AppArmor is a Linux security module that confines programs by enforcing security policies defined in profiles. It works by restricting programs to only be able to access specific files, directories and system resources as defined in their profiles. Profiles can be generated automatically or manually defined. AppArmor profiles allow specifying what resources a program can access, and it can operate in either complain or enforce mode to log violations or block unauthorized access attempts. Key AppArmor commands are used to generate, load, and manage profiles to confine programs running on the system.
2. What is AppArmor?
AppArmor is a Mandatory Access Control (MAC)-style security system for Linux.
AppArmor security policies completely define what system resources
individual applications can access, and with what privileges.
AppArmor secures applications by enforcing good application behavior
without relying on attack signatures, so it can prevent attacks even if
previously unknown vulnerabilities are being exploited.
Unconfined programs run under standard Linux Discretionary Access
Control (DAC) security. AppArmor augments traditional DAC: confined
programs are evaluated under traditional DAC first, and only if DAC allows the
behavior is the AppArmor policy consulted.
3. How does AppArmor work?
In AppArmor, processes are restricted by profiles, which are stored in
the /etc/apparmor.d directory. These profiles are plain-text files that can
contain comments.
In addition to manually creating profiles, AppArmor includes a learning mode,
in which profile violations are logged, but not prevented. This log can then be
used for generating an AppArmor profile, based on the program's typical
behavior.
Profiles can run in "complain mode" or "enforce mode", which are described
next.
4. Enforce mode vs. Complain mode
Enforce – In enforce mode, the system enforces the rules: violation attempts
are reported in syslog or auditd (only if auditd is installed) and the
operation is not permitted.
Complain – In complain mode, the system does not enforce any rules. It only
logs the violation attempts.
5. Syntax of security profiles for AppArmor* part 1
PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '{' (RULES )* '}'
PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME
FILEGLOB = ( QUOTED FILEGLOB | UNQUOTED FILEGLOB )
QUOTED FILEGLOB = '"' UNQUOTED FILEGLOB '"'
UNQUOTED FILEGLOB = (must start with '/' (after variable expansion), AARE have special meanings; see below. May
include VARIABLE. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to
directories.)
PROFILE FLAG CONDS = [ 'flags=' ] '(' comma or white space separated list of PROFILE FLAGS ')'
PROFILE FLAGS = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'
VARIABLE = '@{' ALPHA [ ( ALPHANUMERIC | '_' ) ... ] '}'
VARIABLE ASSIGNMENT = VARIABLE ('=' | '+=') (space separated values)
*See https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html for full description
6. Syntax of security profiles for AppArmor part 2
FILE RULE = [ QUALIFIERS ] [ 'owner' ] ( 'file' | [ 'file' ] ( FILEGLOB ACCESS | ACCESS FILEGLOB ) [ '->' EXEC TARGET ] )
ACCESS = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | EXEC TRANSITION )+ (not all combinations are allowed)
EXEC TRANSITION = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )
A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier.
r - read, w - write, a - append, deny x - disallow execute
EXEC TARGET = name (requires an EXEC TRANSITION to be specified)
ACCESS TYPE = ( 'allow' | 'deny' )
QUALIFIERS = [ 'audit' ] [ ACCESS TYPE ]
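The grammar on these two slides put to use in a complete profile. This is an added example, not from the original slides: it confines a hypothetical program /usr/local/bin/logreader (assumed name and path), starts it in complain mode so that violations are only logged, and exercises a variable, owner and audit qualifiers, exec transitions and a deny rule with a bare 'x'.

```apparmor
# Added example profile (not from the original slides) for a hypothetical
# /usr/local/bin/logreader. Save as /etc/apparmor.d/usr.local.bin.logreader,
# load with: apparmor_parser -r /etc/apparmor.d/usr.local.bin.logreader
# and review logged violations with aa-logprof before switching the
# flags from complain to enforce (or running aa-enforce).

#include <tunables/global>

# VARIABLE ASSIGNMENT: space separated values; every rule that uses
# @{LOGDIR} is expanded once per value.
@{LOGDIR} = /var/log /var/log/nginx

# PROFILE HEAD: 'profile' PROFILE NAME, then the ATTACHMENT (the binary
# the profile is applied to), then PROFILE FLAG CONDS.
profile logreader /usr/local/bin/logreader flags=(complain) {
  #include <abstractions/base>

  # FILE RULEs in FILEGLOB ACCESS form: read-only access to the log
  # directories (trailing '/' for the directory itself, '**' for contents).
  @{LOGDIR}/ r,
  @{LOGDIR}/** r,

  # 'owner' limits the rule to files owned by the user running the program.
  owner /tmp/logreader.*.tmp rw,

  # EXEC TRANSITIONs: the program may re-exec itself inheriting this
  # profile (ix); gzip runs under its own profile if one is loaded,
  # otherwise inherits this one (pix).
  /usr/local/bin/logreader ix,
  /usr/bin/gzip pix,

  # 'audit' QUALIFIER: log this access even though it is permitted.
  audit /etc/logreader.conf r,

  # 'deny' QUALIFIER with a bare 'x' (only valid together with deny):
  # never execute a shell, and audit any attempt. AARE alternation
  # covers both /bin and /usr/bin.
  audit deny /{usr/,}bin/{sh,bash,dash} x,
  deny /etc/shadow r,
}
```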
8. What are important commands?
aa-status – check the current status
aa-enforce – set a profile to enforce mode (from disabled or complain)
aa-complain – set a profile to complain mode (from disabled or enforce)
apparmor_parser – load/reload an altered policy
aa-genprof – generate a new profile
aa-logprof – used to update the policy when the binary/program has changed
aa-mergeprof – used to merge policies