Difference between revisions of "AppArmor"

m (Bot: Removing from Category:HOWTOs (English))
(introspection patch is not needed for Linux 3.12)
(44 intermediate revisions by 17 users not shown)
Line 1: Line 1:
[[Category:Security (English)]]
+
[[Category:Security]]
[[Category:Kernel (English)]]
+
[[Category:Kernel]]
[[Category:Networking (English)]]
+
{{Out of date}}
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).
+
 
 +
[[Wikipedia:AppArmor|AppArmor]] is a [[Wikipedia:Mandatory_access_control|Mandatory Access Control]] (MAC) system, implemented upon the [[Wikipedia:Linux_Security_Modules|Linux Security Modules]] (LSM).
 +
 
 +
== Preventing circumvention of path-based MAC via links ==
 +
 
 +
AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel now includes the ability to prevent this vulnerability, without needing the patches distributions like Ubuntu have applied to their kernels as workarounds.
 +
 
 +
See [[Sysctl#Preventing_link_TOCTOU_vulnerabilities]] for details.
  
 
== Implementation Status ==
 
== Implementation Status ==
AppArmor is currently available in Arch Linux kernel and [[AUR]], but we still don't have the user-space tools tested:
+
AppArmor is currently available in the [https://bugs.archlinux.org/task/21406 Arch Linux kernel], but it has to be activated on kernel boot.
* http://aur.archlinux.org/packages.php?ID=42279
+
 
* https://bugs.archlinux.org/task/21406
+
Userspace support requires the [[AUR]] package [https://aur.archlinux.org/packages.php?ID=42279 apparmor].
  
It will take some time to make everything work Out-of-the-box.
+
Not all the packages work out-of-the-box, but it is a work in progress. If you know how to build profiles yourself you shouldn't have too many problems.
 +
Also there is an [https://aur.archlinux.org/packages.php?ID=60269 AUR kernel]
 +
which includes apparmor specific patches from Ubuntu's [https://launchpad.net/apparmor launchpad].  
  
=== aur/apparmor package ===
+
=== AUR/apparmor package ===
 
Added lot of features:
 
Added lot of features:
 
* apparmor-parser
 
* apparmor-parser
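Review bot: the new "Preventing circumvention of path-based MAC via links" section states the hard-link bypass without saying why it works, and the {{Out of date}} banner is added with no reason argument. Add the one-sentence mechanism: AppArmor mediates by pathname, so a hard link created to a file that a profile only covers under its original path is a new path that the profile's rules do not match, which is what the sysctl-based protection behind the [[Sysctl#Preventing_link_TOCTOU_vulnerabilities]] link closes. Also fill in the template's first argument (for instance, that the Implementation Status and TODO lists describe the pre-systemd state) so readers know which parts of the page to distrust.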
Line 26: Line 35:
  
 
But we still miss following features (TODO):
 
But we still miss following features (TODO):
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX
+
* A systemd .service for every important daemon in AppArmor
 
* chase missing dependencies
 
* chase missing dependencies
 
* test everything
 
* test everything
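Review bot: the replacement TODO item "A systemd .service for every important daemon in AppArmor" reads as if no service exists yet, but the "Systemd support" section added later in this same revision says the AUR apparmor package already ships a service that loads every profile in /etc/apparmor.d/. Reword the item to say what is still missing (per-daemon units, or ordering so that profiles are loaded before the daemons they confine start, since a daemon started earlier runs unconfined), or drop it; as written the two sections contradict each other.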
Line 34: Line 43:
 
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration
 
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration
 
** etc...
 
** etc...
* apparmor gnome applet (can't build, deprecated...)
+
* apparmor gnome applet (can't build, deprecated..., find a working Replacement)
 
+
==== When compared to Ubuntu ====
+
we have almost everything that is in following Ubuntu packages:
+
* apparmor
+
* apparmor-profiles
+
* apparmor-utils
+
* apparmor-notify
+
* apparmor-docs
+
* libapparmor1
+
* libapparmor-dev
+
* libapparmor-perl
+
 
+
We don't have
+
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX
+
* packages: libapache2-mod-apparmor libpam-apparmor
+
* KNOW-HOW
+
  
 
== Links ==
 
== Links ==
 
* Official pages
 
* Official pages
** kernel: https://apparmor.wiki.kernel.org/
+
** Kernel: https://apparmor.wiki.kernel.org/ http://wiki.apparmor.net/
** userspace: https://launchpad.net/apparmor
+
** Userspace: https://launchpad.net/apparmor
  
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)
+
* http://www.kernel.org/pub/linux/security/apparmor/AppArmor-2.6/
 +
* http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
 +
 
 +
* http://ubuntuforums.org/showthread.php?t=1008906 (Tutorial)
 
* https://help.ubuntu.com/community/AppArmor
 
* https://help.ubuntu.com/community/AppArmor
* https://bugs.archlinux.org/task/21406
+
*{{Bug|21406}}
 
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt  
 
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt  
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces
+
* http://wiki.apparmor.net/index.php/Kernel_interfaces
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions
+
* http://wiki.apparmor.net/index.php/AppArmor_versions
* http://manpages.ubuntu.com/manpages/maverick/man5/apparmor.d.5.html
+
* http://manpages.ubuntu.com/manpages/oneiric/man5/apparmor.d.5.html
* http://manpages.ubuntu.com/manpages/maverick/man8/apparmor_parser.8.html
+
* http://manpages.ubuntu.com/manpages/oneiric/man8/apparmor_parser.8.html
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS
+
* http://wiki.apparmor.net/index.php/Distro_CentOS
 
* http://bodhizazen.net/aa-profiles/
 
* http://bodhizazen.net/aa-profiles/
 
* https://wiki.ubuntu.com/ApparmorProfileMigration
 
* https://wiki.ubuntu.com/ApparmorProfileMigration
* http://en.wikipedia.org/wiki/Linux_Security_Modules
+
* [[wikipedia:Linux_Security_Modules]]
* https://apparmor.wiki.kernel.org/index.php/Gittutorial
+
* http://wiki.apparmor.net/index.php/Gittutorial
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz
+
  
 
== AppArmor Packages ==
 
== AppArmor Packages ==
* kernel26  >= 2.6.36 have AppArmor support
+
* Arch's {{Pkg|linux}} package has AppArmor support
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]
+
* aur/[https://aur.archlinux.org/packages.php?ID=42279 apparmor]
  
 
== Kernel Configuration ==
 
== Kernel Configuration ==
Here is configuration of ArchLinux kernel which enables AppArmor (just FYI, you don't need to touch it):
+
Here is configuration of ArchLinux kernel which enables AppArmor (just FYI, you do not need to touch it):
 
   CONFIG_SECURITY_APPARMOR=y
 
   CONFIG_SECURITY_APPARMOR=y
 
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
 
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
 
   # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 
   # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
  
However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied on top of the 2.6.36 kernel to reintroduce these interfaces, but do not currently build against the Arch Linux kernel.
+
However, integration of AppArmor into the kernel is not quite complete. It is missing network mediation. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches provided with the AppArmor tarball that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. A suitably patched kernel is provided by the AUR package {{AUR|linux-apparmor}}. Historic note: as of Linux 3.12, the profile introspection patch is not needed anymore.
  
== GRUB Configuration ==
+
== Bootloader Configuration ==
=== GRUB1 ===
+
=== Enable ===
To test profiles, or enforce the use of AppArmor it must be enabled at boot time. To do this add apparmor=1 security=apparmor to the kernel boot parameters in /boot/grub/menu.lst so the entry for the Arch Linux kernel looks something like
+
To test profiles, or enforce the use of AppArmor it must be enabled at boot time. To do this add {{ic|1=apparmor=1 security=apparmor}} to the [[kernel parameters|kernel boot parameters]].  
  
# (0) Arch Linux
+
After reboot you can test if AppArmor is really enabled using this command as root:
title  Arch Linux [/boot/vmlinuz26]
+
root  (hd0,1)
+
kernel /boot/vmlinuz26 root=/dev/sdaX resume=/dev/sdaY ro '''apparmor=1 security=apparmor'''
+
initrd /boot/kernel26.img
+
 
+
Once you are happy with all your profiles, you may wish to force users to boot with AppArmor enabled. To do this add a password entry to the start of /boot/grub/menu.lst. This will prevent users editing any boot entries or using the Grub shell (which permits read access to any file on the system such as /etc/shadow) before booting. You can also password protect any insecure entries in /boot/grub/menu.lst that you do not want unauthorized users to boot by adding the lock command (or another password) immediately below the title line for that entry. See [[Grub#Password_protection]] or [http://www.gnu.org/software/grub/manual/legacy/Security.html#Security Security in the Grub Manual] for more details. If you are going to the trouble of securing Grub don't forget to secure your BIOS settings as well or users will be able to boot from their own CDs and USB sticks, gaining root access to the machine.
+
 
+
=== GRUB2 ===
+
 
+
==== Enable ====
+
Note that you can safely enable apparmor and '''it will not affect the system''' at all until you will enable it, load profiles and set them to enforce mode by userspace tools. So you don't have to be afraid to enable AA for testing purposes until you are enforcing AA profiles from init scripts (on each startup).
+
 
+
  # (0) Arch Linux
+
  menuentry "Arch Linux" {
+
    set root=(hd0,1)
+
    linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''
+
    initrd /kernel26.img
+
  }
+
 
+
After reboot you can test if apparmor is really enabled using this command as root:
+
 
   # cat /sys/module/apparmor/parameters/enabled  
 
   # cat /sys/module/apparmor/parameters/enabled  
 
   Y
 
   Y
 
(Y=enabled, N=disabled, no such file = module not in kernel)
 
(Y=enabled, N=disabled, no such file = module not in kernel)
  
==== Disable ====
+
=== Disable ===
AppArmor will be disabled by default in ArchLinux, so you will not need to disable it explicitly until you will build your own kernel with AppArmor enabled by default.
+
AppArmor will be disabled by default in Arch Linux, so you will not need to disable it explicitly until you will build your own kernel with AppArmor enabled by default. If so, Add {{ic|1=apparmor=0 security=""}} to [[kernel parameters|kernel boot parameters]].
  # (0) Arch Linux
+
  menuentry "Arch Linux" {
+
    set root=(hd0,1)
+
    linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''
+
    initrd /kernel26.img
+
  }
+
  
 
== System Configuration ==
 
== System Configuration ==
 
=== Mounts (/etc/fstab securityfs) ===
 
=== Mounts (/etc/fstab securityfs) ===
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces
+
http://wiki.apparmor.net/index.php/Kernel_interfaces
 
   none    /sys/kernel/security securityfs defaults            0      0
 
   none    /sys/kernel/security securityfs defaults            0      0
 
+
=== Systemd support ===
=== Init scripts ===
+
The AUR package {{AUR|apparmor}} includes a systemd service file that loads all AppArmor profiles in {{ic|/etc/apparmor.d/}}. To enable it to run on boot, use:
In future we'll implement some /etc/rc.d/ scripts that will enable and load profiles during startup.
+
{{bc|# systemctl enable apparmor}}
http://aur.pastebin.com/beQ4BjGX
+
The RC.d file of Slackware might be more interesting than ubuntu's init.d version
+
http://sprunge.us/IbeJ
+
 
+
==== For developers ====
+
 
+
from /lib/apparmor/rc.apparmor.functions
+
 
+
  # NOTE: rc.apparmor initscripts that source this file need to implement
+
  # the following set of functions:
+
  # aa_action
+
  # aa_log_action_start
+
  # aa_log_action_end
+
  # aa_log_success_msg
+
  # aa_log_warning_msg
+
  # aa_log_failure_msg
+
  # aa_log_skipped_msg
+
  # aa_log_daemon_msg
+
  # aa_log_end_msg
+
  
 
== UserSpace Tools ==
 
== UserSpace Tools ==
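Review bot: removing the GRUB1 password-protection paragraph (the "Once you are happy with all your profiles..." text) drops the only warning that enforcement depends on the boot parameters: anyone who can edit the kernel command line at the bootloader prompt can boot with apparmor=0 security="", the exact parameters the new "Disable" subsection documents, and run everything unconfined. Keep a bootloader-neutral sentence in the new "Enable" subsection pointing at the bootloader's password protection and the BIOS/firmware boot settings so the caveat survives the GRUB1/GRUB2 merge. Two smaller points in the same hunk: the "Disable" text has "If so, Add" mid-sentence, and the "Systemd support" section leaves the fstab securityfs entry above it without saying whether it is still needed (systemd mounts securityfs on /sys/kernel/security itself during early boot).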
Line 154: Line 104:
  
 
=== Maintainers ===
 
=== Maintainers ===
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions
+
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: http://wiki.apparmor.net/index.php/AppArmor_versions
eg.: Kernel 2.6.36 is compatible with AppArmor 2.5.1
+
e.g.: Kernel 2.6.36 is compatible with AppArmor 2.5.1
  
 
== More Info ==
 
== More Info ==
Ubuntu, Suse and a number of other Linux distributions use it. Redhat uses SELINUX which is apparently a little bit more difficult to configure properly.
+
AppArmor, like most other LSMs, supplements rather than replaces the default Discretionary access control. As such it's impossible to grant a process more privileges than it had in the first place.  
 
+
It suplements, rather than replaces the standard POSIX access control system.
+
 
+
What you can do with it is very easily create profiles for applications which either acccess the Internet or listen via IP (e.g servers).
+
 
+
One may specify at quite a fine grained level what applications may or may not do.
+
 
+
Taking a common example - Firefox is frequently the victim of Zero day exploits. If you were to browse to a website that ran a buffer overflow or such thing against your browser - all data accessible to Firefox would then belong to the attackers, think SSH keys, password stores etc etc.
+
  
Likewise Wireshark (tcpdump) has had decoder modules with buffer overflows before, imagine the scenario - you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).
+
Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and it's variants) use SELinux which requires good userspace integration to work properly. People tend to agree that it is also much much harder to configure correctly.  
  
For both these applications, apparmor profiles exist. The configuration is stored in easy to read text files in /etc/apparmor.d/<application name>.
+
Taking a common example - A new Flash vulnerability: If you were to browse to a malicious website AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process which makes isolating them much easier.
  
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and it's own profile directory, that it cannot create shell processes etc.
+
AppArmor profiles (usually) get stored in easy to read text files in {{ic|/etc/apparmor.d}}
  
Every breach of policy triggers a message in the syslog, many distributions also integrate it into DBUS so that you get realtime violation warnings popping up on your desktop.
+
Every breach of policy triggers a message in the system log, and many distributions also integrate it into DBUS so that you get real-time violation warnings popping up on your desktop.
  
 
== See also ==
 
== See also ==
 
* [[TOMOYO Linux]]
 
* [[TOMOYO Linux]]
 
* [[SELinux]]
 
* [[SELinux]]
* [[DNSSEC]]
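Review bot: "RHEL (and it's variants)" should read "its variants", and the rewritten "More Info" section loses the one concrete description of what a profile restricts (the removed Firefox sentence: read access only to ~/Downloads and its own profile directory, no creation of shell processes). The new Flash paragraph says AppArmor "can prevent the exploited plugin from accessing anything that may contain private information" without saying how; restore a one-line statement of the rule granularity (paths, permissions, program execution) next to the /etc/apparmor.d sentence so the claim is grounded. Also "Discretionary access control" should be lowercase with the DAC abbreviation introduced, since the sentence contrasts it with the MAC term used in the lead.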
 

Revision as of 10:44, 7 October 2013

This article or section is out of date.
AppArmor is a Mandatory Access Control (MAC) system, implemented upon the Linux Security Modules (LSM).

Preventing circumvention of path-based MAC via links

Under the standard POSIX security model AppArmor can be circumvented via hard links. However, the kernel now includes the ability to prevent this without needing the patches that distributions such as Ubuntu have applied to their kernels as workarounds.

See Sysctl#Preventing_link_TOCTOU_vulnerabilities for details.

Implementation Status

AppArmor is currently available in the Arch Linux kernel, but it has to be activated at kernel boot.

Userspace support requires the AUR package apparmor.

Not all packages work out of the box, but it is a work in progress. If you know how to build profiles yourself you should not have too many problems. There is also an AUR kernel which includes the AppArmor-specific patches from Ubuntu's launchpad.

AUR/apparmor package

The package adds a lot of features:

  • apparmor-parser
  • libapparmor
  • apparmor-utils
  • apparmor-profiles
  • apparmor-notify
  • apparmor-lib
  • apparmor-perl
  • apparmor-python
  • apparmor-ruby
  • apparmor-dbus
  • apparmor-profile-editor

The following features are still missing (TODO):

  • A systemd .service for every important daemon in AppArmor
  • chase missing dependencies
  • test everything
  • make a list of the files that should go into the backup=() arrays of the packages
  • changehat modules for PAM(!), Apache and Tomcat (these depend on libapparmor)
  • out-of-the-box-experience know-how
    • a package with profiles for all [core] packages, enabled by default without any further user configuration
    • etc.
  • apparmor gnome applet (cannot be built, deprecated; find a working replacement)

Links

  • Official pages
    • Kernel: https://apparmor.wiki.kernel.org/ http://wiki.apparmor.net/
    • Userspace: https://launchpad.net/apparmor
  • http://www.kernel.org/pub/linux/security/apparmor/AppArmor-2.6/
  • http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
  • http://ubuntuforums.org/showthread.php?t=1008906 (Tutorial)
  • https://help.ubuntu.com/community/AppArmor
  • FS#21406 (https://bugs.archlinux.org/task/21406)
  • http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt
  • http://wiki.apparmor.net/index.php/Kernel_interfaces
  • http://wiki.apparmor.net/index.php/AppArmor_versions
  • http://manpages.ubuntu.com/manpages/oneiric/man5/apparmor.d.5.html
  • http://manpages.ubuntu.com/manpages/oneiric/man8/apparmor_parser.8.html
  • http://wiki.apparmor.net/index.php/Distro_CentOS
  • http://bodhizazen.net/aa-profiles/
  • https://wiki.ubuntu.com/ApparmorProfileMigration
  • Wikipedia: Linux Security Modules
  • http://wiki.apparmor.net/index.php/Gittutorial

AppArmor Packages

  • Arch's linux package has AppArmor support
  • aur/apparmor (https://aur.archlinux.org/packages.php?ID=42279)

Kernel Configuration

This is the Arch Linux kernel configuration that enables AppArmor (for reference only; you do not need to change it):

 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set

However, the integration of AppArmor into the kernel is not quite complete: network mediation is missing. See here for details. Compatibility patches shipped with the AppArmor tarball can be applied to any recent kernel to reintroduce these interfaces. The patchset is small and should be applied if you decide to use AppArmor. A suitably patched kernel is provided by the AUR package linux-apparmor. Historic note: as of Linux 3.12, the profile introspection patch is no longer needed.

Bootloader Configuration

Enable

To test profiles, or to enforce the use of AppArmor, it must be enabled at boot time. To do this, add apparmor=1 security=apparmor to the kernel boot parameters.

After reboot you can test if AppArmor is really enabled using this command as root:

 # cat /sys/module/apparmor/parameters/enabled 
 Y

(Y=enabled, N=disabled, no such file = module not in kernel)

Disable

AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default. If you do, add apparmor=0 security="" to the kernel boot parameters.

System Configuration

Mounts (/etc/fstab securityfs)

AppArmor's kernel interfaces live under securityfs (see http://wiki.apparmor.net/index.php/Kernel_interfaces). The following /etc/fstab entry mounts it at /sys/kernel/security:

 none     /sys/kernel/security securityfs defaults            0      0

Systemd support

The AUR package apparmor includes a systemd service file that loads all AppArmor profiles in /etc/apparmor.d/. To enable it to run on boot, use:

# systemctl enable apparmor
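The Enable section above gives one check (the enabled flag under /sys/module/apparmor) and this System Configuration section adds two more prerequisites (the securityfs mount and the profile-loading service). The script below, an added example that is not from the ArchWiki page or the apparmor package, wraps all of them into small functions that take their input as a path or a string, so they can be exercised against constructed files. The profile-list format it parses ("<name> (<mode>)", one profile per line) is the apparmor/profiles file the kernel exposes under securityfs; the file paths and the sample lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): AppArmor readiness checks.
# Each check takes its input explicitly so it can be run against test data.

# aa_flag_state FILE: interpret /sys/module/apparmor/parameters/enabled.
# Prints enabled, disabled, or absent (the page's "no such file = module not in kernel").
aa_flag_state() {
    if [ ! -e "$1" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$1")" in
        Y) echo enabled ;;
        N) echo disabled ;;
        *) echo unknown ;;
    esac
}

# aa_cmdline_requests CMDLINE: succeed only when both parameters the page
# requires (apparmor=1 security=apparmor) are present, in any order.
aa_cmdline_requests() {
    aa_has_flag=1; aa_has_sec=1
    for word in $1; do
        case "$word" in
            apparmor=1) aa_has_flag=0 ;;
            security=apparmor) aa_has_sec=0 ;;
        esac
    done
    [ "$aa_has_flag" -eq 0 ] && [ "$aa_has_sec" -eq 0 ]
}

# aa_securityfs_mounted MOUNTS_FILE: succeed if a /proc/mounts-style listing
# shows securityfs on /sys/kernel/security (what the fstab entry above provides).
aa_securityfs_mounted() {
    awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# aa_count_mode PROFILES_FILE MODE: count loaded profiles in MODE (enforce or
# complain).  The kernel lists them as "/usr/sbin/cupsd (enforce)", one per line.
aa_count_mode() {
    awk -v want="($2)" '$NF == want { n++ } END { print n + 0 }' "$1"
}

# aa_report: run the checks against the live system.  Only meaningful on a
# host that has AppArmor; on any other host it just reports what is missing.
aa_report() {
    echo "flag:       $(aa_flag_state /sys/module/apparmor/parameters/enabled)"
    if aa_cmdline_requests "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "cmdline:    apparmor=1 security=apparmor present"
    else
        echo "cmdline:    AppArmor not requested at boot"
    fi
    if aa_securityfs_mounted /proc/mounts 2>/dev/null; then
        echo "securityfs: mounted"
        p=/sys/kernel/security/apparmor/profiles
        if [ -r "$p" ]; then
            echo "profiles:   $(aa_count_mode "$p" enforce) enforce, $(aa_count_mode "$p" complain) complain"
        fi
    else
        echo "securityfs: not mounted (see the fstab entry above)"
    fi
    return 0
}

aa_report
```

A profile that is listed but in complain mode only logs violations, so a machine where everything shows up under "complain" is not yet enforcing anything; the counts make that visible at a glance.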

UserSpace Tools

Users

You can currently install userspace tools from AUR.

Maintainers

You need userspace tools that are compatible with your kernel version. The compatibility list can be found at http://wiki.apparmor.net/index.php/AppArmor_versions. For example, kernel 2.6.36 is compatible with AppArmor 2.5.1.

More Info

AppArmor, like most other LSMs, supplements rather than replaces the default discretionary access control (DAC). As such, it cannot grant a process more privileges than it had in the first place.

Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly. People tend to agree that it is also much harder to configure correctly.

Taking a common example, a new Flash vulnerability: if you browse to a malicious website, AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process, which makes isolating them much easier.

AppArmor profiles are (usually) stored in easy-to-read text files in /etc/apparmor.d.

Every breach of policy triggers a message in the system log, and many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.
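To make the Flash paragraph and the /etc/apparmor.d sentence concrete, here is an added example (not from the ArchWiki page or any distribution's profile set) of what such a text file contains and how to check it before installing it. The confined binary, /usr/lib/example/plugin-helper, is a hypothetical path; the profile follows the apparmor.d file-naming convention (slashes in the binary path become dots), uses the @{HOME} tunable from tunables/global, and grants only the plugin's own files plus two writable locations, while explicit audit deny rules cover the places private data usually lives. Explicit deny rules take precedence over later allow rules and are silent by default; the audit prefix is what makes them produce the log message the page describes. The parse-only check uses the real apparmor_parser options -Q (skip loading into the kernel) and -K (skip the cache) when the tool is installed, and falls back to a brace-balance check otherwise.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): write and sanity-check a minimal
# AppArmor profile for a hypothetical browser plugin helper.

# write_profile DIR: create DIR/usr.lib.example.plugin-helper and print its path.
write_profile() {
    out="$1/usr.lib.example.plugin-helper"
    cat > "$out" <<'EOF'
# Hypothetical binary path used for illustration; adjust to the real helper.
#include <tunables/global>

/usr/lib/example/plugin-helper {
  #include <abstractions/base>

  # the helper's own code and data, read-only (m = map executable)
  /usr/lib/example/plugin-helper mr,
  /usr/lib/example/** r,

  # the only writable locations, and only files owned by the invoking user
  owner @{HOME}/.cache/plugin-helper/** rw,
  owner @{HOME}/Downloads/** rw,

  # explicit, logged denials for private data; these win over any allow rule
  audit deny @{HOME}/.ssh/** rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,
  audit deny @{HOME}/.mozilla/** w,
  audit deny /etc/shadow r,

  # no spawning of shells or other programs
  audit deny /bin/** x,
  audit deny /usr/bin/** x,
}
EOF
    echo "$out"
}

# profile_denies FILE PATH: succeed if FILE has a "deny" or "audit deny" rule
# whose path field is exactly PATH.
profile_denies() {
    awk -v want="$2" '
        ($1 == "deny" && $2 == want) || ($1 == "audit" && $2 == "deny" && $3 == want) { hit = 1 }
        END { exit hit ? 0 : 1 }' "$1"
}

# profile_syntax_ok FILE: parse-only check with apparmor_parser when available
# (-Q: do not load into the kernel, -K: do not use the cache); otherwise a
# brace-balance check so the function still works on a host without AppArmor.
profile_syntax_ok() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -Q -K "$1" >/dev/null 2>&1
    else
        awk '{ for (i = 1; i <= length($0); i++) { c = substr($0, i, 1); if (c == "{") o++; if (c == "}") o-- } }
             END { exit o == 0 ? 0 : 1 }' "$1"
    fi
}

# demo: write into a scratch directory rather than straight into /etc/apparmor.d
main_demo() {
    dir=$(mktemp -d)
    f=$(write_profile "$dir")
    if profile_syntax_ok "$f"; then
        echo "profile $f parses; install it with:"
        echo "  # cp $f /etc/apparmor.d/ && apparmor_parser -r /etc/apparmor.d/usr.lib.example.plugin-helper"
    else
        echo "profile $f has a syntax problem" >&2
        return 1
    fi
}
main_demo
```

The brace-balance fallback only catches gross structural errors; the authoritative check is apparmor_parser on the machine that will enforce the profile, since it also resolves the #include lines against that machine's /etc/apparmor.d.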

See also