Never Ending Security

How To Setup and Configure Apparmor on Linux

How to: Ubuntu Apparmor

AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor’s security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

In Ubuntu, AppArmor is installed and enabled by default.


AppArmor operates in the following two types of profile modes:

  1. Enforce – In enforce mode the system enforces the rules: the violating operation is not permitted, and the attempt is reported in syslog or auditd (only if auditd is installed).
  2. Complain – In complain mode the system doesn't enforce any rules; it only logs the violation attempts.
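Both modes write each violation attempt to the log; the apparmor= verdict field is what tells them apart (DENIED from an enforce-mode profile, ALLOWED from a complain-mode one). The following is an added example, not code from the original post: it parses constructed sample lines in the shape of the audit records AppArmor reports to syslog or auditd and tallies verdicts per profile, which shows what a complain-mode profile would block once switched to enforce.

```python
import re

# Constructed sample lines (not from the page) in the shape of the audit
# records AppArmor writes to syslog/kern.log or auditd. Enforce mode logs a
# blocked attempt as DENIED; complain mode logs the same attempt as ALLOWED.
LOG_LINES = [
    'audit: type=1400 audit(1403200000.123:45): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/mysqld" name="/etc/shadow" pid=799 comm="mysqld" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1403200001.456:46): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/mysqld" name="/tmp/dump.sql" pid=799 comm="mysqld" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1403200002.789:47): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/tcpdump" pid=1201 comm="tcpdump" capability=21 capname="sys_admin"',
    'kernel: eth0: link becomes ready',
]

# Matches key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def summarize(lines):
    """Per profile: how many DENIED vs ALLOWED events and what they touched."""
    summary = {}
    for line in lines:
        event = parse_event(line)
        if event is None or "profile" not in event:
            continue
        entry = summary.setdefault(event["profile"],
                                   {"DENIED": 0, "ALLOWED": 0, "targets": []})
        verdict = event["apparmor"]
        if verdict in ("DENIED", "ALLOWED"):
            entry[verdict] += 1
        # file events carry name=, capability events carry capname=
        entry["targets"].append(event.get("name") or event.get("capname", "?"))
    return summary
```

On a live system, feed it the output of `journalctl -k` or the contents of /var/log/kern.log or /var/log/audit/audit.log instead of LOG_LINES.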

Additional profiles can be found in the apparmor-profiles package.

Install

Install AppArmor userspace tools and some contributed profiles:

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils

View Apparmor Status

You can view the current status of AppArmor and all the loaded profiles as shown below:

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (585)
   /usr/sbin/mysqld (799)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Change Profile Mode

Use the aa-complain command to set a profile to complain mode. For example, do the following to enable complain mode for mysqld.

$ sudo aa-complain /usr/sbin/mysqld
Setting /usr/sbin/mysqld to complain mode.

Now when you execute apparmor_status, you'll see mysqld in complain mode.

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
2 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (585)
1 processes are in complain mode.
   /usr/sbin/mysqld (799)
0 processes are unconfined but have a profile defined.

You can change the profile back to enforce mode using the aa-enforce command as shown below.

$ sudo aa-enforce /usr/sbin/mysqld
Setting /usr/sbin/mysqld to enforce mode.

AppArmor Profile Files

AppArmor profiles are text files located under the /etc/apparmor.d/ directory.

The files are named after the full path to the executable they profile, dropping the leading "/" and replacing each remaining "/" with ".".

For example, the ping command is located at /bin/ping, so the equivalent AppArmor profile file is named bin.ping.

The following is the AppArmor profile file usr.sbin.mysqld; it applies to the binary at the absolute path /usr/sbin/mysqld.

# cat usr.sbin.mysqld
# vim:syntax=apparmor
# Last Modified: Tue Jun 19 17:37:30 2014
#include <tunables/global>
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>
  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,
  network tcp,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid rw,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid rw,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}

In a profile file, comments begin with the # sign. #include lines load the named file into the profile.

The following are the different types of rules that are used in profiles.

  1. Path entries: specify which files the application is allowed to access.
  2. Capability entries: determine the privileges a confined process is allowed to use.
  3. Network entries: determine the connection type, for example tcp. For a packet analyzer the network rule might instead allow raw or packet sockets.

Within the curly braces {} come further #include statements and the access rules themselves: file and directory paths (glob patterns are allowed) followed by their permission modes [read (r), write (w), execute (x), and lock (k), which requires r or w and is available in AppArmor 2.1 and later]. The #include statements inside the braces load shared components of Novell AppArmor profiles, such as the abstractions seen above.
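An added example, not part of the original post, that applies the file-naming rule and the rule types described above: it derives the profile file name from the binary path and parses a trimmed copy of the mysqld profile into include, capability, network and path rules, then lists the paths that grant write access, which are the first thing to review when auditing a profile.

```python
# Profile text constructed for this example from the mysqld profile shown above,
# trimmed to a representative subset of its rules.
PROFILE = """\
#include <tunables/global>
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/mysql>
  capability dac_override,
  capability setuid,
  network tcp,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /var/lib/mysql/** rwk,
  /var/run/mysqld/mysqld.sock w,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}
"""

def profile_filename(binary_path):
    """Map an executable path to its profile file name under /etc/apparmor.d/."""
    return binary_path.lstrip("/").replace("/", ".")

def parse_profile(text):
    """Split a profile into the binary it confines and its rules by type."""
    rules = {"binary": None, "include": [], "capability": [],
             "network": [], "path": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line[0] == "#" and not line.startswith("#include")):
            continue                        # blank line or comment
        if line.endswith("{"):              # header: path of the confined binary
            rules["binary"] = line[:-1].strip()
        elif line.startswith("#include"):   # shared abstraction pulled in
            rules["include"].append(line.split("<", 1)[1].rstrip(">"))
        elif line.startswith("capability "):
            rules["capability"].append(line[len("capability "):].rstrip(","))
        elif line.startswith("network "):
            rules["network"].append(line[len("network "):].rstrip(","))
        elif line.startswith("/"):          # path entry: "<path> <modes>,"
            path, mode = line.rstrip(",").rsplit(None, 1)
            rules["path"].append((path, mode))
    return rules

def writable_paths(rules):
    """Path rules granting write access: review these first when auditing."""
    return [path for path, mode in rules["path"] if "w" in mode]
```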

Disable AppArmor

If some process is not working as expected and you want to check whether AppArmor profiles are the cause, you might want to temporarily disable AppArmor for debugging.

# /etc/init.d/apparmor stop
 * Clearing AppArmor profiles cache  [OK]

Executing the above command only clears the profiles cache. To unload the profiles, run the following command.

# /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [OK]
