From 820f2d3638c8c67a6a9407174acf886ad13832ec Mon Sep 17 00:00:00 2001 From: Michael Palimaka Date: Wed, 11 Jul 2012 05:30:34 +1000 Subject: Add initial draft of AppArmor guide. --- xml/apparmor.xml | 204 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 xml/apparmor.xml diff --git a/xml/apparmor.xml b/xml/apparmor.xml new file mode 100644 index 0000000..032f1f3 --- /dev/null +++ b/xml/apparmor.xml @@ -0,0 +1,204 @@ + + + + + +Gentoo AppArmor Guide + + + Michael Palimaka + + + +This guide provides a brief overview of AppArmor, and gives information +on how to install and configure it on Gentoo. + + + + + + +1 +2012-07-10 + + +Introduction + +
+ +

+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. +

+

+For each file path you specify, AppArmor will permit it only the permissions you grant. +

+
+# ------------------------------------------------------------------
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/klogd {
+  #include <abstractions/base>
+
+  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+  capability syslog,
+
+  network inet stream,
+
+  /boot/System.map*     r,
+  @{PROC}/kmsg          r,
+  @{PROC}/kallsyms      r,
+  /dev/tty              rw,
+
+  /sbin/klogd           rmix,
+  /var/log/boot.msg     rwl,
+  /{,var/}run/klogd.pid    krwl,
+  /{,var/}run/klogd/klogd.pid krwl,
+  /{,var/}run/klogd/kmsg   r,
+}
+
+ +
+ +
+ + +Initial setup + +
+Kernel patching + +

+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, +it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate +profiles - deactivation, listing, init script etc. will not work. +

+

+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as hardened-sources, +the patches will not cleanly apply. For convenience, a rebased version of the patches is +available. +

+ +
+ +
+Install utilities + +

+The AppArmor userspace utilities currently live in the +Hardened development overlay. +You should install layman, and then add the hardened-dev overlay: + +

+# layman -a hardened-dev
+# emerge apparmor-utils
+You will probably also wish to install some profiles to get started:
+# emerge apparmor-profiles
+
+ +

+ +
+ +
+Further configuration + +

+You may wish to edit the configuation files located in /etc/apparmor, however +the default values will suit most users. +

+ +
+ +
+ + +Working with profiles + +
+ +

+Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored +in subdirectories - you may organise them however it suits you. +

+ +
+/etc/apparmor.d $ ls
+abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
+apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
+bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
+disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
+local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
+
+ +

+Profiles are referred to by name, including any parent subdirectories if present. +

+ +
+ +
+Manual control + + +

+To activate a profile, simply set it to enforce mode. +

+# aa-enforce usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+
+

+ +

+Similarly, to deactive a profile, simply set it to complain mode. +

+# aa-complain usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+
+

+ +

+The current status of your profiles may be viewed using aa-status. +

+# aa-status
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+   /bin/ping
+   /sbin/klogd
+   /sbin/syslog-ng
+   /usr/sbin/dnsmasq
+   /usr/sbin/identd
+1 profiles are in complain mode.
+   /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+
+

+ + +
+ +
+Automatic control + +

+The provided init script will automatically load all profiles located in your profile directory. +Unless specifically specified otherwise, each profile will be loaded in enforce mode. +

+ +
+ +
+ +
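Review bot: in "Manual control", the paragraph "Similarly, to deactive a profile, simply set it to complain mode." and its `aa-complain usr.sbin.dnsmasq` example present complain mode as deactivation, but a complain-mode profile stays loaded and merely logs what it would have denied; the guide's own aa-status output makes the distinction by listing "1 profiles are in complain mode." separately from "0 processes are unconfined but have a profile defined." Say that complain mode is the testing mode, and that a profile is actually unloaded with aa-disable or `apparmor_parser -R`, and explain what the `disable` directory in the /etc/apparmor.d listing is for. While here, recommend the safe workflow: put a new profile in complain mode, exercise the program, review the logged denials with aa-logprof, and only then run aa-enforce, because a profile missing a path rule breaks the service the moment it is enforced. In "Kernel patching", "improved AppArmor support has been merged" and "deactivation, listing, init script etc. will not work" are too vague to act on: name the securityfs interface the patches add and which tools depend on it, and state the kernel options a reader must enable (CONFIG_SECURITY_APPARMOR, plus either CONFIG_DEFAULT_SECURITY_APPARMOR or `security=apparmor` on the kernel command line), since without them nothing in the "Manual control" section works and aa-status reports that the module is not loaded. In "Automatic control", "Unless specifically specified otherwise" should say how a profile opts out of enforce mode (a `flags=(complain)` profile header or the disable directory). Spelling: "configuation", "deactive".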
-- cgit v1.2.3-65-gdbad