cloudnative wiki

apparmor

4 min read

AppArmor

Absolutely! Let’s dive into the details of AppArmor.

What is AppArmor?

AppArmor is a security module built into the Linux kernel that provides Mandatory Access Control (MAC). In simpler terms, it allows you to restrict what actions a program can perform on your system. It acts as a “sandbox” for applications, preventing them from accessing resources or performing actions they shouldn’t.

How Does It Work?

  • Profiles: The core of AppArmor is its profiles. Each profile is a set of rules that define what a specific program can and cannot do. These rules cover things like:
    • File access: Which files a program can read, write, or execute.
    • Network access: Whether a program can connect to the network and which ports it can use.
    • Capabilities: Special permissions that a program might need, like accessing raw network sockets or binding to privileged ports.
  • Enforcement: Once a profile is loaded, AppArmor enforces its rules whenever the corresponding program runs. It intercepts system calls made by the program and checks them against the profile. If an action is allowed, it proceeds; otherwise, it’s denied.

Why Use AppArmor?

  • Enhanced Security: AppArmor provides an additional layer of security beyond traditional Unix permissions. Even if a program has a vulnerability, AppArmor can limit the damage it can cause.
  • Proactive Protection: AppArmor profiles are designed to be restrictive by default, preventing unauthorized actions even if you’re not aware of specific threats.
  • Ease of Use: AppArmor is relatively easy to configure and use compared to other MAC systems. It comes with pre-made profiles for many common applications, and you can create custom profiles if needed.
  • Integrated with Ubuntu: AppArmor is installed and enabled by default on Ubuntu, making it readily available for use.

How to Use AppArmor:

  1. Check Status: Verify if AppArmor is running: sudo aa-status
  2. View Profiles: List available profiles: sudo ls /etc/apparmor.d/
  3. Edit Profiles: Modify profiles (with caution!) using a text editor.
  4. Reload Profiles: After making changes, reload them: sudo systemctl restart apparmor
  5. Check Logs: Look for AppArmor denials in the system logs: /var/log/syslog

Example Profile (Simplified):

# Profile for /usr/bin/firefox
/usr/bin/firefox {
  # Allow access to user's home directory
  /home/* r,
  # Deny write access to system directories
  /etc/* w,
  /usr/* w,
  # Allow network access
  network,
}

Important Considerations:

  • Don’t Be Overly Restrictive: While AppArmor enhances security, overly restrictive profiles can break applications. Start with existing profiles and gradually refine them.
  • Monitor Logs: Regularly check AppArmor logs for denials. They might indicate legitimate needs that you need to accommodate in your profiles.

Profiles and How to create one

1. Exploring Existing AppArmor Profiles:

  • List Available Profiles:

    Bash

    sudo ls /etc/apparmor.d/

    This command will display a list of all available AppArmor profiles on your server. Each file in this directory represents a profile for a specific application or service.

  • View Profile Contents:

    Bash

    sudo cat /etc/apparmor.d/<profile_name>

    Replace <profile_name> with the name of the profile you want to examine. This command will show you the rules defining the allowed and denied actions for that particular program.

  • Check Profile Status:

    Bash

    sudo apparmor_status

    This command provides an overview of all loaded profiles, their status (enforced, complain mode), and the processes they’re attached to.

2. Creating a New AppArmor Profile:

There are two main ways to create a new profile:

  • Using aa-genprof (Recommended):

    1. Enter Complain Mode:Bash

      sudo aa-complain /path/to/executable

      This puts the program into “complain mode,” where AppArmor logs violations but doesn’t enforce them.

    2. Run the Program: Use the program normally, performing the actions you want to allow.

    3. Generate Profile:Bash

      sudo aa-logprof

      This analyzes the logs and interactively creates a profile based on the observed behavior.

  • Manual Creation:

    1. Create a new file in /etc/apparmor.d/ with a descriptive name (e.g., usr.bin.myapp).

    2. Write the profile using the AppArmor syntax (explained below).

    3. Load the profile:Bash

      sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp

AppArmor Profile Syntax:

# Profile for /path/to/executable
/path/to/executable {
  # Include common rulesets (optional)
  #include <abstractions/base>

  # Capability rules (e.g., allow network access)
  capability net_bind_service,

  # File path permissions
  /path/to/allowed/directory/* r,
  /path/to/allowed/file rw,
  /path/to/denied/directory/* ix,

  # Network rules
  network inet tcp,
  
  # Deny specific actions (optional)
  deny @{HOME}/private/* rw,
}

Key Syntax Elements:

  • Includes: Include common rulesets to avoid repetition.
  • Capabilities: Grant or deny specific capabilities.
  • File Paths: Define read (r), write (w), execute (x), or inherit (ix) permissions for files and directories. Wildcards (*) can be used.
  • Network: Specify allowed network protocols and types.
  • Deny Rules: Explicitly deny specific actions not covered by other rules.

Additional Tips:

  • Start with a broad profile in complain mode and gradually refine it as you observe the program’s behavior.
  • Use comments (#) to explain your rules and make the profile easier to understand.
  • Refer to the official AppArmor documentation for a complete list of rules and syntax details: https://ubuntu.com/server/docs/apparmor

Graph View

Backlinks