   Set location of apparmor filesystem
        -m n, --match-string n  Use only features n
        -M n, --features-file n Use only features in file n
        -n n, --namespace n     Set Namespace for the profile
        -X, --readimpliesX      Map profile read permissions to mr
        -k, --show-cache        Report cache hit/miss details
        -K, --skip-cache        Do not attempt to load or save cached profiles
        -T, --skip-read-cache   Do not attempt to load cached profiles
        -W, --write-cache       Save cached profile (force with -T)
            --skip-bad-cache    Don't clear cache if out of sync
            --purge-cache       Clear cache regardless of its state
            --debug-cache       Debug cache file checks
        -L, --cache-loc n       Set the location of the profile cache
        -q, --quiet             Don't emit warnings
        -v, --verbose           Show profile names as they load
        -Q, --skip-kernel-load  Do everything except loading into kernel
        -V, --version           Display version info and exit
        -d [n], --debug         Debug apparmor definitions OR [n]
        -p, --preprocess        Dump preprocessed profile
        -D [n], --dump          Dump internal info for debugging
        -O [n], --Optimize      Control dfa optimizations
        -h [cmd], --help[=cmd]  Display this text or info about cmd
        -j n, --jobs n          Set the number of compile threads
        --max-jobs n            Hard cap on --jobs. Default 8*cpus
        --abort-on-error        Abort processing of profiles on first error
        --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
        --warn n                Enable warnings (see --help=warn)
        

Create profile with audit

Tools use log as a source to build profiles, it is necessary to disable log rate limit;

        # sysctl -w kernel.printk_ratelimit=0
        

Start aa-genprof;

        $ sudo aa-genprof /usr/bin/lynx
        

Execute application with all common application options and parts. After initial automatic configuration enable profile in complain mode. Use aa-logprof when rules need to be adapted.

        # aa-logprof -f /var/log/kernel
        

Once profile rules become well defined enable profile in enforce mode with aa-enforce;

Monitor logs with aa-notify;

        # aa-notify --file=/var/log/kernel -u username -l
        

And keep adjusting the rules with logprof;

        # aa-logprof -f /var/log/kernel
        

Create profile manually

To create a new profile, let's say for lynx, first find where the application is;

        $ whereis lynx
        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
        

Now create a file with path to executable in /etc/apparmor.d;

        # vim /etc/apparmor.d/usr.bin.lynx
        

Create basic profile template;

        #include <tunables/global>

        profile lynx /usr/bin/lynx {
          #include <abstractions/base>
        }
        

Seed up profile loading

Every time apparmor loads a profile in text it needs to compile into binary format, this takes some time if there is many profiles to load at boot time. To optimize edit /etc/apparmor/parser.conf;

        ## Turn creating/updating of the cache on by default
        write-cache
        

To change default location add;

        chache-loc=/var/cache/apparmor
        

This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.