What is apparmor?

What it is

Apparmor is a Mandatory Access Control (or MAC) system. It uses LSM kernel enhancements to restrict programs to certain resources. AppArmor does this with profiles loaded into the kernel when the system starts. Apparmor has two types of profile modes, enforcement and complain. Profiles in enforcement mode enforce that profile's rules and report violation attempts in syslog or auditd. Profiles in complain mode don't enforce any profile rules, just log violation attempts.

In Ubuntu Apparmor is installed by default. It confines applications to profiles to determine what files and permissions that a program needs access to. Some applications will come with their own properties and more can be found in the apparmor-profiles package.

You can install apparmor-profiles by running sudo apt-get install apparmor-profiles.

I found a good example of Apparmor on the Ubuntu forums that I rewrote for this post.

Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.

How it works

The apparmor-utils package contains command line tools for configuring Apparmor. Using it you can change Apparmor's execution mode, find the status of a profile create new profiles, etc.

These are the most common commands:

Note: Profiles are stored in /etc/apparmor.d/

  • You can check Apparmor's status with sudo apparmor_status. You will get a list of all profiles * loaded, all profiles in enforce mode, all profiles in complain mode, what processes are defined in enforce/complain, etc.
  • To put a profile in complain mode you use sudo aa-complain /path/to/bin, where /path/to/bin is the programs bin folder. For example, running: sudo aa-complain /usr/bin/firefox will put Firefox in complain mode.
  • You use sudo aa-enforce /path/to/bin to enforce a programs profile.
  • You can load all profiles into complain/enforce modes with sudo aa-complain /etc/apparmor.d/* and sudo aa-enforce.d/* respectively.

To load a profile into the kernel you would use apparmor_parser. You can reload profiles using the -r parameter.

  • To load a profile use: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a, which effectively prints the contents of profile.name into Apparmor's parser.
  • To reload a profile you use the -r parameter, like so: cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
  • To reload all of Apparmor's profiles use: sudo service apparmor reload

To disable a profile you link it to /etc/apparmor.d/disable/ using ln like this: sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ then run: sudo apparmor_parser -R /etc/apparmor.d/profile.name.

Note: Do not confuse apparmor_parser -r with apparmor_parser -R THEY ARE NOT THE SAME THING!

  • To re-enable a profile, remove the symbolic link to it in /etc/apparmor.d/disable/ then load it using the -a parameter. sudo rm /etc/apparmor.d/disable/profile.name cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
  • You can disable Apparmor with sudo service apparmor stop and remove the kernel module using sudo update-rc.d -f apparmor defaults
  • Start Apparmor with sudo service apparmor start and load kernel modules with sudo update-rc.d apparmor defaults

Profiles

Profiles are stored in /etc/apparmor.d/ and are named after the full path to the executable they profile, replacing '/' with '.'. For example /etc/apparmor.d/bin.ping is the profile for ping in /bin.

There are two main types of entries used in profiles:

  1. Path Entries determine what files an application can access.

  2. Capability entries determine what privileges a process can use.

Lets look at the profile for ping, located in etc/apparmor.d/bin.ping, as an example.

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}  

#include <tunables/global> Includes the file global in the directory tunables, this allows statements pertaining to multiple applications to be placed in a common file.

/bin/ping flags=(complain)sets the path to the profiled program and sets the mode to complain.

capability net_raw allows the application access to the CAP_NET_RAW Posix.1e capability.

/bin/ping mixr allows the application read and execute access to the file.

/etc/modules.conf r, The r gives the application read privileges for /etc/modules.conf

Note: After creating/editing a profile, you need to reload the profile for changes to take effect.

Here is a list of permissions you can use:

  • r - read
  • w - write
  • ux - Unconstrained Execute
  • Ux - Unconstrained Execute -- scrub the environment
  • px - Discrete profile execute
  • Px - Discrete profile execute -- scrub the environment
  • ix - Inherit execute
  • m - allow PROT_EXEC with mmap(2) calls
  • l - link

Sources

  • http://ubuntuforums.org/showthread.php?t=1606499
  • http://ubuntuforums.org/showthread.php?t=1008906
  • https://wiki.ubuntu.com/AppArmor
  • https://help.ubuntu.com/12.10/serverguide/apparmor.html

AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.

AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor functionality is in the mainline Linux kernel from 2.6.36 onwards; work is ongoing by AppArmor, Ubuntu and other developers to merge additional AppArmor functionality into the mainline kernel.

I got few More helpful Links to you : Wiki.Ubuntu.com Ubuntuforums.org

Apparmor guides for Ubuntu 12.04 & Ubuntu 12.10

Hope that will help you.