What is apparmor?
I hear a lot of talk about apparmor, I want to know the following:
- What is apparmor?
- How does apparmor work?
security apparmor
edited Jul 30 '14 at 0:39 by Seth♦
asked Jan 5 '13 at 2:09 by Alvar
3 Answers
What it is

AppArmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. AppArmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules; they just log violation attempts.

In Ubuntu AppArmor is installed by default. It confines applications to profiles to determine what files and permissions a program needs access to. Some applications will come with their own profiles, and more can be found in the apparmor-profiles package. You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.

I found a good example of AppArmor on the Ubuntu forums that I rewrote for this post:

AppArmor is a security framework that prevents applications from turning evil. For example: if I run Firefox and visit a bad site that tries to install malware that will delete my home folder, AppArmor has limits on Firefox preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works

The apparmor-utils package contains command line tools for configuring AppArmor. Using it you can change AppArmor's execution mode, find the status of a profile, create new profiles, etc.

These are the most common commands:

Note: Profiles are stored in /etc/apparmor.d/

- You can check AppArmor's status with sudo apparmor_status. You will get a list of all profiles loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.
- To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the program's bin folder. For example, running sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.
- You use sudo aa-enforce /path/to/bin to enforce a program's profile.
- You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce /etc/apparmor.d/* respectively.

To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.

- To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into AppArmor's parser.
- To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of AppArmor's profiles use: sudo service apparmor reload

To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ and then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name

Note: Do not confuse apparmor_parser -r with apparmor_parser -R. THEY ARE NOT THE SAME THING!

- To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ and then load it using the -a parameter:
  sudo rm /etc/apparmor.d/disable/profile.name
  cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable AppArmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor remove
- Start AppArmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults
Profiles

Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.

There are two main types of entries used in profiles:

Path entries determine what files an application can access.
Capability entries determine what privileges a process can use.

Let's look at the profile for ping, located in /etc/apparmor.d/bin.ping, as an example.

    #include <tunables/global>
    /bin/ping flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/consoles>
      #include <abstractions/nameservice>
      capability net_raw,
      capability setuid,
      network inet raw,
      /bin/ping mixr,
      /etc/modules.conf r,
    }

#include <tunables/global> includes the file global in the directory tunables; this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain) sets the path to the profiled program and sets the mode to complain.
capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.
/bin/ping mixr allows the application read and execute access to the file.
/etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf

Note: After creating/editing a profile, you need to reload the profile for changes to take effect.

Here is a list of permissions you can use:

- r - read
- w - write
- ux - Unconstrained Execute
- Ux - Unconstrained Execute -- scrub the environment
- px - Discrete profile execute
- Px - Discrete profile execute -- scrub the environment
- ix - Inherit execute
- m - allow PROT_EXEC with mmap(2) calls
- l - link
Sources

- http://ubuntuforums.org/showthread.php?t=1606499
- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?
– Izkata
Jan 5 '13 at 4:36
Yes and no. You set up a profile that defines what certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So it's like a user because they can only access what the admin (you) says they can in the profile.
– Seth♦
Jan 5 '13 at 4:53
Ah, so profiles are like usergroups for programs ;)
– Izkata
Jan 5 '13 at 5:00
Yes, a lot like that ;)
– Seth♦
Jan 5 '13 at 5:03
Do you think AppArmor could be used to block every internet connection and say who is trying to access it, and based on that log we create permissions for each application? The idea is to make it work like ZoneAlarm on window$, and like the old "firewalls per application" on Linux like LeopardFlower and ProgramGuard (these seem not to be compilable anymore I think), and there is also a new one called Douane, which uses a kernel module to make things work.
– Aquarius Power
Oct 8 '14 at 17:56
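The answer above describes the complain-mode workflow (load a profile, let it log what the program tries to do, then write path and capability rules and switch to enforce) and the profile file conventions (the /bin/ping naming rule, flags=(complain), capability and path entries with permission letters). The following is an added example, not code from the answer or from AppArmor's own tools: a small Python script that does in miniature what aa-logprof does, turning logged violations into a draft profile. The log lines in SAMPLE_LOG are constructed for this example (the paths, PIDs and the /usr/bin/firefox and /bin/ping profiles are illustrative); the field names follow the kernel's AppArmor audit record format. The 'c'/'d' to 'w' mapping and the self-exec mixr rule are choices made here, and set_mode assumes complain is the only flag in the header.

```python
"""
Turn AppArmor violation log lines into candidate profile rules.

Added example, not part of the answer above and not AppArmor's own tooling.
Reads what a profile logged, groups it per program, and renders a draft
profile in complain mode, plus the on-disk flag toggle that aa-complain /
aa-enforce perform.
"""
import re
from collections import defaultdict

# Constructed sample log. "ALLOWED" is what complain mode reports for an
# access that enforce mode would have denied; "DENIED" is a real refusal;
# "STATUS" is a profile load/replace notice and not a violation.
SAMPLE_LOG = """\
type=AVC msg=audit(1357345678.123:456): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/alvar/Music/song.mp3" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1357345678.124:457): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/alvar/Music/song.mp3" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1357345678.200:458): apparmor="ALLOWED" operation="mkdir" profile="/usr/bin/firefox" name="/home/alvar/.cache/mozilla/" pid=1234 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1357345679.000:459): apparmor="DENIED" operation="capable" profile="/bin/ping" pid=2222 comm="ping" capability=13 capname="net_raw"
type=AVC msg=audit(1357345679.100:460): apparmor="STATUS" operation="profile_replace" name="/bin/ping" pid=2300 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
# Profile header line: /path/to/bin [flags=(...)] {
HEADER_RE = re.compile(r'^(?P<path>/\S+)(\s+flags=\([^)]*\))?\s*\{', re.M)


def parse_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for qkey, qval, bkey, bval in FIELD_RE.findall(line):
        fields[qkey or bkey] = qval if qkey else bval
    return fields


def collect_violations(log_text):
    """Group violations by profile.

    Returns (paths, caps): paths[profile][file] is the set of permission
    letters needed, caps[profile] is the set of capability names needed.
    """
    paths = defaultdict(lambda: defaultdict(set))
    caps = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        profile = f["profile"]
        if f.get("operation") == "capable":
            caps[profile].add(f["capname"])
        elif "name" in f:
            # denied_mask holds the bits policy did not grant. The kernel
            # reports create ('c') and delete ('d') separately; profile
            # syntax covers both with 'w' (mapping chosen for this example).
            mask = f.get("denied_mask") or f.get("requested_mask", "")
            for ch in mask:
                paths[profile][f["name"]].add("w" if ch in "cd" else ch)
    return paths, caps


def profile_filename(binary_path):
    """File name under /etc/apparmor.d/: full path with '/' replaced by '.'."""
    return binary_path.lstrip("/").replace("/", ".")


def render_profile(binary_path, path_rules, cap_rules, complain=True):
    """Render a minimal profile, in complain mode by default so the suggested
    rules can be reviewed before anything is enforced."""
    flags = " flags=(complain)" if complain else ""
    lines = [
        "#include <tunables/global>",
        "",
        f"{binary_path}{flags} {{",
        "  #include <abstractions/base>",
        "",
    ]
    for cap in sorted(cap_rules):
        lines.append(f"  capability {cap},")
    # The program needs to map and execute its own binary ('mixr', as in bin.ping).
    lines.append(f"  {binary_path} mixr,")
    for path, perms in sorted(path_rules.items()):
        lines.append(f"  {path} {''.join(sorted(perms))},")
    lines.append("}")
    return "\n".join(lines) + "\n"


def set_mode(profile_text, complain):
    """Toggle flags=(complain) on the profile header: the on-disk edit that
    aa-complain / aa-enforce make before reloading with apparmor_parser -r.
    Assumes 'complain' is the only flag in use."""
    def repl(m):
        return f"{m.group('path')}{' flags=(complain)' if complain else ''} {{"
    return HEADER_RE.sub(repl, profile_text, count=1)


if __name__ == "__main__":
    paths, caps = collect_violations(SAMPLE_LOG)
    for prog in sorted(set(paths) | set(caps)):
        print(f"# /etc/apparmor.d/{profile_filename(prog)}")
        print(render_profile(prog, paths[prog], caps[prog]))
```

To use it against a real system: put a profile in complain mode with aa-complain, exercise the program, then feed the AppArmor lines from /var/log/audit/audit.log (or /var/log/syslog / journalctl when auditd is not running) into collect_violations, review the draft, write it to /etc/apparmor.d/ under the name profile_filename gives, and load it with apparmor_parser -a before switching to enforce.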
AppArmor is a Mandatory Access Control (MAC) system which is a kernel
(LSM) enhancement to confine programs to a limited set of resources.
AppArmor's security model is to bind access control attributes to
programs rather than to users. AppArmor confinement is provided via
profiles loaded into the kernel, typically on boot. AppArmor profiles
can be in one of two modes: enforcement and complain. Profiles loaded
in enforcement mode will result in enforcement of the policy defined
in the profile as well as reporting policy violation attempts (either
via syslog or auditd). Profiles in complain mode will not enforce
policy but instead report policy violation attempts.
AppArmor is different from some other MAC systems on Linux in that it
is path-based, allows for mixing of enforcement and complain mode
profiles, uses include files to ease development and has a far lower
barrier to entry than other popular MAC systems.
AppArmor is an established technology first seen in Immunix, and later
integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor
functionality is in the mainline Linux kernel from 2.6.36 onwards;
work is ongoing by AppArmor, Ubuntu and other developers to merge
additional AppArmor functionality into the mainline kernel.
I have a few more helpful links for you: Wiki.Ubuntu.com, Ubuntuforums.org, and the AppArmor guides for Ubuntu 12.04 & Ubuntu 12.10.
Hope that will help you.
Here is a quote from the Apparmor wiki:
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f236381%2fwhat-is-apparmor%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
What it is
Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog
or auditd
. Profiles in complain mode don't enforce any profile rules, just log violation attempts.
In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles
package.
You can install apparmor-profiles
by running sudo apt-get install apparmor-profiles
.
I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my
home
folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works
The apparmor-utils
package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.
These are the most common commands:
Note: Profiles are stored in /etc/apparmor.d/
- You can check Apparmor's status with
sudo apparmor_status
. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc. - To put a profile in complain mode you use
sudo aa-complain /path/to/bin
, where/path/to/bin
is the programsbin
folder. For example, running:sudo aa-complain /usr/bin/firefox
will put Firefox in complain mode. - You use
sudo aa-enforce /path/to/bin
to enforce a programs profile. - You can load all profiles into complain/enforce modes with
sudo aa-complain /etc/apparmor.d/*
andsudo aa-enforce.d/*
respectively.
To load a profile into the kernel you would use apparmor_parser
. You can reload profiles using the -r
parameter.
- To load a profile use:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
, which effectively prints the contents ofprofile.name
into Apparmor's parser. - To reload a profile you use the
-r
parameter, like so:cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of Apparmor's profiles use:
sudo service apparmor reload
To disable a profile you link it to /etc/apparmor.d/disable/
using ln
like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name
.
Note: Do not confuse apparmor_parser -r
with apparmor_parser -R
THEY ARE NOT THE SAME THING!
- To re-enable a profile, remove the symbolic link to it in
/etc/apparmor.d/disable/
then load it using the-a
parameter.sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable Apparmor with
sudo service apparmor stop
and remove the kernel module usingsudo update-rc.d -f apparmor defaults
- Start Apparmor with
sudo service apparmor start
and load kernel modules withsudo update-rc.d apparmor defaults
Profiles
Profiles are stored in /etc/apparmor.d/
and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping
is the profile for ping
in /bin
.
There are two main types of entries used in profiles:
Path Entries determine what files an application can access.
Capability entries determine what privileges a process can use.
Lets look at the profile for ping
, located in etc/apparmor.d/bin.ping
, as an example.
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}
#include <tunables/global>
Includes the file global
in the directory tunables
, this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain)
sets the path to the profiled program and sets the mode to complain.
capability net_raw
allows the application access to the CAP_NET_RAW Posix.1e
capability.
/bin/ping mixr
allows the application read and execute access to the file.
/etc/modules.conf r,
The r
gives the application read privileges for /etc/modules.conf
Note: After creating/editing a profile, you need to reload the profile for changes to take effect.
Here is a list of permissions you can use:
r
- read
w
- write
ux
- Unconstrained Execute
Ux
- Unconstrained Execute -- scrub the environment
px
- Discrete profile execute
Px
- Discrete profile execute -- scrub the environment
ix
- Inherit execute
m
- allowPROT_EXEC
withmmap(2)
calls
l
- link
Sources
http://ubuntuforums.org/showthread.php?t=1606499- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?
– Izkata
Jan 5 '13 at 4:36
Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.
– Seth♦
Jan 5 '13 at 4:53
Ah, so profiles are like usergroups for programs ;)
– Izkata
Jan 5 '13 at 5:00
Yes alot like that ;)
– Seth♦
Jan 5 '13 at 5:03
Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.
– Aquarius Power
Oct 8 '14 at 17:56
add a comment |
What it is
Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog
or auditd
. Profiles in complain mode don't enforce any profile rules, just log violation attempts.
In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles
package.
You can install apparmor-profiles
by running sudo apt-get install apparmor-profiles
.
I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my
home
folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works
The apparmor-utils
package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.
These are the most common commands:
Note: Profiles are stored in /etc/apparmor.d/
- You can check Apparmor's status with
sudo apparmor_status
. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc. - To put a profile in complain mode you use
sudo aa-complain /path/to/bin
, where/path/to/bin
is the programsbin
folder. For example, running:sudo aa-complain /usr/bin/firefox
will put Firefox in complain mode. - You use
sudo aa-enforce /path/to/bin
to enforce a programs profile. - You can load all profiles into complain/enforce modes with
sudo aa-complain /etc/apparmor.d/*
andsudo aa-enforce.d/*
respectively.
To load a profile into the kernel you would use apparmor_parser
. You can reload profiles using the -r
parameter.
- To load a profile use:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
, which effectively prints the contents ofprofile.name
into Apparmor's parser. - To reload a profile you use the
-r
parameter, like so:cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of Apparmor's profiles use:
sudo service apparmor reload
To disable a profile you link it to /etc/apparmor.d/disable/
using ln
like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name
.
Note: Do not confuse apparmor_parser -r
with apparmor_parser -R
THEY ARE NOT THE SAME THING!
- To re-enable a profile, remove the symbolic link to it in
/etc/apparmor.d/disable/
then load it using the-a
parameter.sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable Apparmor with
sudo service apparmor stop
and remove the kernel module usingsudo update-rc.d -f apparmor defaults
- Start Apparmor with
sudo service apparmor start
and load kernel modules withsudo update-rc.d apparmor defaults
Profiles
Profiles are stored in /etc/apparmor.d/
and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping
is the profile for ping
in /bin
.
There are two main types of entries used in profiles:
Path Entries determine what files an application can access.
Capability entries determine what privileges a process can use.
Lets look at the profile for ping
, located in etc/apparmor.d/bin.ping
, as an example.
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}
#include <tunables/global>
Includes the file global
in the directory tunables
, this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain)
sets the path to the profiled program and sets the mode to complain.
capability net_raw
allows the application access to the CAP_NET_RAW Posix.1e
capability.
/bin/ping mixr
allows the application read and execute access to the file.
/etc/modules.conf r,
The r
gives the application read privileges for /etc/modules.conf
Note: After creating/editing a profile, you need to reload the profile for changes to take effect.
Here is a list of permissions you can use:
r
- read
w
- write
ux
- Unconstrained Execute
Ux
- Unconstrained Execute -- scrub the environment
px
- Discrete profile execute
Px
- Discrete profile execute -- scrub the environment
ix
- Inherit execute
m
- allowPROT_EXEC
withmmap(2)
calls
l
- link
Sources
http://ubuntuforums.org/showthread.php?t=1606499- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?
– Izkata
Jan 5 '13 at 4:36
Yes and no. You set up a profile that defines what a certain applications can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So its like a user because they can only access what the admin (you) says they can in the profile.
– Seth♦
Jan 5 '13 at 4:53
Ah, so profiles are like usergroups for programs ;)
– Izkata
Jan 5 '13 at 5:00
Yes alot like that ;)
– Seth♦
Jan 5 '13 at 5:03
Do you think, apparmor could be used to block every internet connection and say who is trying to access it? and based on that log we create permissions for each application? the idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not be compilable anymore I think), and there is also a new one called Douane and it uses a kernel module to make things work.
– Aquarius Power
Oct 8 '14 at 17:56
add a comment |
What it is
Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog
or auditd
. Profiles in complain mode don't enforce any profile rules, just log violation attempts.
In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles
package.
You can install apparmor-profiles
by running sudo apt-get install apparmor-profiles
.
I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my
home
folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works
The apparmor-utils
package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.
These are the most common commands:
Note: Profiles are stored in /etc/apparmor.d/
- You can check Apparmor's status with
sudo apparmor_status
. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc. - To put a profile in complain mode you use
sudo aa-complain /path/to/bin
, where/path/to/bin
is the programsbin
folder. For example, running:sudo aa-complain /usr/bin/firefox
will put Firefox in complain mode. - You use
sudo aa-enforce /path/to/bin
to enforce a programs profile. - You can load all profiles into complain/enforce modes with
sudo aa-complain /etc/apparmor.d/*
andsudo aa-enforce.d/*
respectively.
To load a profile into the kernel you would use apparmor_parser
. You can reload profiles using the -r
parameter.
- To load a profile use:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
, which effectively prints the contents ofprofile.name
into Apparmor's parser. - To reload a profile you use the
-r
parameter, like so:cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of Apparmor's profiles use:
sudo service apparmor reload
To disable a profile you link it to /etc/apparmor.d/disable/
using ln
like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name
.
Note: Do not confuse apparmor_parser -r
with apparmor_parser -R
THEY ARE NOT THE SAME THING!
- To re-enable a profile, remove the symbolic link to it in
/etc/apparmor.d/disable/
then load it using the-a
parameter.sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable Apparmor with
sudo service apparmor stop
and remove the kernel module usingsudo update-rc.d -f apparmor defaults
- Start Apparmor with
sudo service apparmor start
and load kernel modules withsudo update-rc.d apparmor defaults
Profiles
Profiles are stored in /etc/apparmor.d/
and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping
is the profile for ping
in /bin
.
There are two main types of entries used in profiles:
Path Entries determine what files an application can access.
Capability entries determine what privileges a process can use.
Lets look at the profile for ping
, located in etc/apparmor.d/bin.ping
, as an example.
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}
#include <tunables/global>
Includes the file global
in the directory tunables
, this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain)
sets the path to the profiled program and sets the mode to complain.
capability net_raw
allows the application access to the CAP_NET_RAW Posix.1e
capability.
/bin/ping mixr
allows the application read and execute access to the file.
/etc/modules.conf r,
The r
gives the application read privileges for /etc/modules.conf
Note: After creating/editing a profile, you need to reload the profile for changes to take effect.
Here is a list of permissions you can use:
r
- read
w
- write
ux
- Unconstrained Execute
Ux
- Unconstrained Execute -- scrub the environment
px
- Discrete profile execute
Px
- Discrete profile execute -- scrub the environment
ix
- Inherit execute
m
- allowPROT_EXEC
withmmap(2)
calls
l
- link
Sources
http://ubuntuforums.org/showthread.php?t=1606499- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
What it is
Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog
or auditd
. Profiles in complain mode don't enforce any profile rules, just log violation attempts.
In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles
package.
You can install apparmor-profiles
by running sudo apt-get install apparmor-profiles
.
I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my
home
folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
How it works
The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile, create new profiles, etc.
These are the most common commands:
Note: Profiles are stored in /etc/apparmor.d/
- You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.
- To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the program's bin folder. For example, running sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.
- You use sudo aa-enforce /path/to/bin to enforce a program's profile.
- You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce /etc/apparmor.d/* respectively.
To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.
- To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.
- To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- To reload all of Apparmor's profiles use: sudo service apparmor reload
To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ and then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name
Note: Do not confuse apparmor_parser -r with apparmor_parser -R. THEY ARE NOT THE SAME THING!
- To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ and then load it using the -a parameter:
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults
- Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults
Profiles
Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.
There are two main types of entries used in profiles:
- Path entries determine what files an application can access.
- Capability entries determine what privileges a process can use.
Let's look at the profile for ping, located in /etc/apparmor.d/bin.ping, as an example.
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  /bin/ping mixr,
  /etc/modules.conf r,
}
#include <tunables/global> includes the file global in the directory tunables; this allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain) sets the path to the profiled program and sets the mode to complain.
capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.
/bin/ping mixr allows the application read and execute access to the file.
/etc/modules.conf r, the r gives the application read privileges for /etc/modules.conf
Note: After creating/editing a profile, you need to reload the profile for changes to take effect.
Here is a list of permissions you can use:
- r - read
- w - write
- ux - Unconstrained Execute
- Ux - Unconstrained Execute -- scrub the environment
- px - Discrete profile execute
- Px - Discrete profile execute -- scrub the environment
- ix - Inherit execute
- m - allow PROT_EXEC with mmap(2) calls
- l - link
Sources
- http://ubuntuforums.org/showthread.php?t=1606499
- http://ubuntuforums.org/showthread.php?t=1008906
- https://wiki.ubuntu.com/AppArmor
- https://help.ubuntu.com/12.10/serverguide/apparmor.html
edited Jan 13 at 6:20 by Pablo Bianchi
answered Jan 5 '13 at 3:17 by Seth♦
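As an added example (not part of the answer above, and not AppArmor's own tooling), here is a small Python linter for the profile syntax the answer walks through: it parses the bin.ping profile, expands the permission letters from the list, derives the profile file name from the executable path, and reports what to settle before switching a profile to enforce mode. All function and constant names are mine, and the grammar it accepts is a simplification of the real one.

```python
# Added example (not from the answer): a tiny linter for the profile syntax shown
# above. Simplified grammar for this demo, not AppArmor's own parser.
import re

HEADER = re.compile(r"^(\S+)\s*(?:flags=\(([^)]*)\))?\s*\{$")
PERM = re.compile(r"[uUpPi]x|[rwml]")  # permission tokens from the answer's list

# The bin.ping profile quoted in the answer, embedded as sample input.
PING_PROFILE = """\
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  /bin/ping mixr,
  /etc/modules.conf r,
}
"""

def profile_filename(exe_path):
    """Profile file naming convention: /bin/ping -> bin.ping."""
    return exe_path.lstrip("/").replace("/", ".")

def expand_perms(mode):
    """Split a mode string such as 'mixr' into tokens ['m', 'ix', 'r']."""
    tokens = PERM.findall(mode)
    if "".join(tokens) != mode:
        raise ValueError("unknown permission letters in " + mode)
    return tokens

def parse_profile(text):
    prof = {"path": None, "flags": [], "includes": [], "capability": [],
            "network": [], "files": {}}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "}":
            continue
        if line.startswith("#include"):
            prof["includes"].append(line.split(None, 1)[1].strip("<>"))
        elif (m := HEADER.match(line)):
            prof["path"] = m.group(1)
            prof["flags"] = [f for f in (m.group(2) or "").split(",") if f]
        elif line.split()[0] in ("capability", "network"):
            kind, rest = line.rstrip(",").split(None, 1)
            prof[kind].append(rest)
        elif line.startswith("/"):
            path, mode = line.rstrip(",").rsplit(None, 1)
            prof["files"][path] = expand_perms(mode)
    return prof

def review(prof):
    notes = []
    if "complain" in prof["flags"]:
        notes.append("complain mode: violations are logged, not blocked")
    for path, perms in prof["files"].items():
        if "ux" in perms or "Ux" in perms:
            notes.append(path + ": unconstrained execute runs the target unconfined")
    return notes
```

Run review() on a profile before aa-enforce: a complain flag means the profile was never actually enforced, and a ux/Ux rule means the child runs with no profile.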
So it's sort of like a program acting as a user, and not having the permissions to modify most of the files on the system?
– Izkata
Jan 5 '13 at 4:36
Yes and no. You set up a profile that defines what a certain application can do. You then add programs to that profile and that limits what the programs in that profile are allowed to do. So it's like a user because they can only access what the admin (you) says they can in the profile.
– Seth♦
Jan 5 '13 at 4:53
Ah, so profiles are like usergroups for programs ;)
– Izkata
Jan 5 '13 at 5:00
Yes, a lot like that ;)
– Seth♦
Jan 5 '13 at 5:03
Do you think apparmor could be used to block every internet connection and say who is trying to access it? And based on that log we create permissions for each application? The idea is to make it work like Zonalarm on window$, and like old "firewalls per application" on linux like LeopardFlower and ProgramGuard (these seem not to be compilable anymore, I think), and there is also a new one called Douane, and it uses a kernel module to make things work.
– Aquarius Power
Oct 8 '14 at 17:56
AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.
AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.
AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor functionality is in the mainline Linux kernel from 2.6.36 onwards; work is ongoing by AppArmor, Ubuntu and other developers to merge additional AppArmor functionality into the mainline kernel.
I have a few more helpful links for you: Wiki.Ubuntu.com, Ubuntuforums.org, and the Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10.
Hope that will help you.
answered Jan 5 '13 at 3:13 by rɑːdʒɑ
Here is a quote from the Apparmor wiki:
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.
edited Jan 10 '13 at 1:26 by Eric Carvalho
answered Jan 9 '13 at 7:09 by Adeline Dale