From 820f2d3638c8c67a6a9407174acf886ad13832ec Mon Sep 17 00:00:00 2001
From: Michael Palimaka
+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
+
+For each file path you specify, AppArmor will permit it only the permissions you grant.
+
+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
+it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
+profiles - deactivation, listing, init script etc. will not work.
+
+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as
+The AppArmor userspace utilities currently live in the
+
+# ------------------------------------------------------------------
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/klogd {
+ #include <abstractions/base>
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /sbin/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+}
+
+
+
+# layman -a hardened-dev
+# emerge apparmor-utils
+
+
+
+You may wish to edit the configuation files located in
+Profiles are stored as simple text files in
+/etc/apparmor.d $ ls
+abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd
+apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd
+bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd
+disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd
+local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute ++ +
+Profiles are referred to by name, including any parent subdirectories if present. +
+ ++To activate a profile, simply set it to enforce mode. +
+# aa-enforce usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. ++ + +
+Similarly, to deactive a profile, simply set it to complain mode. +
+# aa-complain usr.sbin.dnsmasq
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. ++ + +
+The current status of your profiles may be viewed using
+# aa-status
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+ /bin/ping
+ /sbin/klogd
+ /sbin/syslog-ng
+ /usr/sbin/dnsmasq
+ /usr/sbin/identd
+1 profiles are in complain mode.
+ /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+ /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined. ++ + + +
+The provided init script will automatically load all profiles located in your profile directory.
+Unless specifically specified otherwise, each profile will be loaded in enforce mode. +
+ +