AppArmor
AppArmor is a Mandatory Access Control (MAC) system, implemented upon the Linux Security Modules (LSM).
Installation
Kernel
When compiling the kernel, it needs the following options:
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
Instead of setting CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and CONFIG_DEFAULT_SECURITY_APPARMOR, you can also set the kernel boot parameters apparmor=1 security=apparmor.
There is also a stock kernel with AppArmor in the AUR: linux-apparmorAUR. However, as of May 2015, that kernel is outdated.
Userspace Tools
The userspace tools and libraries to control AppArmor are supplied by the apparmorAUR package from the AUR.
The package is a split package which consists of the following sub-packages:
- apparmor (meta package)
- apparmor-libapparmor
- apparmor-utils
- apparmor-parser
- apparmor-profiles
- apparmor-pam
- apparmor-vim
To load all AppArmor profiles on startup, the apparmorAUR package includes a systemd unit:
# systemctl enable apparmor
Testing
After a reboot you can test whether AppArmor is really enabled by running this command as root:
# cat /sys/module/apparmor/parameters/enabled
Y
(Y=enabled, N=disabled, no such file = module not in kernel)
Disabling
To disable AppArmor temporarily, you can add apparmor=0 security="" to the kernel boot parameters.
Alternatively, run
# systemctl stop apparmor.service
to disable it for the current session.
Creating new profiles
To create new profiles using aa-genprof, auditd.service from the package audit must be running.
Be sure to stop the service afterwards (and maybe clear /var/log/audit/audit.log) because it causes overhead.
Security considerations
Preventing circumvention of path-based MAC via links
AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel now includes the ability to prevent this vulnerability, without needing the patches distributions like Ubuntu have applied to their kernels as workarounds.
See Security#Preventing link TOCTOU vulnerabilities for details.
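The checks described in Testing and Disabling above, together with the kernel link-hardening this section refers to, can be gathered into one script. This is an added example, not from this page or the AppArmor project; it assumes that the kernel feature meant by the linked Security section is the fs.protected_hardlinks sysctl (exposed as /proc/sys/fs/protected_hardlinks on Linux 3.6 and later). Every function takes the file to read as an optional argument so it can be run against copies of the live files.

```shell
#!/bin/sh
# Added example (not from the wiki page or the AppArmor project): report the
# AppArmor state described in the Testing and Disabling sections, plus the
# kernel hardlink protection assumed to be the fix for the path-based MAC
# bypass via links. Each function reads the given file, defaulting to the
# live kernel interface.

# Interpret /sys/module/apparmor/parameters/enabled:
# Y = enabled, N = disabled, missing file = module not built into the kernel.
apparmor_state() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ ! -e "$f" ]; then
        echo "not-in-kernel"
    elif [ "$(cat "$f")" = "Y" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Return 0 if the kernel command line asks for AppArmor. apparmor=0, or a
# security= value other than apparmor (including the empty security="" from
# the Disabling section), means it was switched off at boot.
cmdline_requests_apparmor() {
    f="${1:-/proc/cmdline}"
    cmdline="$(cat "$f" 2>/dev/null || true)"
    case " $cmdline " in
        *" apparmor=0 "*) return 1 ;;
    esac
    case " $cmdline " in
        *" security=apparmor "*) return 0 ;;
        *" security="*) return 1 ;;
    esac
    # No security= parameter: the compiled-in default decides, so only an
    # explicit apparmor=1 counts as a request here.
    case " $cmdline " in
        *" apparmor=1 "*) return 0 ;;
    esac
    return 1
}

# fs.protected_hardlinks: 1 means unprivileged users may only hardlink files
# they own or can already write, which removes the link-based bypass.
protected_hardlinks_state() {
    f="${1:-/proc/sys/fs/protected_hardlinks}"
    if [ ! -e "$f" ]; then
        echo "unsupported"
    elif [ "$(cat "$f")" = "1" ]; then
        echo "protected"
    else
        echo "unprotected"
    fi
}

# Stand-alone run: summarize the live system.
main() {
    echo "AppArmor module:        $(apparmor_state)"
    if cmdline_requests_apparmor; then
        echo "Kernel command line:    requests AppArmor"
    else
        echo "Kernel command line:    does not request AppArmor"
    fi
    echo "fs.protected_hardlinks: $(protected_hardlinks_state)"
}

main
```

A result of "enabled" together with "unprotected" is the combination this section warns about: the MAC is active, but a hardlink to a file outside the profile's allowed paths is still possible.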
Tips and tricks
Get desktop notification on DENIED actions
To get a notification on your desktop whenever AppArmor writes a "DENIED" log entry, start the notify daemon with:
# aa-notify -p --display $DISPLAY
This daemon must be started at each boot.
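aa-notify watches the audit log for the same "DENIED" entries that More Info below describes as the system-log record of every policy breach. For reviewing them without a desktop, here is an added example (not from this page or the AppArmor project) that summarizes denial events from audit log lines. The log lines are constructed in the real AppArmor audit format (apparmor="DENIED" ... profile="..." name="..." denied_mask="..."), with made-up program names, paths and timestamps.

```shell
#!/bin/sh
# Added example (not from the wiki page or the AppArmor project): summarize
# AppArmor denials from audit log lines. Only apparmor="DENIED" records count;
# STATUS records (profile loads) and ALLOWED records (complain-mode audits)
# are deliberately skipped.

# Constructed sample of /var/log/audit/audit.log lines (values are made up).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1431700000.101:201): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=800 comm="apparmor_parser"
type=AVC msg=audit(1431700010.202:202): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=1234 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1431700011.303:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/etc/hosts" pid=1300 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1431700012.404:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=700 comm="ntpd" capability=12 capname="net_admin"
type=AVC msg=audit(1431700013.505:205): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/home/user/Downloads/helper.sh" pid=1235 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
EOF
}

# Number of DENIED records on stdin (|| true keeps a zero count from failing).
count_denials() {
    grep -c 'apparmor="DENIED"' || true
}

# One "profile operation name denied_mask" line per DENIED record; fields that
# a record lacks (e.g. no name= on capability denials) are printed as "-".
denied_summary() {
    awk '
        # Extract the quoted value of key="..."; the leading space keeps
        # "name" from matching inside "capname".
        function field(key,   s, i) {
            i = index($0, " " key "=\"")
            if (i == 0) return "-"
            s = substr($0, i + length(key) + 3)
            return substr(s, 1, index(s, "\"") - 1)
        }
        /apparmor="DENIED"/ {
            printf "%s %s %s %s\n", field("profile"), field("operation"), field("name"), field("denied_mask")
        }'
}

# Denial count per profile, most denied first: "count profile".
denials_per_profile() {
    denied_summary | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
echo "Denials: $(sample_log | count_denials)"
sample_log | denied_summary
echo "Per profile:"
sample_log | denials_per_profile
```

Run it against the real log with `denied_summary < /var/log/audit/audit.log` (as root). A profile in complain mode logs ALLOWED rather than DENIED for the same events, which is why the summary ignores those records: they show what the profile would block, not what it blocked.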
More Info
AppArmor, like most other LSMs, supplements rather than replaces the default Discretionary Access Control. As such, it is impossible to grant a process more privileges than it had in the first place.
Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly. People tend to agree that it is also much harder to configure correctly.
Take a common example, a new Flash vulnerability: if you browse to a malicious website, AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process, which makes isolating them much easier.
AppArmor profiles are usually stored as easy-to-read text files in /etc/apparmor.d.
Every breach of policy triggers a message in the system log, and many distributions also integrate it into DBUS so that you get real-time violation warnings popping up on your desktop.
Links
- Official pages
- http://www.kernel.org/pub/linux/security/apparmor/AppArmor-2.6/
- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
- http://ubuntuforums.org/showthread.php?t=1008906 (Tutorial)
- https://help.ubuntu.com/community/AppArmor
- FS#21406
- http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt
- http://wiki.apparmor.net/index.php/Kernel_interfaces
- http://wiki.apparmor.net/index.php/AppArmor_versions
- http://manpages.ubuntu.com/manpages/oneiric/man5/apparmor.d.5.html
- http://manpages.ubuntu.com/manpages/oneiric/man8/apparmor_parser.8.html
- http://wiki.apparmor.net/index.php/Distro_CentOS
- http://bodhizazen.net/aa-profiles/
- https://wiki.ubuntu.com/ApparmorProfileMigration
- wikipedia:Linux Security Modules
- http://wiki.apparmor.net/index.php/Gittutorial