<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6.1. AppArmor</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.6.1. AppArmor</h1>
<p>Check the <a href="linux.html#configure">kernel configuration</a>, or
use the kernel provided by the <a href="reboot.html#linux">linux-gnu</a> port,
to make sure AppArmor is supported. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforces rules on applications based
on security policies. The user space tools are provided by the apparmor port
and its dependencies; install them:</p>
<pre>
$ sudo prt-get depinst apparmor
</pre>
<p>Enable AppArmor on the kernel command line by putting the following in /etc/default/grub:</p>
<pre>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</pre>
<p>Add securityfs to /etc/fstab:</p>
<pre>
none /sys/kernel/security securityfs defaults 0 0
</pre>
<p>Check the status:</p>
<pre>
# apparmor_status
</pre>
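<p>The three steps above (kernel command line, securityfs mount, status check) are easy to get half right, so the script below, added here as an example and not part of the Hive documentation, checks the first two against text you hand it. It parses a kernel command line for <code>apparmor=1 security=apparmor</code> and an fstab- or /proc/mounts-style listing for a securityfs entry on /sys/kernel/security. All function names and the sample input are constructed for this example; on a live system, once the new GRUB configuration has been generated and the machine rebooted, feed it /proc/cmdline and /proc/mounts instead.</p>

```shell
#!/bin/sh
# Added example (not from the Hive documentation): sanity checks for the
# AppArmor boot setup. Each check takes its input as an argument so it runs
# against constructed sample text as well as live files.

# Return 0 when the kernel command line selects AppArmor as the LSM.
# Both "apparmor=1" and "security=apparmor" are required; an explicit
# "apparmor=0" or a different "security=" value fails the check.
cmdline_enables_apparmor() {
    cmdline=$1
    has_flag=0
    has_lsm=0
    for word in $cmdline; do
        case $word in
            apparmor=1)        has_flag=1 ;;
            apparmor=0)        return 1 ;;
            security=apparmor) has_lsm=1 ;;
            security=*)        return 1 ;;
        esac
    done
    [ "$has_flag" -eq 1 ] && [ "$has_lsm" -eq 1 ]
}

# Return 0 when an fstab- or /proc/mounts-style text has a securityfs entry
# for /sys/kernel/security. Blank lines and comments are skipped; the column
# order (device, mount point, type, ...) is the same in both files.
fstab_mounts_securityfs() {
    printf '%s\n' "$1" | {
        while read -r dev mnt type rest; do
            case $dev in ''|\#*) continue ;; esac
            if [ "$mnt" = /sys/kernel/security ] && [ "$type" = securityfs ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# Run both checks and report; returns the number of failed checks, so 0
# means the boot-time AppArmor setup looks complete.
audit_apparmor_boot() {
    failures=0
    if cmdline_enables_apparmor "$1"; then
        echo "ok:   kernel command line enables AppArmor"
    else
        echo "FAIL: kernel command line lacks apparmor=1 security=apparmor"
        failures=$((failures + 1))
    fi
    if fstab_mounts_securityfs "$2"; then
        echo "ok:   securityfs entry for /sys/kernel/security present"
    else
        echo "FAIL: no securityfs entry for /sys/kernel/security"
        failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample input standing in for /proc/cmdline and /etc/fstab.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 ro apparmor=1 security=apparmor'
SAMPLE_FSTAB='# <device> <mount point> <type> <options> <dump> <pass>
/dev/sda2  /                    ext4        defaults  0 1
none       /sys/kernel/security securityfs  defaults  0 0'

if audit_apparmor_boot "$SAMPLE_CMDLINE" "$SAMPLE_FSTAB"; then
    echo "sample configuration passes"
fi
# Live system: audit_apparmor_boot "$(cat /proc/cmdline)" "$(cat /proc/mounts)"
```

<p>Running it against /proc/mounts rather than /etc/fstab tells you whether securityfs is actually mounted now, not just whether it will be at the next boot; apparmor_status needs that mount to report anything.</p>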
<p>Utilities:</p>
<pre>
aa-audit aa-disable aa-genprof aa-status
aa-autodep aa-easyprof aa-logprof aa-unconfined
aa-cleanprof aa-enabled aa-mergeprof
aa-complain aa-enforce aa-notify
aa-decode aa-exec aa-remove-unknown
</pre>
<p>apparmor_parser options:</p>
<pre>
Usage: apparmor_parser [options] [profile]
Options:
--------
-a, --add Add apparmor definitions [default]
-r, --replace Replace apparmor definitions
-R, --remove Remove apparmor definitions
-C, --Complain Force the profile into complain mode
-B, --binary Input is precompiled profile
-N, --names Dump names of profiles in input.
-S, --stdout Dump compiled profile to stdout
-o n, --ofile n Write output to file n
-b n, --base n Set base dir and cwd
-I n, --Include n Add n to the search path
-f n, --subdomainfs n Set location of apparmor filesystem
-m n, --match-string n Use only features n
-M n, --features-file n Use only features in file n
-n n, --namespace n Set Namespace for the profile
-X, --readimpliesX Map profile read permissions to mr
-k, --show-cache Report cache hit/miss details
-K, --skip-cache Do not attempt to load or save cached profiles
-T, --skip-read-cache Do not attempt to load cached profiles
-W, --write-cache Save cached profile (force with -T)
--skip-bad-cache Don't clear cache if out of sync
--purge-cache Clear cache regardless of its state
--debug-cache Debug cache file checks
-L, --cache-loc n Set the location of the profile cache
-q, --quiet Don't emit warnings
-v, --verbose Show profile names as they load
-Q, --skip-kernel-load Do everything except loading into kernel
-V, --version Display version info and exit
-d [n], --debug Debug apparmor definitions OR [n]
-p, --preprocess Dump preprocessed profile
-D [n], --dump Dump internal info for debugging
-O [n], --Optimize Control dfa optimizations
-h [cmd], --help[=cmd] Display this text or info about cmd
-j n, --jobs n Set the number of compile threads
--max-jobs n Hard cap on --jobs. Default 8*cpus
--abort-on-error Abort processing of profiles on first error
--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
--warn n Enable warnings (see --help=warn)
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation.
Copyright (C) 2018
Hive Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>