1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.2.1. AppArmor</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.2.1. AppArmor</h1>
<p>Check <a href="linux.html#configure">kernel configuration</a> or
use the provided with <a href="reboot.html#linux">linux-gnu</a> port
to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based
on security policies. User space tools are provided by apparmor port
and its dependencies, install them;</p>
<pre>
$ sudo prt-get depinst apparmor
</pre>
<p>Enable apparmor on linux by command line, create /etc/default/grub;</p>
<pre>
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
</pre>
<p>Add SecurityFS to /etc/fstab;</p>
<pre>
none /sys/kernel/security securityfs defaults 0 0
</pre>
<p>Check status;</p>
<pre>
# apparmor_status
</pre>
<p>Utilities;</p>
<pre>
aa-audit aa-disable aa-genprof aa-status
aa-autodep aa-easyprof aa-logprof aa-unconfined
aa-cleanprof aa-enabled aa-mergeprof
aa-complain aa-enforce aa-notify
aa-decode aa-exec aa-remove-unknown
</pre>
<p>apparmor_parser options;</p>
<pre>
Usage: apparmor_parser [options] [profile]
Options:
--------
-a, --add Add apparmor definitions [default]
-r, --replace Replace apparmor definitions
-R, --remove Remove apparmor definitions
-C, --Complain Force the profile into complain mode
-B, --binary Input is precompiled profile
-N, --names Dump names of profiles in input.
-S, --stdout Dump compiled profile to stdout
-o n, --ofile n Write output to file n
-b n, --base n Set base dir and cwd
-I n, --Include n Add n to the search path
-f n, --subdomainfs n Set location of apparmor filesystem
-m n, --match-string n Use only features n
-M n, --features-file n Use only features in file n
-n n, --namespace n Set Namespace for the profile
-X, --readimpliesX Map profile read permissions to mr
-k, --show-cache Report cache hit/miss details
-K, --skip-cache Do not attempt to load or save cached profiles
-T, --skip-read-cache Do not attempt to load cached profiles
-W, --write-cache Save cached profile (force with -T)
--skip-bad-cache Don't clear cache if out of sync
--purge-cache Clear cache regardless of its state
--debug-cache Debug cache file checks
-L, --cache-loc n Set the location of the profile cache
-q, --quiet Don't emit warnings
-v, --verbose Show profile names as they load
-Q, --skip-kernel-load Do everything except loading into kernel
-V, --version Display version info and exit
-d [n], --debug Debug apparmor definitions OR [n]
-p, --preprocess Dump preprocessed profile
-D [n], --dump Dump internal info for debugging
-O [n], --Optimize Control dfa optimizations
-h [cmd], --help[=cmd] Display this text or info about cmd
-j n, --jobs n Set the number of compile threads
--max-jobs n Hard cap on --jobs. Default 8*cpus
--abort-on-error Abort processing of profiles on first error
--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
--warn n Enable warnings (see --help=warn)
</pre>
#
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation.
Copyright (C) 2018
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>
|