AppArmor | Hardening Two June 13, 2016 Francesco Pira (fpira.com)
AppArmor
App sandboxing comes standard in Ubuntu Linux
What it is
• it’s not a proper MAC tool
• just meant for app sandboxing
• can’t defend against root privilege escalation
• implemented as an LSM (Linux Security Modules) module
• apparmor-utils
  • init scripts, log parser for learning mode, policy generator
Development timeline
• 1998 born from WireX as SubDomain
• 2005 bought by Novell and renamed as AppArmor
• 2007 Novell stops development
  • Ubuntu 7.10 released!
• 2009 Canonical takes over from Novell; it is reborn
• 2016 still in development as open-source project
Features
• enforce is not default. no policy means unconfined!
• policy split in profiles: one profile per executable
• policy can be modified by hand in text editors
• loads all profiles at startup (both complain and enforce)
• path-based ACL (for loaded profiles)
• notifications to the user via aa-notify
How it works
• uses LSM
• path-based profiles (saved in /etc/apparmor.d)
• each profile manages…
  • accessible paths (permissions)
  • system capabilities the executable has
• complain mode to log (…and then learn)
• again: enforce is not default. no policy means unconfined!
Out of the box
• Comes preinstalled and active since Ubuntu 7.10
• By default some profiles are already in enforcing mode, others in complain
root@vm1:/home/francesco# aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/bin/ubuntu-core-launcher
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/tcpdump
webbrowser-app
webbrowser-app//oxide_helper
0 profiles are in complain mode.
0 processes are unconfined but have a profile defined.
(defaults in Ubuntu 16.04 after installation)
Installation
• sudo apt-get install …
  • apparmor, the system itself
  • apparmor-utils, managing utilities
  • apparmor-profiles, for additional profiles
  • (optional) apparmor-notify, to get desktop notifications upon attempted violation
  • auditd, not part of AppArmor but needed for logs
Usage
• aa-status to see what’s active, what’s not
• aa-genprof to scaffold an (empty) policy
• aa-logprof to generate policy out of the log (learning mode)
  • (e.g.) aa-logprof -f /var/log/audit/audit.log
• aa-complain to log without denying (aa-complain /etc/apparmor.d/profile.name)
• aa-enforce to make the policy effective (aa-enforce /etc/apparmor.d/profile.name)
• apparmor_parser -R /etc/apparmor.d/profile.name to unload (ignore) a profile
• apparmor_parser -r /etc/apparmor.d/profile.name to reload (un-ignore) a profile
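What the audit.log entries behind complain mode and aa-logprof look like, and how to summarise them, as an added example that is not from the original slides. The log lines are constructed samples in the audit AVC format, the function names are made up for this sketch, and candidate_rules is a simplification of what aa-logprof proposes interactively.

```shell
#!/bin/sh
# Constructed sample lines in audit.log AVC format (not captured from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1465812001.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/ssl/certs/ca.pem" pid=2101 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465812002.202:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/ssl/certs/ca.pem" pid=2101 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465812003.303:203): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/home/user/.ssh/id_rsa" pid=2155 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=AVC msg=audit(1465812004.404:204): apparmor="DENIED" operation="mknod" profile="/usr/sbin/vsftpd" name="/etc/cron.d/job" pid=2101 comm="vsftpd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=SYSCALL msg=audit(1465812004.404:204): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd"
EOF
}

# Print "VERDICT profile mask path count" for each distinct AppArmor event.
# ALLOWED = logged in complain mode, DENIED = blocked in enforce mode.
# Reads the files given as arguments, or stdin when there are none.
summarise_apparmor() {
    awk '
    # Return the value of key="value" on the current line ("" if absent).
    function field(key,    re, v) {
        re = " " key "=\"[^\"]*\""
        if (!match($0, re)) return ""
        v = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
        return v
    }
    /apparmor="(ALLOWED|DENIED)"/ {
        k = field("apparmor") " " field("profile") " " field("denied_mask") " " field("name")
        n[k]++
    }
    END { for (k in n) print k, n[k] }
    ' "$@" | sort
}

# Candidate "path perms," rules for one profile, built from its complain-mode
# (ALLOWED) events only. Review each one before adding it to the profile.
candidate_rules() {
    profile=$1; shift
    summarise_apparmor "$@" |
        awk -v p="$profile" '$1 == "ALLOWED" && $2 == p { print $4 " " $3 "," }' |
        sort -u
}

sample_audit_log | summarise_apparmor
```

On a real host, pass the log file instead of the sample: summarise_apparmor /var/log/audit/audit.log.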
Policy example (for vsftpd)
#include <tunables/global>

/usr/sbin/vsftpd {
  # including rules in other pre-defined files
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>

  # each rule: a path, then the permissions granted on it
  /dev/urandom r,
  /etc/fstab r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  # wildcards
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,

  # anon chroots
  / r,
  /pub r,
  /pub/** r,
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
Permissions
• r read
• w write
• ux unconfined execute
• Ux unconfined execute - scrub environment
• px discrete profile execute
• Px discrete profile execute - scrub environment
• i inherit execute
• m allow PROT_EXEC with mmap calls
• l link
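Reading file rules with the permission letters above, as an added example (not from the original slides): it decodes each rule and flags the two kinds worth a second look when reviewing a profile. The sample profile mixes rules from the vsftpd example with two hypothetical ones (/bin/sh and /usr/lib/vsftpd/helper), and the function names and flag labels are made up here.

```shell
#!/bin/sh
# Constructed profile: the first four rules come from the vsftpd example,
# the last two are hypothetical and exist only to exercise the checks.
sample_profile() {
cat <<'EOF'
#include <tunables/global>
/usr/sbin/vsftpd {
  #include <abstractions/base>
  /etc/vsftpd.* r,
  /usr/sbin/vsftpd rmix,
  /var/log/vsftpd.log w,
  @{HOME}/** rwl,
  /bin/sh ux,
  /usr/lib/vsftpd/helper Px,
}
EOF
}

# Print "path: decoded permissions [flags]" for every file rule.
# Reads the profile files given as arguments, or stdin when there are none.
explain_rules() {
    awk '
    BEGIN {
        m["r"] = "read"; m["w"] = "write"; m["l"] = "link"; m["m"] = "mmap-exec"
        m["ix"] = "inherit-exec"
        m["ux"] = "unconfined-exec"; m["Ux"] = "unconfined-exec(scrubbed)"
        m["px"] = "profile-exec";    m["Px"] = "profile-exec(scrubbed)"
    }
    # A file rule is "<path> <perms>,"; includes, comments and braces are skipped.
    $1 ~ "^[/@]" && NF == 2 && $2 ~ /,$/ {
        p = $2; sub(/,$/, "", p); out = ""; flag = ""
        while (p != "") {
            # Execute modes are two characters ending in x (ix, ux, Px, ...).
            t = (substr(p, 2, 1) == "x") ? substr(p, 1, 2) : substr(p, 1, 1)
            if (t in m) out = out " " m[t]
            else { out = out " ?" t; flag = flag " UNKNOWN" }
            # ux/Ux: the child process runs with no profile at all.
            if (t == "ux" || t == "Ux") flag = flag " LEAVES-SANDBOX"
            # write permission under a ** glob covers the whole subtree.
            if (t == "w" && index($1, "**")) flag = flag " RECURSIVE-WRITE"
            p = substr(p, length(t) + 1)
        }
        print $1 ":" out flag
    }' "$@"
}

sample_profile | explain_rules
```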
The good
• friendly management tools
• policies easy to maintain
  • using audit.log and aa-logprof
• integrates with audit
  • decent logs
• integrates with Ubuntu system notifications
The bad
• basic enforcement (e.g. can’t limit access to a range of TCP ports)
• useless against root privilege escalation (can be disabled or removed!)
• no memory protection
• buggy utilities (learning mode often not working)
Resources
• Official wiki (wiki.apparmor.net/)
• Ubuntu wiki (wiki.ubuntu.com/AppArmor/)
• Debian wiki (https://wiki.debian.org/AppArmor/HowToUse)
• Arch Linux wiki (https://wiki.archlinux.org/index.php/AppArmor)
• irc.oftc.net #apparmor
• Mailing list (https://lists.ubuntu.com/mailman/listinfo/apparmor)
Questions?
Thank you!
