AppArmor
AppArmor is a Mandatory Access Control (MAC) system, implemented upon the Linux Security Modules (LSM).
Userspace Installation
A recent Arch Linux kernel package should suffice to get AppArmor working. See #Kernel Configuration.
Additionally, the userspace tools and libs are required. You can get those by installing apparmor from the AUR.
The package is a split package which consists of the following sub-packages:
- apparmor (meta package)
- apparmor-libapparmor
- apparmor-utils
- apparmor-parser
- apparmor-profiles
- apparmor-pam
- apparmor-vim
The packages should be sane for the most part, yet there are some things still on the TODO list:
- more dependency cleanups
- changehat modules Apache and Tomcat
- AUR packages for applications that ship an AppArmor profile (e.g. libvirt, just needs to be built with --enable-apparmor)
Kernel Configuration
Here is the required configuration from the Arch Linux kernel, in case you are compiling your own kernels.
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
However, integration of AppArmor into the kernel is not quite complete. It is missing network mediation. See here for details. There are compatibility patches provided with the AppArmor tarball that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. A suitably patched kernel is provided by the AUR package linux-apparmor. Historic note: as of Linux 3.12, the profile introspection patch is not needed anymore.
Bootloader Configuration
Enable
To test profiles or enforce the use of AppArmor, it must be enabled at boot time. To do this, add apparmor=1 security=apparmor to the kernel boot parameters.
After reboot you can test if AppArmor is really enabled using this command as root:
# cat /sys/module/apparmor/parameters/enabled
Y
(Y=enabled, N=disabled, no such file = module not in kernel)
Disable
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default. In that case, add apparmor=0 security="" to the kernel boot parameters.
System Configuration
Mounts (/etc/fstab securityfs)
http://wiki.apparmor.net/index.php/Kernel_interfaces
none /sys/kernel/security securityfs defaults 0 0
Systemd support
The AUR package apparmor includes a systemd service file that loads all AppArmor profiles in /etc/apparmor.d/. To enable it to run on boot, use:
# systemctl enable apparmor
Security considerations
Preventing circumvention of path-based MAC via links
AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel now includes the ability to prevent this vulnerability, without needing the patches distributions like Ubuntu have applied to their kernels as workarounds.
See Security#Preventing link TOCTOU vulnerabilities for details.
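The checks from the Enable, Mounts and Security considerations sections above, collected into one script. This is an added example, not part of the original page or of the AppArmor project. The function names and the AA_ROOT variable are hypothetical, and the script assumes the /sys/kernel/security/apparmor directory and the kernel sysctls fs.protected_hardlinks and fs.protected_symlinks, none of which the page names.

```shell
#!/bin/sh
# Added example: audit the AppArmor setup steps described on this page.
# Every check takes an optional root prefix so it can be pointed at a
# constructed directory tree; an empty prefix inspects the live system.

# "Enable": Y = enabled, N = disabled, no file = module not in kernel.
apparmor_state() {
    f="${1:-}/sys/module/apparmor/parameters/enabled"
    [ -r "$f" ] || { echo missing; return 0; }
    case "$(cat "$f")" in Y) echo enabled ;; *) echo disabled ;; esac
}

# "Enable": both boot parameters must be on the kernel command line.
cmdline_enables_apparmor() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# "Mounts": with securityfs mounted, AppArmor exposes this directory
# (assumed path, not given on the page).
securityfs_ready() { [ -d "${1:-}/sys/kernel/security/apparmor" ]; }

# "Security considerations": kernel link restrictions. Assumed sysctls:
# fs.protected_hardlinks and fs.protected_symlinks (not named on the page).
links_protected() {
    for n in protected_hardlinks protected_symlinks; do
        [ "$(cat "${1:-}/proc/sys/fs/$n" 2>/dev/null)" = 1 ] || return 1
    done
}

# Runs every check, prints one line each, returns non-zero on any failure.
audit() {
    root="${1:-}"; rc=0
    state=$(apparmor_state "$root")
    echo "module:     $state"; [ "$state" = enabled ] || rc=1
    if cmdline_enables_apparmor "$(cat "$root/proc/cmdline" 2>/dev/null)"
    then echo "cmdline:    ok"
    else echo "cmdline:    apparmor=1 security=apparmor not set"; rc=1; fi
    if securityfs_ready "$root"; then echo "securityfs: ok"
    else echo "securityfs: AppArmor interface not found"; rc=1; fi
    if links_protected "$root"; then echo "links:      ok"
    else echo "links:      hardlink/symlink protection off"; rc=1; fi
    return "$rc"
}

# AA_ROOT is a hypothetical override; unset means the running system.
audit "${AA_ROOT:-}" || echo "AppArmor setup incomplete" >&2
```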
More Info
AppArmor, like most other LSMs, supplements rather than replaces the default Discretionary access control. As such it's impossible to grant a process more privileges than it had in the first place.
Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly. People tend to agree that it is also much harder to configure correctly.
Taking a common example, a new Flash vulnerability: if you were to browse to a malicious website, AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process, which makes isolating them much easier.
AppArmor profiles (usually) get stored in easy to read text files in /etc/apparmor.d.
Every breach of policy triggers a message in the system log, and many distributions also integrate it into DBUS so that you get real-time violation warnings popping up on your desktop.
Links
- Official pages
- http://www.kernel.org/pub/linux/security/apparmor/AppArmor-2.6/
- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
- http://ubuntuforums.org/showthread.php?t=1008906 (Tutorial)
- https://help.ubuntu.com/community/AppArmor
- FS#21406
- http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt
- http://wiki.apparmor.net/index.php/Kernel_interfaces
- http://wiki.apparmor.net/index.php/AppArmor_versions
- http://manpages.ubuntu.com/manpages/oneiric/man5/apparmor.d.5.html
- http://manpages.ubuntu.com/manpages/oneiric/man8/apparmor_parser.8.html
- http://wiki.apparmor.net/index.php/Distro_CentOS
- http://bodhizazen.net/aa-profiles/
- https://wiki.ubuntu.com/ApparmorProfileMigration
- wikipedia:Linux_Security_Modules
- http://wiki.apparmor.net/index.php/Gittutorial