Core OS Index

2.6.1. AppArmor

Check kernel configuration or use the provided with linux-gnu port to support apparmor. AppArmor enforce rules on applications based on security policies.

2.6.1.1 Install

User space tools are provided by apparmor port and its dependencies, install them;

	$ sudo prt-get depinst apparmor
	

Enable apparmor on linux by command line, create /etc/default/grub;

	GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
	

Add SecurityFS to /etc/fstab;

	none /sys/kernel/security securityfs defaults 0 0
	

Check status;

	# apparmor_status
	

Utilities;

	aa-audit           aa-disable         aa-genprof         aa-status
	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
	aa-cleanprof       aa-enabled         aa-mergeprof
	aa-complain        aa-enforce         aa-notify
	aa-decode          aa-exec            aa-remove-unknown
	

6.2.1.2 Configure

Profiles are located at /etc/apparmor.d/ and /usr/share/apparmor/extra-profiles contain profiles that require testing;

	# cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
	# sudo rm /etc/apparmor.d/README
	# bash /etc/rc.d/apparmor restart
	

6.2.1.3 Profiles

Profiles are parsed using apparmor_parser;

	Usage: apparmor_parser [options] [profile]

	Options:
	--------
	-a, --add               Add apparmor definitions [default]
	-r, --replace           Replace apparmor definitions
	-R, --remove            Remove apparmor definitions
	-C, --Complain          Force the profile into complain mode
	-B, --binary            Input is precompiled profile
	-N, --names             Dump names of profiles in input.
	-S, --stdout            Dump compiled profile to stdout
	-o n, --ofile n         Write output to file n
	-b n, --base n          Set base dir and cwd
	-I n, --Include n       Add n to the search path
	-f n, --subdomainfs n   Set location of apparmor filesystem
	-m n, --match-string n  Use only features n
	-M n, --features-file n Use only features in file n
	-n n, --namespace n     Set Namespace for the profile
	-X, --readimpliesX      Map profile read permissions to mr
	-k, --show-cache        Report cache hit/miss details
	-K, --skip-cache        Do not attempt to load or save cached profiles
	-T, --skip-read-cache   Do not attempt to load cached profiles
	-W, --write-cache       Save cached profile (force with -T)
	    --skip-bad-cache    Don't clear cache if out of sync
	    --purge-cache       Clear cache regardless of its state
	    --debug-cache       Debug cache file checks
	-L, --cache-loc n       Set the location of the profile cache
	-q, --quiet             Don't emit warnings
	-v, --verbose           Show profile names as they load
	-Q, --skip-kernel-load  Do everything except loading into kernel
	-V, --version           Display version info and exit
	-d [n], --debug         Debug apparmor definitions OR [n]
	-p, --preprocess        Dump preprocessed profile
	-D [n], --dump          Dump internal info for debugging
	-O [n], --Optimize      Control dfa optimizations
	-h [cmd], --help[=cmd]  Display this text or info about cmd
	-j n, --jobs n          Set the number of compile threads
	--max-jobs n            Hard cap on --jobs. Default 8*cpus
	--abort-on-error        Abort processing of profiles on first error
	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
	--warn n                Enable warnings (see --help=warn)
	

2.6.1.4 Profile with audit

Tools use log as a source to build profiles, it is necessary to disable log rate limit;

	# sysctl -w kernel.printk_ratelimit=0
	

Start aa-genprof;

	$ sudo aa-genprof /usr/bin/lynx
	

Execute application with all common application options and parts. After initial automatic configuration enable profile in complain mode.

	$ sudo aa-complain lynx
	

Use aa-logprof when rules need to be adapted.

	# aa-logprof -f /var/log/kernel
	

Reload profile with the new settings;

	# apparmor_parser -r lynx
	

Once profile rules become well defined enable profile in enforce mode with aa-enforce;

Monitor logs with aa-notify;

	# aa-notify --file=/var/log/kernel -u username -l
	

And keep adjusting the rules with logprof;

	# aa-logprof -f /var/log/kernel
	

Apparmor will give several options such as;

Inherit ix
Creates a rule that is denoted by ix within the profile, causes the executed binary to inherit permissions from the parent profile.
Child cx
Creates a rule that is denoted by within the profile, requires a sub-profile to be created within the parent profile and rules must be separately generated for this child (prompts will appear when running scans on the parent).

2.6.1.5 Edit profiles

File Globing

/dir/file
match a specific file
/dir/*
match any files in a directory (including dot files)
/dir/a*
match any file in a directory starting with 'a'
/dir/*.png
match any file in a directory ending with '.png'
/dir/[^.]*
match any file in a directory except dot files
/dir/
match a directory
/dir/*/
match any directory within /dir/
/dir/a*/
match any directory within /dir/ starting with a
/dir/*a/
match any directory within /dir/ ending with a
/dir/**
match any file or directory in or below /dir/
/dir/**/
match any directory in or below /dir/
/dir/**[^/]
match any file in or below /dir/
/dir{,1,2}/**
- match any file or directory in or below /dir/, /dir1/, and /dir2/

File Permissions

r
read
w
write
a
append (implied by w)
m
memory map executable
k
lock (requires r or w, AppArmor 2.1 and later)
l
link
x
execute
ux
Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases
Ux
Execute unconfined (scrub the environment)
px
Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases
Px
Execute under a specific profile (scrub the environment)
pix
as px but fallback to inheriting the current profile if the target profile is not found
Pix
as Px but fallback to inheriting the current profile if the target profile is not found
pux
as px but fallback to executing unconfined if the target profile is not found
Pux
as Px but fallback to executing unconfined if the target profile is not found
ix
Execute and inherit the current profile
cx
Execute and transition to a child profile (preserve the environment)
Cx
Execute and transition to a child profile (scrub the environment)
cix
as cx but fallback to inheriting the current profile if the target profile is not found
Cix
as Cx but fallback to inheriting the current profile if the target profile is not found
cux
as cx but fallback to executing unconfined if the target profile is not found
Cux
as Cx but fallback to executing unconfined if the target profile is not found

The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).

Read Profile Language for more information.

2.6.1.6 Speedup startup

Every time apparmor loads a profile in text it needs to compile into binary format, this takes some time if there is many profiles to load at boot time. To optimize edit /etc/apparmor/parser.conf;

	## Turn creating/updating of the cache on by default
	write-cache
	

To change default location add;

	chache-loc=/var/cache/apparmor
	
Core OS Index

This is part of the Tribu System Documentation. Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.