What is apparmor?












92















I hear a lot of talk about apparmor, I want to know the following:




  • What is apparmor?

  • How does apparmor work?










share|improve this question





























    92















    I hear a lot of talk about apparmor, I want to know the following:




    • What is apparmor?

    • How does apparmor work?










    share|improve this question



























      92












      92








      92


      29






      I hear a lot of talk about apparmor, I want to know the following:




      • What is apparmor?

      • How does apparmor work?










      share|improve this question
















      I hear a lot of talk about apparmor, I want to know the following:




      • What is apparmor?

      • How does apparmor work?







      security apparmor






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jul 30 '14 at 0:39









      Seth

      34.3k26110162




      34.3k26110162










      asked Jan 5 '13 at 2:09









      AlvarAlvar

      11.6k2678126




      11.6k2678126






















          3 Answers
          3






          active

          oldest

          votes


















          89





          +200









          What it is



          Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.



          In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.



          You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.



          I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.




          Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.




          How it works



          The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.



          These are the most common commands:



          Note: Profiles are stored in /etc/apparmor.d/




          • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.

          • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.

          • You use sudo aa-enforce /path/to/bin to enforce a programs profile.

          • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.


          To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.




          • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.

          • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

          • To reload all of Apparmor's profiles use: sudo service apparmor reload


          To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.



          Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!




          • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

          • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults

          • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults


          Profiles



          Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.



          There are two main types of entries used in profiles:




          1. Path Entries determine what files an application can access.


          2. Capability entries determine what privileges a process can use.



          Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.



          #include <tunables/global>
          /bin/ping flags=(complain) {
          #include <abstractions/base>
          #include <abstractions/consoles>
          #include <abstractions/nameservice>

          capability net_raw,
          capability setuid,
          network inet raw,

          /bin/ping mixr,
          /etc/modules.conf r,
          }


          #include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.



          /bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.



          capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.



          /bin/ping mixr allows the application read and execute access to the file.



          /etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf



          Note: After creating/editing a profile, you need to reload the profile for changes to take effect.



          Here is a list of permissions you can use:





          • r - read


          • w - write


          • ux - Unconstrained Execute


          • Ux - Unconstrained Execute -- scrub the environment


          • px - Discrete profile execute


          • Px - Discrete profile execute -- scrub the environment


          • ix - Inherit execute


          • m - allow PROT_EXEC with mmap(2) calls


          • l - link


          Sources





          • http://ubuntuforums.org/showthread.php?t=1606499

          • http://ubuntuforums.org/showthread.php?t=1008906

          • https://wiki.ubuntu.com/AppArmor

          • https://help.ubuntu.com/12.10/serverguide/apparmor.html






          share|improve this answer


























          • So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

            – Izkata
            Jan 5 '13 at 4:36











          • Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

            – Seth
            Jan 5 '13 at 4:53













          • Ah, so profiles are like usergroups for programs ;)

            – Izkata
            Jan 5 '13 at 5:00











          • Yes alot like that ;)

            – Seth
            Jan 5 '13 at 5:03











          • Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

            – Aquarius Power
            Oct 8 '14 at 17:56



















          6















          AppArmor is a Mandatory Access Control (MAC) system which is a kernel
          (LSM) enhancement to confine programs to a limited set of resources.
          AppArmor's security model is to bind access control attributes to
          programs rather than to users. AppArmor confinement is provided via
          profiles loaded into the kernel, typically on boot. AppArmor profiles
          can be in one of two modes: enforcement and complain. Profiles loaded
          in enforcement mode will result in enforcement of the policy defined
          in the profile as well as reporting policy violation attempts (either
          via syslog or auditd). Profiles in complain mode will not enforce
          policy but instead report policy violation attempts.



          AppArmor is different from some other MAC systems on Linux in that it
          is path-based, allows for mixing of enforcement and complain mode
          profiles, uses include files to ease development and has a far lower
          barrier to entry than other popular MAC systems.



          AppArmor is an established technology first seen in Immunix, and later
          integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
          functionality is in the mainline Linux kernel from 2.6.36 onwards;
          work is ongoing by AppArmor, Ubuntu and other developers to merge
          additional AppArmor functionality into the mainline kernel.




          I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org



          Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10



          Hope that will help you.






          share|improve this answer































            3














            Here is a quote from the Apparmor wiki:




            AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.







            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "89"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f236381%2fwhat-is-apparmor%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              89





              +200









              What it is



              Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.



              In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.



              You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.



              I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.




              Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.




              How it works



              The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.



              These are the most common commands:



              Note: Profiles are stored in /etc/apparmor.d/




              • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.

              • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.

              • You use sudo aa-enforce /path/to/bin to enforce a programs profile.

              • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.


              To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.




              • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.

              • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

              • To reload all of Apparmor's profiles use: sudo service apparmor reload


              To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.



              Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!




              • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

              • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults

              • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults


              Profiles



              Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.



              There are two main types of entries used in profiles:




              1. Path Entries determine what files an application can access.


              2. Capability entries determine what privileges a process can use.



              Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.



              #include <tunables/global>
              /bin/ping flags=(complain) {
              #include <abstractions/base>
              #include <abstractions/consoles>
              #include <abstractions/nameservice>

              capability net_raw,
              capability setuid,
              network inet raw,

              /bin/ping mixr,
              /etc/modules.conf r,
              }


              #include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.



              /bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.



              capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.



              /bin/ping mixr allows the application read and execute access to the file.



              /etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf



              Note: After creating/editing a profile, you need to reload the profile for changes to take effect.



              Here is a list of permissions you can use:





              • r - read


              • w - write


              • ux - Unconstrained Execute


              • Ux - Unconstrained Execute -- scrub the environment


              • px - Discrete profile execute


              • Px - Discrete profile execute -- scrub the environment


              • ix - Inherit execute


              • m - allow PROT_EXEC with mmap(2) calls


              • l - link


              Sources





              • http://ubuntuforums.org/showthread.php?t=1606499

              • http://ubuntuforums.org/showthread.php?t=1008906

              • https://wiki.ubuntu.com/AppArmor

              • https://help.ubuntu.com/12.10/serverguide/apparmor.html






              share|improve this answer


























              • So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

                – Izkata
                Jan 5 '13 at 4:36











              • Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

                – Seth
                Jan 5 '13 at 4:53













              • Ah, so profiles are like usergroups for programs ;)

                – Izkata
                Jan 5 '13 at 5:00











              • Yes alot like that ;)

                – Seth
                Jan 5 '13 at 5:03











              • Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

                – Aquarius Power
                Oct 8 '14 at 17:56
















              89





              +200









              What it is



              Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.



              In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.



              You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.



              I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.




              Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.




              How it works



              The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.



              These are the most common commands:



              Note: Profiles are stored in /etc/apparmor.d/




              • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.

              • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.

              • You use sudo aa-enforce /path/to/bin to enforce a programs profile.

              • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.


              To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.




              • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.

              • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

              • To reload all of Apparmor's profiles use: sudo service apparmor reload


              To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.



              Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!




              • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

              • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults

              • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults


              Profiles



              Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.



              There are two main types of entries used in profiles:




              1. Path Entries determine what files an application can access.


              2. Capability entries determine what privileges a process can use.



              Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.



              #include <tunables/global>
              /bin/ping flags=(complain) {
              #include <abstractions/base>
              #include <abstractions/consoles>
              #include <abstractions/nameservice>

              capability net_raw,
              capability setuid,
              network inet raw,

              /bin/ping mixr,
              /etc/modules.conf r,
              }


              #include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.



              /bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.



              capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.



              /bin/ping mixr allows the application read and execute access to the file.



              /etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf



              Note: After creating/editing a profile, you need to reload the profile for changes to take effect.



              Here is a list of permissions you can use:





              • r - read


              • w - write


              • ux - Unconstrained Execute


              • Ux - Unconstrained Execute -- scrub the environment


              • px - Discrete profile execute


              • Px - Discrete profile execute -- scrub the environment


              • ix - Inherit execute


              • m - allow PROT_EXEC with mmap(2) calls


              • l - link


              Sources





              • http://ubuntuforums.org/showthread.php?t=1606499

              • http://ubuntuforums.org/showthread.php?t=1008906

              • https://wiki.ubuntu.com/AppArmor

              • https://help.ubuntu.com/12.10/serverguide/apparmor.html






              share|improve this answer


























              • So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

                – Izkata
                Jan 5 '13 at 4:36











              • Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

                – Seth
                Jan 5 '13 at 4:53













              • Ah, so profiles are like usergroups for programs ;)

                – Izkata
                Jan 5 '13 at 5:00











              • Yes alot like that ;)

                – Seth
                Jan 5 '13 at 5:03











              • Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

                – Aquarius Power
                Oct 8 '14 at 17:56














              89





              +200







              89





              +200



              89




              +200





              What it is



              Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.



              In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.



              You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.



              I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.




              Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.




              How it works



              The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.



              These are the most common commands:



              Note: Profiles are stored in /etc/apparmor.d/




              • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.

              • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.

              • You use sudo aa-enforce /path/to/bin to enforce a programs profile.

              • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.


              To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.




              • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.

              • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

              • To reload all of Apparmor's profiles use: sudo service apparmor reload


              To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.



              Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!




              • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

              • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults

              • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults


              Profiles



              Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.



              There are two main types of entries used in profiles:




              1. Path Entries determine what files an application can access.


              2. Capability entries determine what privileges a process can use.



              Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.



              #include <tunables/global>
              /bin/ping flags=(complain) {
              #include <abstractions/base>
              #include <abstractions/consoles>
              #include <abstractions/nameservice>

              capability net_raw,
              capability setuid,
              network inet raw,

              /bin/ping mixr,
              /etc/modules.conf r,
              }


              #include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.



              /bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.



              capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.



              /bin/ping mixr allows the application read and execute access to the file.



              /etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf



              Note: After creating/editing a profile, you need to reload the profile for changes to take effect.



              Here is a list of permissions you can use:





              • r - read


              • w - write


              • ux - Unconstrained Execute


              • Ux - Unconstrained Execute -- scrub the environment


              • px - Discrete profile execute


              • Px - Discrete profile execute -- scrub the environment


              • ix - Inherit execute


              • m - allow PROT_EXEC with mmap(2) calls


              • l - link


              Sources





              • http://ubuntuforums.org/showthread.php?t=1606499

              • http://ubuntuforums.org/showthread.php?t=1008906

              • https://wiki.ubuntu.com/AppArmor

              • https://help.ubuntu.com/12.10/serverguide/apparmor.html






              share|improve this answer















              What it is



              Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.



              In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.



              You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.



              I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.




              Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.




              How it works



              The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.



              These are the most common commands:



              Note: Profiles are stored in /etc/apparmor.d/




              • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.

              • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.

              • You use sudo aa-enforce /path/to/bin to enforce a programs profile.

              • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.


              To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.




              • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.

              • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

              • To reload all of Apparmor's profiles use: sudo service apparmor reload


              To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.



              Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!




              • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

              • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults

              • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults


              Profiles



              Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.



              There are two main types of entries used in profiles:




              1. Path Entries determine what files an application can access.


              2. Capability entries determine what privileges a process can use.



              Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.



              #include <tunables/global>
              /bin/ping flags=(complain) {
              #include <abstractions/base>
              #include <abstractions/consoles>
              #include <abstractions/nameservice>

              capability net_raw,
              capability setuid,
              network inet raw,

              /bin/ping mixr,
              /etc/modules.conf r,
              }


              #include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.



              /bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.



              capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.



              /bin/ping mixr allows the application read and execute access to the file.



              /etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf



              Note: After creating/editing a profile, you need to reload the profile for changes to take effect.



              Here is a list of permissions you can use:





              • r - read


              • w - write


              • ux - Unconstrained Execute


              • Ux - Unconstrained Execute -- scrub the environment


              • px - Discrete profile execute


              • Px - Discrete profile execute -- scrub the environment


              • ix - Inherit execute


              • m - allow PROT_EXEC with mmap(2) calls


              • l - link


              Sources





              • http://ubuntuforums.org/showthread.php?t=1606499

              • http://ubuntuforums.org/showthread.php?t=1008906

              • https://wiki.ubuntu.com/AppArmor

              • https://help.ubuntu.com/12.10/serverguide/apparmor.html







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jan 13 at 6:20









              Pablo Bianchi

              2,4651531




              2,4651531










              answered Jan 5 '13 at 3:17









              SethSeth

              34.3k26110162




              34.3k26110162













              • So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

                – Izkata
                Jan 5 '13 at 4:36











              • Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

                – Seth
                Jan 5 '13 at 4:53













              • Ah, so profiles are like usergroups for programs ;)

                – Izkata
                Jan 5 '13 at 5:00











              • Yes alot like that ;)

                – Seth
                Jan 5 '13 at 5:03











              • Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

                – Aquarius Power
                Oct 8 '14 at 17:56



















              • So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

                – Izkata
                Jan 5 '13 at 4:36











              • Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

                – Seth
                Jan 5 '13 at 4:53













              • Ah, so profiles are like usergroups for programs ;)

                – Izkata
                Jan 5 '13 at 5:00











              • Yes alot like that ;)

                – Seth
                Jan 5 '13 at 5:03











              • Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

                – Aquarius Power
                Oct 8 '14 at 17:56

















              So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

              – Izkata
              Jan 5 '13 at 4:36





              So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?

              – Izkata
              Jan 5 '13 at 4:36













              Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

              – Seth
              Jan 5 '13 at 4:53







              Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.

              – Seth
              Jan 5 '13 at 4:53















              Ah, so profiles are like usergroups for programs ;)

              – Izkata
              Jan 5 '13 at 5:00





              Ah, so profiles are like usergroups for programs ;)

              – Izkata
              Jan 5 '13 at 5:00













              Yes alot like that ;)

              – Seth
              Jan 5 '13 at 5:03





              Yes alot like that ;)

              – Seth
              Jan 5 '13 at 5:03













              Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

              – Aquarius Power
              Oct 8 '14 at 17:56





              Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.

              – Aquarius Power
              Oct 8 '14 at 17:56













              6















              AppArmor is a Mandatory Access Control (MAC) system which is a kernel
              (LSM) enhancement to confine programs to a limited set of resources.
              AppArmor's security model is to bind access control attributes to
              programs rather than to users. AppArmor confinement is provided via
              profiles loaded into the kernel, typically on boot. AppArmor profiles
              can be in one of two modes: enforcement and complain. Profiles loaded
              in enforcement mode will result in enforcement of the policy defined
              in the profile as well as reporting policy violation attempts (either
              via syslog or auditd). Profiles in complain mode will not enforce
              policy but instead report policy violation attempts.



              AppArmor is different from some other MAC systems on Linux in that it
              is path-based, allows for mixing of enforcement and complain mode
              profiles, uses include files to ease development and has a far lower
              barrier to entry than other popular MAC systems.



              AppArmor is an established technology first seen in Immunix, and later
              integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
              functionality is in the mainline Linux kernel from 2.6.36 onwards;
              work is ongoing by AppArmor, Ubuntu and other developers to merge
              additional AppArmor functionality into the mainline kernel.




              I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org



              Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10



              Hope that will help you.






              share|improve this answer




























                6















                AppArmor is a Mandatory Access Control (MAC) system which is a kernel
                (LSM) enhancement to confine programs to a limited set of resources.
                AppArmor's security model is to bind access control attributes to
                programs rather than to users. AppArmor confinement is provided via
                profiles loaded into the kernel, typically on boot. AppArmor profiles
                can be in one of two modes: enforcement and complain. Profiles loaded
                in enforcement mode will result in enforcement of the policy defined
                in the profile as well as reporting policy violation attempts (either
                via syslog or auditd). Profiles in complain mode will not enforce
                policy but instead report policy violation attempts.



                AppArmor is different from some other MAC systems on Linux in that it
                is path-based, allows for mixing of enforcement and complain mode
                profiles, uses include files to ease development and has a far lower
                barrier to entry than other popular MAC systems.



                AppArmor is an established technology first seen in Immunix, and later
                integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
                functionality is in the mainline Linux kernel from 2.6.36 onwards;
                work is ongoing by AppArmor, Ubuntu and other developers to merge
                additional AppArmor functionality into the mainline kernel.




                I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org



                Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10



                Hope that will help you.






                share|improve this answer


























                  6












                  6








                  6








                  AppArmor is a Mandatory Access Control (MAC) system which is a kernel
                  (LSM) enhancement to confine programs to a limited set of resources.
                  AppArmor's security model is to bind access control attributes to
                  programs rather than to users. AppArmor confinement is provided via
                  profiles loaded into the kernel, typically on boot. AppArmor profiles
                  can be in one of two modes: enforcement and complain. Profiles loaded
                  in enforcement mode will result in enforcement of the policy defined
                  in the profile as well as reporting policy violation attempts (either
                  via syslog or auditd). Profiles in complain mode will not enforce
                  policy but instead report policy violation attempts.



                  AppArmor is different from some other MAC systems on Linux in that it
                  is path-based, allows for mixing of enforcement and complain mode
                  profiles, uses include files to ease development and has a far lower
                  barrier to entry than other popular MAC systems.



                  AppArmor is an established technology first seen in Immunix, and later
                  integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
                  functionality is in the mainline Linux kernel from 2.6.36 onwards;
                  work is ongoing by AppArmor, Ubuntu and other developers to merge
                  additional AppArmor functionality into the mainline kernel.




                  I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org



                  Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10



                  Hope that will help you.






                  share|improve this answer














                  AppArmor is a Mandatory Access Control (MAC) system which is a kernel
                  (LSM) enhancement to confine programs to a limited set of resources.
                  AppArmor's security model is to bind access control attributes to
                  programs rather than to users. AppArmor confinement is provided via
                  profiles loaded into the kernel, typically on boot. AppArmor profiles
                  can be in one of two modes: enforcement and complain. Profiles loaded
                  in enforcement mode will result in enforcement of the policy defined
                  in the profile as well as reporting policy violation attempts (either
                  via syslog or auditd). Profiles in complain mode will not enforce
                  policy but instead report policy violation attempts.



                  AppArmor is different from some other MAC systems on Linux in that it
                  is path-based, allows for mixing of enforcement and complain mode
                  profiles, uses include files to ease development and has a far lower
                  barrier to entry than other popular MAC systems.



                  AppArmor is an established technology first seen in Immunix, and later
                  integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
                  functionality is in the mainline Linux kernel from 2.6.36 onwards;
                  work is ongoing by AppArmor, Ubuntu and other developers to merge
                  additional AppArmor functionality into the mainline kernel.




                  I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org



                  Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10



                  Hope that will help you.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 5 '13 at 3:13









                  rɑːdʒɑrɑːdʒɑ

                  57.4k85217301




                  57.4k85217301























                      3














                      Here is a quote from the Apparmor wiki:




                      AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.







                      share|improve this answer






























                        3














                        Here is a quote from the Apparmor wiki:




                        AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.







                        share|improve this answer




























                          3












                          3








                          3







                          Here is a quote from the Apparmor wiki:




                          AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.







                          share|improve this answer















                          Here is a quote from the Apparmor wiki:




                          AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.








                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Jan 10 '13 at 1:26









                          Eric Carvalho

                          41.5k17114146




                          41.5k17114146










                          answered Jan 9 '13 at 7:09









                          Adeline DaleAdeline Dale

                          392




                          392






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Ask Ubuntu!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f236381%2fwhat-is-apparmor%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              How to make a Squid Proxy server?

                              Is this a new Fibonacci Identity?

                              19世紀