AppArmor is a Linux security module that confines programs by enforcing security policies defined in profiles. It works by restricting programs to only be able to access specific files, directories and system resources as defined in their profiles. Profiles can be generated automatically or manually defined. AppArmor profiles allow specifying what resources a program can access, and it can operate in either complain or enforce mode to log violations or block unauthorized access attempts. Key AppArmor commands are used to generate, load, and manage profiles to confine programs running on the system.

1. An overview on AppArmor
‫ارائه‬
‫کالسی‬
‫درس‬
‫امنیت‬
‫پایگاه‬
‫داده‬
‫دانشگاه‬
‫صنعتی‬
‫شریف‬
: ‫ارائه‬
‫دهندگان‬
‫ابوالفضل‬
‫فرهادی‬ - ‫امیرحسین‬
‫آشناور‬
: ‫استاد‬
‫درس‬
‫دکتر‬
‫صادق‬
‫دری‬
‫نوگورانی‬
‫نیمسال‬1401-1400

2. What is AppArmor ?
AppArmor is Mandatory Access Control (MAC) like security system for Linux.
AppArmor security policies completely define what system resources
individual applications can access, and with what privileges.
AppArmor secures applications by enforcing good application behavior
without relying on attack signatures, so it can prevent attacks even if
previously unknown vulnerabilities are being exploited.
Unconfined programs are run under standard Linux Discretionary Access
Control (DAC) security. AppArmor augments traditional DAC in that confined
programs are evaluated under traditional DAC first and if DAC allows the
behavior then AppArmor policy consulted.

3. How does AppArmor work ?
In AppArmor, processes are restricted by profiles , these profiles are stored in
the /etc/apparmor.d directory. These profiles are plain-text files that can
contain comments .
In addition to manually creating profiles, AppArmor includes a learning mode,
in which profile violations are logged, but not prevented. This log can then be
used for generating an AppArmor profile, based on the program's typical
behavior.
Profiles can run in “complain mode” or “enforce mode ” that will be described
next .

4. Enforce mode vs. Complain mode
Enforce – In the enforce mode, system begins enforcing the rules and report
the violation attempts in syslog or auditd (only if auditd is installed) and
operation will not be permitted.
Complain – In the complain mode, system doesn’t enforce any rules. It will only
log the violation attempts.

5. Syntax of security profiles for AppArmor* part 1
PROFILE = ( PROFILE HEAD ) [ ATTACHMENT SPECIFICATION ] [ PROFILE FLAG CONDS ] '{' (RULES )* '}'
PROFILE HEAD = [ 'profile' ] FILEGLOB | 'profile' PROFILE NAME
FILEGLOB = ( QUOTED FILEGLOB | UNQUOTED FILEGLOB )
QUOTED FILEGLOB = '"' UNQUOTED FILEGLOB '"'
UNQUOTED FILEGLOB = (must start with '/' (after variable expansion), AARE have special meanings; see below. May
include VARIABLE. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to
directories.)
PROFILE FLAG CONDS = [ 'flags=' ] '(' comma or white space separated list of PROFILE FLAGS ')'
PROFILE FLAGS = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' |'attach_disconnected' | 'chroot_relative'
VARIABLE = '@{' ALPHA [ ( ALPHANUMERIC | '_' ) ... ] '}'
VARIABLE ASSIGNMENT = VARIABLE ('=' | '+=') (space separated values)
*See https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html for full description

6. Syntax of security profiles for AppArmor part 2
FILE RULE = [ QUALIFIERS ] [ 'owner' ] ( 'file' | [ 'file' ] ( FILEGLOB ACCESS | ACCESS FILEGLOB ) [ '->' EXEC TARGET ] )
ACCESS = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | EXEC TRANSITION )+ (not all combinations are allowed)
EXEC TRANSITION =( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x'
)
A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier.
r - read , w - write , a - append , deny x - disallow execute
EXEC TARGET = name
Requires EXEC TRANSITION specified
ACCESS TYPE = ( 'allow' | 'deny' )
QUALIFIERS = [ 'audit' ] [ ACCESS TYPE ]

7. Syntax of security profiles for AppArmor part 3
CAPABILITY RULE = [ QUALIFIERS ] 'capability' [ CAPABILITY LIST ]
CAPABILITY LIST = ( CAPABILITY )+
CAPABILITY = (lowercase capability name without 'CAP_' prefix; see capabilities )
NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ]
DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' |
'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' |
'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' |
'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' ) ','
TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

8. What are important commands ?
aa-status _ check the current status
aa-enforce _ set profile to enforce mode (from disable or complain)
aa-complain _ set profile to complain mode (from diable or enforcement)
apparmor_parser _ to load/reload an altered policy
aa-genprof _ generate a new profile
aa-logprof _ used to change the policy when the binary/program is changed
aa-mergeprof _ used to merge the policies

9. Now let’s put it in practice …

10. aa-status

11. Use apt install apparmor-utils to make AppArmor commands available

12. aa-genprof <executable> for profile generation

13. Default profile

14. Sample application for testing AppArmor features , it fails to read from
file with default profile

15. File read access added

16. Use apparmor_parser to update or add profile

17. Now application can read file normally

18. Application fails to execute another app

19. Appropriate rule added

20. Now it can execute another app

21. Test app that can set fileToRead file owner to current user

22. New rule added , now Application can execute test app , ix shows that
test will be executed with its parent profile

23. Even with root privilege test could NOT change file’s owner , because
chroot capability was not defined in profile .

24. Stop AppArmor as a service

25. Start AppArmor as a service

26. ping.py script for pinging google.com

27. ping.py

28. Making ping.py executable

29. Testing ping executable

30. aa-genprof ping

31. Now it fails due to default profile …

32. aa-status shows ping profile is added .

33. Syslog after failed execution

34. ping updated profile

35. Changing ping profile mode to complain mode

36. Now ping is executed in complain mode

37. Syslog for complain mode execution

38. Syslog for complain mode execution

39. Reference:
• https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
• https://wiki.ubuntu.com/AppArmor
• https://manpages.ubuntu.com/manpages/xenial/man5/apparm
or.d.5.html
• https://en.wikipedia.org/wiki/AppArmor

40. Thank you for your attention !