2.6.1. AppArmor

Check that the kernel is configured with AppArmor support, or use the kernel configuration provided with the linux-gnu port. AppArmor enforces rules on applications according to security policies (profiles). The user-space tools are provided by the apparmor port and its dependencies; install them;

        $ sudo prt-get depinst apparmor
        

Enable AppArmor on the kernel command line by creating or editing /etc/default/grub so that it contains;

        GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
        

Add SecurityFS to /etc/fstab;

        none /sys/kernel/security securityfs defaults 0 0
        

Check status;

        # apparmor_status
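
The three steps above (kernel command line, securityfs mount, status check) can be verified together after a reboot. The following script is an added example, not part of the Hive documentation or of the apparmor port; the file name aa-verify.sh is assumed. It reads /proc/cmdline, /proc/mounts and /sys/module/apparmor/parameters/enabled, and each path can be overridden by an argument so the checks can also be tried against sample files.

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): confirm that AppArmor is
# really active after the GRUB and fstab changes above. Every check reads a
# file whose path can be overridden, so the functions can also be exercised
# against sample files. Assumed file name: aa-verify.sh.

# 0 when the kernel command line carries both apparmor=1 and security=apparmor.
aa_cmdline_ok() {
    cmdline_file="${1:-/proc/cmdline}"
    [ -r "$cmdline_file" ] || return 1
    grep -Eq '(^|[[:space:]])apparmor=1([[:space:]]|$)' "$cmdline_file" &&
        grep -Eq '(^|[[:space:]])security=apparmor([[:space:]]|$)' "$cmdline_file"
}

# 0 when securityfs is mounted on /sys/kernel/security (mount table, default /proc/mounts).
aa_securityfs_mounted() {
    mounts_file="${1:-/proc/mounts}"
    [ -r "$mounts_file" ] || return 1
    awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit !found }' "$mounts_file"
}

# 0 when the LSM reports itself enabled (the parameters file contains Y).
aa_module_enabled() {
    enabled_file="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$enabled_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$enabled_file")" = "Y" ]
}

# Run all three checks, print a verdict per check and return the number that failed.
# Optional arguments override the three file paths, in the order above.
aa_verify() {
    failed=0
    if aa_cmdline_ok "$1"; then
        echo "ok   kernel command line enables AppArmor"
    else
        echo "FAIL kernel command line lacks apparmor=1 security=apparmor"
        failed=$((failed + 1))
    fi
    if aa_securityfs_mounted "$2"; then
        echo "ok   securityfs mounted on /sys/kernel/security"
    else
        echo "FAIL securityfs not mounted (check the /etc/fstab entry)"
        failed=$((failed + 1))
    fi
    if aa_module_enabled "$3"; then
        echo "ok   apparmor module reports enabled=Y"
    else
        echo "FAIL apparmor module not enabled in the running kernel"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Run against the live system when executed as a script; sourcing only defines the functions.
case "$0" in *aa-verify.sh) aa_verify ;; esac
```

Run it as `sh aa-verify.sh` after rebooting: the exit status is the number of failed checks, so it can be called from a boot-time sanity script, and apparmor_status then gives the detailed per-profile view once all three checks pass.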
        

Utilities;

	aa-audit           aa-disable         aa-genprof         aa-status
	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
	aa-cleanprof       aa-enabled         aa-mergeprof
	aa-complain        aa-enforce         aa-notify
	aa-decode          aa-exec            aa-remove-unknown
	

Profiles

Profiles are located in /etc/apparmor.d/; /usr/share/apparmor/extra-profiles contains additional profiles that still require testing. To try them, copy them into place and restart AppArmor;

        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
        # rm /etc/apparmor.d/README
        # bash /etc/rc.d/apparmor restart
        

Profiles are parsed using apparmor_parser;

	Usage: apparmor_parser [options] [profile]

	Options:
	--------
	-a, --add               Add apparmor definitions [default]
	-r, --replace           Replace apparmor definitions
	-R, --remove            Remove apparmor definitions
	-C, --Complain          Force the profile into complain mode
	-B, --binary            Input is precompiled profile
	-N, --names             Dump names of profiles in input.
	-S, --stdout            Dump compiled profile to stdout
	-o n, --ofile n         Write output to file n
	-b n, --base n          Set base dir and cwd
	-I n, --Include n       Add n to the search path
	-f n, --subdomainfs n   Set location of apparmor filesystem
	-m n, --match-string n  Use only features n
	-M n, --features-file n Use only features in file n
	-n n, --namespace n     Set Namespace for the profile
	-X, --readimpliesX      Map profile read permissions to mr
	-k, --show-cache        Report cache hit/miss details
	-K, --skip-cache        Do not attempt to load or save cached profiles
	-T, --skip-read-cache   Do not attempt to load cached profiles
	-W, --write-cache       Save cached profile (force with -T)
	    --skip-bad-cache    Don't clear cache if out of sync
	    --purge-cache       Clear cache regardless of its state
	    --debug-cache       Debug cache file checks
	-L, --cache-loc n       Set the location of the profile cache
	-q, --quiet             Don't emit warnings
	-v, --verbose           Show profile names as they load
	-Q, --skip-kernel-load  Do everything except loading into kernel
	-V, --version           Display version info and exit
	-d [n], --debug         Debug apparmor definitions OR [n]
	-p, --preprocess        Dump preprocessed profile
	-D [n], --dump          Dump internal info for debugging
	-O [n], --Optimize      Control dfa optimizations
	-h [cmd], --help[=cmd]  Display this text or info about cmd
	-j n, --jobs n          Set the number of compile threads
	--max-jobs n            Hard cap on --jobs. Default 8*cpus
	--abort-on-error        Abort processing of profiles on first error
	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
	--warn n                Enable warnings (see --help=warn)
	

Create profile with audit

The profiling tools use the system log as their source for building profiles, so the kernel log rate limit must be disabled first;

        # sysctl -w kernel.printk_ratelimit=0
        

Start aa-genprof;

        $ sudo aa-genprof /usr/bin/lynx
        

Exercise the application with all of its commonly used options and features.

After the initial automatic configuration, enable the profile in complain mode. Use aa-logprof when rules need to be adapted;

        # aa-logprof
        

Once the profile rules are well defined, enable the profile in enforce mode with aa-enforce.

Monitor the logs with aa-notify.
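
The audit events that aa-logprof and aa-notify work from can be inspected directly, which helps when deciding whether a denial is a missing rule or the profile doing its job. The script below is an added example, not part of the Hive documentation or of the apparmor port; the file name aa-denials.sh is assumed, the sample log it embeds is constructed rather than captured, and the rule suggestions it prints are only a starting point for review.

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): summarize the AppArmor
# audit events that aa-logprof and aa-notify work from, and turn one profile's
# events into candidate rule lines for review. Assumed file name: aa-denials.sh.
# Events are the kernel's audit lines with apparmor="DENIED" (enforce mode) or
# apparmor="ALLOWED" (complain mode: the access was logged but not blocked).

# Normalize events to tab-separated records: status, profile, operation, target, mask.
# The target is the "name" field, or the capability name for "capable" events.
aa_event_records() {
    log_file="${1:-/var/log/audit/audit.log}"
    [ -r "$log_file" ] || return 1
    grep -E 'apparmor="(DENIED|ALLOWED)"' "$log_file" | awk '
    {
        split("", f)                          # reset the per-line field map
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")                # keep only key=value tokens
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)
            f[k] = v
        }
        target = ("name" in f) ? f["name"] : (("capname" in f) ? f["capname"] : "-")
        mask   = ("denied_mask" in f) ? f["denied_mask"] : "-"
        print f["apparmor"] "\t" f["profile"] "\t" f["operation"] "\t" target "\t" mask
    }'
}

# Count distinct records, most frequent first (what aa-notify would summarize).
aa_event_summary() {
    aa_event_records "$1" | sort | uniq -c | sort -rn
}

# Candidate rules for one profile, deduplicated, roughly as aa-logprof proposes them.
# Exec events are emitted as comments because the transition (ix, px, ux ...) is a
# policy decision; capability events become "capability <name>," lines.
aa_suggest_rules() {
    aa_event_records "$1" | awk -v FS='\t' -v p="$2" '
    $2 != p { next }
    {
        if ($3 == "capable")  rule = "  capability " $4 ","
        else if ($5 ~ /x/)    rule = "  # exec of " $4 " (" $5 "): choose ix, px or ux by hand"
        else                  rule = "  " $4 " " $5 ","
        if (!seen[rule]++) print rule
    }'
}

# Constructed sample log (not captured from a real system), written to the file named by $1.
aa_write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:41): apparmor="DENIED" operation="open" profile="lynx" name="/etc/shadow" pid=2314 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:42): apparmor="DENIED" operation="open" profile="lynx" name="/etc/shadow" pid=2314 comm="lynx" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.103:43): apparmor="DENIED" operation="exec" profile="lynx" name="/usr/bin/gzip" pid=2314 comm="lynx" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.104:44): apparmor="DENIED" operation="capable" profile="lynx" pid=2314 comm="lynx" capability=13 capname="net_raw"
type=AVC msg=audit(1700000000.105:45): apparmor="ALLOWED" operation="open" profile="wget" name="/home/user/.wgetrc" pid=2401 comm="wget" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
EOF
}

# Executed as a script: summarize the given log, or the constructed sample when given "sample".
case "$0" in
*aa-denials.sh)
    if [ "$1" = sample ]; then
        tmp=$(mktemp) && aa_write_sample_log "$tmp" && aa_event_summary "$tmp" && aa_suggest_rules "$tmp" lynx
        rm -f "$tmp"
    else
        aa_event_summary "$1"
    fi ;;
esac
```

`sh aa-denials.sh sample` prints the counted events and then the candidate rules for the lynx profile. Treat the suggestions as questions, not answers: in the sample, a browser repeatedly denied read access to /etc/shadow is the profile working as intended and should stay denied, while the missing read on a configuration file is the kind of rule aa-logprof would rightly add.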

Create profile manually

To create a new profile, say for lynx, first find where the application is installed;

        $ whereis lynx
        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
        

Now create a file in /etc/apparmor.d named after the path of the executable, with the slashes replaced by dots;

        # vim /etc/apparmor.d/usr.bin.lynx
        

Create basic profile template;

        #include <tunables/global>

        profile lynx /usr/bin/lynx {
          #include <abstractions/base>
        }
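
The naming convention and the skeleton above can be scripted, together with a syntax check before the profile is loaded. The following helpers are an added example, not part of the Hive documentation or of the apparmor port; the file name aa-profile.sh is assumed, and apparmor_parser is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): helpers for the manual
# profile workflow above. Assumed file name: aa-profile.sh. Derives the
# conventional profile file name from the executable path, emits the skeleton
# shown above, installs it without overwriting, and, where apparmor_parser is
# installed, compiles it without loading so syntax errors surface early.

# /usr/bin/lynx -> usr.bin.lynx: drop the leading slash, turn the remaining slashes into dots.
aa_profile_filename() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Print the minimal skeleton; the profile name is the executable's basename.
aa_profile_skeleton() {
    exe="$1"
    name=$(basename "$exe")
    cat <<EOF
#include <tunables/global>

profile $name $exe {
  #include <abstractions/base>
}
EOF
}

# Write the skeleton to <dir>/<derived name> (dir defaults to /etc/apparmor.d).
# Refuses to clobber an existing profile; prints the path written.
aa_profile_install() {
    exe="$1"
    dir="${2:-/etc/apparmor.d}"
    dest="$dir/$(aa_profile_filename "$exe")"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing profile $dest" >&2
        return 1
    fi
    aa_profile_skeleton "$exe" > "$dest" && printf '%s\n' "$dest"
}

# Compile a profile without loading it into the kernel (-Q) and without touching
# the cache (-K): a pure syntax check to run before the profile goes live.
# Returns apparmor_parser's status, or 2 when the parser is not installed.
aa_profile_check() {
    command -v apparmor_parser >/dev/null 2>&1 || {
        echo "apparmor_parser not found; install the apparmor port" >&2
        return 2
    }
    apparmor_parser -Q -K "$1"
}

# Executed as a script: print the skeleton for the executable given as argument.
case "$0" in *aa-profile.sh) aa_profile_skeleton "${1:?usage: aa-profile.sh /path/to/executable}" ;; esac
```

`sh aa-profile.sh /usr/bin/lynx` prints the skeleton; after editing the installed file, `aa_profile_check /etc/apparmor.d/usr.bin.lynx` reports parse errors without changing anything in the running kernel, and `apparmor_parser -r` then loads the checked profile.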
        

Speed up profile loading

Every time AppArmor loads a profile from its text form it has to compile it into binary form, which takes time when many profiles are loaded at boot. To cache the compiled profiles, edit /etc/apparmor/parser.conf;

        ## Turn creating/updating of the cache on by default
        write-cache
        

To change the default cache location add;

        cache-loc=/var/cache/apparmor
        

This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.