Difference between revisions of "AppArmor"

From ArchWiki
Latest revision as of 19:31, 29 November 2016

AppArmor is a Mandatory Access Control (MAC) system, implemented on top of the Linux Security Modules (LSM) framework in the kernel.

AppArmor, like most other LSMs, supplements rather than replaces the default Discretionary Access Control (DAC). A profile can therefore only take privileges away: it is impossible to grant a process more access than DAC already gives it.

Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly. SELinux attaches labels to every file, process and object and is therefore very flexible, but configuring it is considered complicated and it requires a filesystem that can store the labels (extended attributes). AppArmor, on the other hand, identifies programs and the files they may touch by path, so its configuration is easier to read and adapt.

AppArmor protects the operating system and applications from external and internal threats, including exploitation of not yet patched vulnerabilities, by enforcing a per-application rule set. A profile defines which system resources the application may access and with what permissions; inside a profile, anything that is not explicitly allowed is denied. Note the limit of this default: a program for which no profile is loaded runs unconfined, exactly as it would without AppArmor. A set of profiles ships with AppArmor, and with a combination of static analysis and learning-based tools (see Auditing and generating profiles below) policies for even complex applications can be built in a matter of hours.

Every breach of policy is logged through the kernel audit subsystem, and AppArmor can be configured to notify users with real-time violation warnings on the desktop (see Get desktop notification on DENIED actions below).

Installation

Kernel

Note: The user namespace option (CONFIG_USER_NS=y), which has been contentious, is not set in the Arch kernel configuration, but may bring additional functionality to AppArmor. See FS#36969 for details on user namespaces.

When compiling the kernel, it is required to at least set the following options:

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_AUDIT=y

So that these values are not overridden by earlier entries, place them at the bottom of the configuration file or adjust the earlier lines that set them.

Instead of setting CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and CONFIG_DEFAULT_SECURITY_APPARMOR, you can also set kernel boot parameters: apparmor=1 security=apparmor.

Userspace Tools

Note: AppArmor is not a loadable kernel module; it is compiled into the kernel as shown above, and the userspace package builds no kernel code. The userspace tools must however be compatible with the AppArmor version of the running kernel, so re-check that profiles still load after a major kernel update.

The userspace tools and libraries to control AppArmor are supplied by the apparmor package from the AUR.

The package is a split package which consists of following sub-packages:

  • apparmor (meta package)
  • apparmor-libapparmor
  • apparmor-utils
  • apparmor-parser
  • apparmor-profiles
  • apparmor-pam
  • apparmor-vim

To load all AppArmor profiles on startup, enable apparmor.service.

Testing

After a reboot you can test if AppArmor is really enabled using this command as root:

# cat /sys/module/apparmor/parameters/enabled
Y

(Y = enabled, N = disabled, no such file = AppArmor is not compiled into the running kernel.) Once the userspace tools are installed, aa-status additionally lists the loaded profiles, whether each is in enforce or complain mode, and which processes are confined by them.

Disabling

To disable AppArmor for the current session, stop apparmor.service, or disable it to prevent it from starting at the next boot.

Alternatively, you can keep the kernel support compiled in but not activate it by appending apparmor=0 security="" to the kernel boot parameters.

Configuration

Auditing and generating profiles

To create new profiles with aa-genprof, auditd.service from the package audit must be running. The profile generators read AppArmor events from a log file, but on Arch Linux, which uses systemd, kernel messages go to the journal and are not written to a file by default; auditd stores them in /var/log/audit/audit.log, which aa-genprof reads. AppArmor reports its decisions as type=AVC audit records (apparmor="DENIED" in enforce mode, apparmor="ALLOWED" for a profile in complain mode), and these are recorded as soon as auditd runs; no audit rule is needed for them. If you additionally want the application's system calls captured in the same log, add a rule with auditctl(8), for example:

# auditctl -a exit,always -F arch=b64 -S all -F path=/usr/bin/chromium -F key=MonitorChromium

but be sure to read Audit framework#Adding rules if this is unfamiliar to you.

Note: A rule like this records every system call the program makes and causes overhead proportional to its activity. Delete it again when you are done (auditctl -D removes all loaded rules) or stop auditd.service, and consider clearing /var/log/audit/audit.log, which such a rule grows quickly.
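As an added example (not part of the original page and not the AppArmor project's own code), the following Python script performs the aggregation step that aa-genprof and aa-logprof do before asking you about each rule: it reads auditd records, keeps only the AppArmor events, merges repeated accesses to one path into a single rule, maps the audit masks c and d to the profile permission w, generalises the home directory to @{HOME}, and prints a profile skeleton in the layout used on this page. The audit lines are constructed for the example, the profile name test is the one from this page, and ix for the exec event is a placeholder you have to confirm. A generated rule such as /etc/shadow r, is exactly the kind of suggestion to reject rather than accept, which is why the real tools are interactive.

```python
"""Turn AppArmor audit records into candidate profile rules: the aggregation step that
aa-logprof performs before asking you about each rule.  Added example, not project code."""
import re
from collections import defaultdict

# Constructed sample, not a real capture, in the format auditd stores AppArmor events.
# Record 4 says ALLOWED: that is how a profile in complain mode logs what enforce would deny.
# Record 6 is the SYSCALL record an auditctl rule adds; it carries no AppArmor fields.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1480000000.101:201): apparmor="DENIED" operation="open" profile="test" name="/etc/shadow" pid=4242 comm="test_binary" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1480000000.102:202): apparmor="DENIED" operation="open" profile="test" name="/home/user/.config/TEST/state.db" pid=4242 comm="test_binary" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1480000000.103:203): apparmor="DENIED" operation="open" profile="test" name="/home/user/.config/TEST/state.db" pid=4242 comm="test_binary" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1480000000.104:204): apparmor="ALLOWED" operation="capable" profile="test" pid=4242 comm="test_binary" capability=12 capname="net_admin"
type=AVC msg=audit(1480000000.105:205): apparmor="DENIED" operation="exec" profile="test" name="/usr/bin/xdg-open" pid=4243 comm="test_binary" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1480000000.105:205): arch=c000003e syscall=59 success=no exit=-13 comm="test_binary" key="MonitorTest"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit masks use c (create) and d (delete); in a profile rule both are covered by w
LOG_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a", "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "rwalkm"
HOME_RE = re.compile(r"^/home/[^/]+/")


def parse_event(line):
    """Key=value fields of one audit record, or None if it is not an AppArmor event."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    return fields if "apparmor" in fields else None


def canonical_perms(perms):
    """Order the letters as profiles conventionally list them; w already implies a."""
    if "w" in perms:
        perms = perms - {"a"}
    return "".join(p for p in PERM_ORDER if p in perms)


def suggest_rules(log_text):
    """Aggregate events per profile; repeated hits on one path merge into a single rule."""
    file_perms = defaultdict(lambda: defaultdict(set))  # profile -> path -> {letters}
    exec_paths = defaultdict(set)                        # profile -> {paths}
    caps = defaultdict(set)                              # profile -> {capability names}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        profile = ev["profile"]
        if ev.get("operation") == "capable":
            caps[profile].add(ev["capname"])
            continue
        if "name" not in ev:
            continue
        # generalise the home directory the way tunables/home does with @{HOME}
        path = HOME_RE.sub("@{HOME}/", ev["name"])
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        if ev.get("operation") == "exec" or "x" in mask:
            exec_paths[profile].add(path)
            mask = mask.replace("x", "")
        for ch in mask:
            if ch in LOG_TO_RULE:
                file_perms[profile][path].add(LOG_TO_RULE[ch])
    rules = defaultdict(list)
    for profile in set(file_perms) | set(exec_paths) | set(caps):
        for path, letters in file_perms[profile].items():
            rules[profile].append(f"{path} {canonical_perms(letters)},")
        for path in exec_paths[profile]:
            # ix (inherit the caller's profile) is the conservative placeholder; aa-logprof
            # asks whether px/Px/ux/Ux is wanted instead, and a human should decide that.
            rules[profile].append(f"{path} ix,")
        for cap in caps[profile]:
            rules[profile].append(f"capability {cap},")
        rules[profile].sort()
    return dict(rules)


def render_profile(name, attachment, rules):
    """Wrap the rules in the profile skeleton used on this page."""
    body = "\n".join(f"    {r}" for r in rules)
    return (f"#include <tunables/global>\n\nprofile {name} {attachment} {{\n"
            f"    #include <abstractions/base>\n\n{body}\n}}\n")


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT_LOG).items():
        print(render_profile(profile, "/usr/lib/test/test_binary", rules))
```

Run it against a real /var/log/audit/audit.log by passing the file contents to suggest_rules; the output is a starting point for review, not a profile to load as is.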

Understanding profiles

Profiles are human readable text files under /etc/apparmor.d/ that describe what a binary may do once it is executed. A basic profile looks similar to this:

/etc/apparmor.d/usr.bin.test
#include <tunables/global>

profile test /usr/lib/test/test_binary {
    #include <abstractions/base>

    # Main libraries and plugins
    /usr/share/TEST/** r,
    /usr/lib/TEST/** rm,

    # Configuration files and logs
    @{HOME}/.config/ r,
    @{HOME}/.config/TEST/** rw,
}

Tokens of the form @{NAME} are variables, defined in tunables (/etc/apparmor.d/tunables/) or by the profile itself; abstractions (/etc/apparmor.d/abstractions/) are reusable rule sets that profiles pull in with #include, which inserts the named file in place. A path followed by a set of letters is a file rule, and the letters are the access permissions. Path matching uses AppArmor's globbing syntax, in which * matches within a single path component and ** also crosses directory boundaries.

Most common use cases are covered by the following permissions (a for append-only writes, l for creating links and k for file locking also exist):

  • r — read: read data
  • w — write: create, delete, write to a file and extend it
  • m — memory map executable: memory map a file executable
  • x — execute: execute the file; must be combined with an exec qualifier that says which profile the new process runs under, for example ix (inherit the current profile), px or Px (transition to the target's own profile) or ux or Ux (run unconfined); the upper-case forms additionally scrub the environment

Remember that these permissions cannot let a binary exceed what the Discretionary Access Control (DAC) already permits; they only restrict it further.

This is merely a short overview, for a more detailed guide be sure to have a look at the documentation.
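The rules described above can be checked mechanically. The following Python script is an added example, not part of this page or of the AppArmor project: it parses the profile shown above (with three rules added for the example and marked as such), rejects an x without a qualifier or an unknown permission letter, expands @{HOME} from a constructed stand-in for the tunables, and evaluates file rules against concrete paths with the * versus ** distinction. The tunable values and the added helper paths are assumptions; deny rules and owner conditionals are not modelled.

```python
"""Parse a small AppArmor profile, validate its permission strings and evaluate file rules
against concrete paths with AppArmor's globbing.  Added example, not the project's code."""
import re

# The profile from this page plus three rules added here (marked) to exercise the checks.
SAMPLE_PROFILE = """\
#include <tunables/global>

profile test /usr/lib/test/test_binary {
    #include <abstractions/base>

    # Main libraries and plugins
    /usr/share/TEST/** r,
    /usr/lib/TEST/** rm,

    # Configuration files and logs
    @{HOME}/.config/ r,
    @{HOME}/.config/TEST/** rw,

    /usr/lib/TEST/helper Px,          # added: run the helper under its own profile
    /usr/lib/TEST/plugins/*.so mr,    # added: one directory level only, unlike **
    /usr/lib/TEST/bin/* x,            # added, deliberately wrong: x without a qualifier
}
"""

# Constructed stand-in for what tunables/global and tunables/home define (an assumption).
TUNABLES = {"HOME": ["/home/*", "/root"]}

FILE_LETTERS = set("rwalkm")
EXEC_QUALIFIERS = sorted(["ix", "ux", "Ux", "px", "Px", "cx", "Cx", "pix", "Pix", "cix", "Cix"],
                         key=len, reverse=True)


def split_perms(perms):
    """Split 'rPx' into ('r', 'Px'); the qualifier is empty when there is none."""
    qual = next((q for q in EXEC_QUALIFIERS if perms.endswith(q)), "")
    return perms[:len(perms) - len(qual)], qual


def check_perms(perms):
    """None if the permission string is valid, otherwise a description of the problem."""
    letters, qual = split_perms(perms)
    if "x" in letters:
        return "x must carry an exec qualifier (ix, px, Px, ux, Ux, cx, Cx, ...)"
    bad = set(letters) - FILE_LETTERS
    if bad:
        return "unknown permission letters: " + "".join(sorted(bad))
    return None


def parse_profile(text):
    """Header, #includes and (path, perms) rules; invalid rules are reported, not kept."""
    prof = {"name": None, "attachment": None, "includes": [], "rules": [], "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#include"):
            prof["includes"].append(re.match(r"#include\s+<([^>]+)>", line).group(1))
            continue
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line == "}":
            continue
        header = re.match(r"profile\s+(\S+)\s+(\S+)\s*\{$", line)
        if header:
            prof["name"], prof["attachment"] = header.groups()
            continue
        rule = re.match(r"(\S+)\s+(\S+),$", line)
        if not rule:
            prof["errors"].append(f"line {lineno}: cannot parse {line!r}")
            continue
        path, perms = rule.groups()
        err = check_perms(perms)
        if err:
            prof["errors"].append(f"line {lineno}: {err}")
        else:
            prof["rules"].append((path, perms))
    return prof


def expand_vars(pattern):
    """Replace @{NAME} with a brace alternation of the tunable's values."""
    return re.sub(r"@\{(\w+)\}", lambda m: "{" + ",".join(TUNABLES[m.group(1)]) + "}", pattern)


def glob_to_regex(pattern):
    """AppArmor globbing: * stops at /, ** does not, {a,b} alternates (no [] classes here)."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and pattern[i + 1:i + 2] == "*":
            out.append(".*")
            i += 2
            continue
        if ch == "*":
            out.append("[^/]*")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}":
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def permitted(rules, path, want):
    """True if the union of all rules matching path covers every letter in want."""
    granted = set()
    for rule_path, perms in rules:
        if re.fullmatch(glob_to_regex(expand_vars(rule_path)), path):
            letters, qual = split_perms(perms)
            granted |= set(letters) | ({"x"} if qual else set())
    return set(want) <= granted
```

Calling parse_profile(SAMPLE_PROFILE) yields six rules and one error for the unqualified x; permitted(prof["rules"], "/home/alice/.config/TEST/log", "rw") is true while the same path under .config/other is not, and the *.so rule does not reach into a sub-directory the way ** would.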

Parsing profiles

To load (in enforce or complain mode), unload, reload, cache and stat profiles, use apparmor_parser. The default action (-a) loads a new profile in enforce mode; -C loads it in complain mode instead, in which violations are only logged (as ALLOWED events) but not blocked, which is the mode to use while a profile is still being developed. To replace an already loaded profile use -r, and to remove one use -R. Each action may also apply to multiple profiles. Refer to the apparmor_parser(8) man page for more information.

Security considerations

Preventing circumvention of path-based MAC via links

AppArmor mediates file access by path, and a hard link gives the same inode a second path. Under the standard POSIX model any user may hard-link a file they cannot read or write into a directory they can write to, so a link to /etc/shadow placed in /tmp is judged by a profile under its /tmp name, which the profile may well allow. (Symlinks are resolved before the check, so they do not bypass a profile in the same way, but they enable the related TOCTOU races in world-writable directories.) The kernel has since included the ability to prevent both via the following settings, which systemd ships enabled on Arch Linux:

/usr/lib/sysctl.d/50-default.conf
...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

The patches that distributions like Ubuntu applied to their kernels as a workaround are therefore no longer needed. Verify the running values with sysctl fs.protected_hardlinks fs.protected_symlinks; both should be 1.

Tips and tricks

Get desktop notification on DENIED actions

aa-notify displays a desktop notification whenever AppArmor denies a program access. It must be started at each boot and needs a few parameters:

# aa-notify -p -f /var/log/audit/audit.log --display $DISPLAY

It relies on the events being written to a text file, given with -f. Since systemd does not log to a file, enable auditd.service and pass its log file to aa-notify. No audit rules are necessary for this, so the overhead is much smaller than with the optional syscall rule shown in Auditing and generating profiles.

Cache profiles

Since AppArmor has to compile the configured profiles into a binary format before loading them, loading may take some time. Besides being bothersome for the user, it may also increase the boot time significantly.

To avoid this, AppArmor can cache the compiled profiles in /etc/apparmor.d/cache/. This is disabled by default, so the cache must be written manually with apparmor_parser: -W writes the cache (-T ignores an existing cache entry so that it is regenerated), combined with -r to reload the profiles. Refer to Parsing profiles for a brief overview of the other arguments.

See also

  • TOMOYO Linux
  • SELinux
  • AppArmor wiki: http://wiki.apparmor.net/
  • AppArmor Core Policy Reference: http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference (detailed description of the options available in a profile)
  • Ubuntu Tutorial: http://ubuntuforums.org/showthread.php?t=1008906 (general overview of the utilities and of profile creation)
  • Ubuntu Wiki: https://help.ubuntu.com/community/AppArmor (basic command overview)
  • AppArmor Versions: http://wiki.apparmor.net/index.php/AppArmor_versions (version overview and links to the respective release notes)
  • apparmor.d(5): http://manpages.ubuntu.com/manpages/oneiric/man5/apparmor.d.5.html (structure of the AppArmor configuration directory)
  • apparmor_parser(8): http://manpages.ubuntu.com/manpages/oneiric/man8/apparmor_parser.8.html (the fundamental utility to load, unload, cache and stat profiles)
  • Kernel Interfaces: http://wiki.apparmor.net/index.php/Kernel_interfaces (low level interfaces to the AppArmor kernel code)
  • Apparmor Profile Migration: https://wiki.ubuntu.com/ApparmorProfileMigration (how profiles came about)
  • Wikipedia: Linux Security Modules (the framework AppArmor is built on)
  • Launchpad project page: https://launchpad.net/apparmor
  • FS#21406 (initial discussion about the introduction of AppArmor)