Difference between revisions of "AppArmor"

From ArchWiki
m (Updated all the links to the apparmor wiki)
m (Fix style)
 
(33 intermediate revisions by 15 users not shown)
Text of the older revision (the left column of the diff). Everything that the intermediate revisions added or rewrote is the latest revision rendered further below; the sections == More Info == and == See also == are identical in both revisions and are shown only there.

[[Category:Security]]
[[Category:Kernel]]
{{Out of date}}
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).

== Preventing circumvention of path-based MAC via links ==
AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel now includes the ability to prevent this vulnerability, without needing the patches distributions like Ubuntu have applied to their kernels as workarounds.

See [[Sysctl#Preventing_link_TOCTOU_vulnerabilities]] for details.

== Implementation Status ==
AppArmor is currently available in the [https://bugs.archlinux.org/task/21406 Arch Linux kernel], but it has to be activated on kernel boot.

The userspace support requires [[AUR]] packages.

* https://aur.archlinux.org/packages.php?ID=42279

Not all the packages work out-of-the-box, but it is a work in progress. If you know how to build profiles yourself you shouldn't have too many problems.

Also there is an [https://aur.archlinux.org/packages.php?ID=60269 AUR kernel] which includes apparmor specific patches from Ubuntu's [https://launchpad.net/apparmor launchpad].

=== AUR/apparmor package ===
Added lot of features:
* apparmor-parser
* libapparmor
* apparmor-utils
* apparmor-profiles
* apparmor-notify
* apparmor-lib
* apparmor-perl
* apparmor-python
* apparmor-ruby
* apparmor-dbus
* apparmor-profile-editor

But we still miss following features (TODO):
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX
* chase missing dependencies
* test everything
* make list of files that should go to backup=() arrays in packages...
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)
* out-of-box-experience know-how
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration
** etc...
* apparmor gnome applet (can't build, deprecated...)

== Links ==
* Official pages
** Kernel: https://apparmor.wiki.kernel.org/ http://wiki.apparmor.net/index.php/Main_Page
** Userspace: https://launchpad.net/apparmor
* http://bodhizazen.net/aa-profiles/
* https://wiki.ubuntu.com/ApparmorProfileMigration
* [[wikipedia:Linux_Security_Modules]]
* http://wiki.apparmor.net/index.php/Gittutorial

== AppArmor Packages ==
* Arch's {{Pkg|linux}} package has AppArmor support
* aur/[https://aur.archlinux.org/packages.php?ID=42279 apparmor]

== Kernel Configuration ==
Here is configuration of ArchLinux kernel which enables AppArmor (just FYI, you do not need to touch it):
  CONFIG_SECURITY_APPARMOR=y
  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
  # CONFIG_DEFAULT_SECURITY_APPARMOR is not set

However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. (Note: the patchset for 2.6.39 works with Kernel 3.0.x)

== Bootloader Configuration ==
=== Enable ===
To test profiles, or enforce the use of AppArmor it must be enabled at boot time. To do this add {{ic|1=apparmor=1 security=apparmor}} to the [[kernel parameters|kernel boot parameters]].

After reboot you can test if AppArmor is really enabled using this command as root:
  # cat /sys/module/apparmor/parameters/enabled
  Y
(Y=enabled, N=disabled, no such file = module not in kernel)

==== Disable ====
AppArmor will be disabled by default in Arch Linux, so you will not need to disable it explicitly until you build your own kernel with AppArmor enabled by default. If so, add {{ic|1=apparmor=0 security=""}} to the [[kernel parameters|kernel boot parameters]].

== System Configuration ==
=== Mounts (/etc/fstab securityfs) ===
http://wiki.apparmor.net/index.php/Kernel_interfaces
  none    /sys/kernel/security securityfs defaults            0      0

== UserSpace Tools ==
=== Users ===
You can currently install userspace tools from [[AUR]].

=== Maintainers ===
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: http://wiki.apparmor.net/index.php/AppArmor_versions

e.g.: Kernel 2.6.36 is compatible with AppArmor 2.5.1

== More Info ==
(unchanged; see the latest revision below)

== See also ==
(unchanged; see the latest revision below)

Latest revision as of 03:37, 22 December 2015

AppArmor is a Mandatory Access Control (MAC) system, implemented upon the Linux Security Modules (LSM).

Installation

Kernel

When compiling the kernel, it needs the following options:

 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 CONFIG_AUDIT=y

Instead of setting CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and CONFIG_DEFAULT_SECURITY_APPARMOR, you can also set kernel boot parameters: apparmor=1 security=apparmor.

There also is a stock kernel with AppArmor: linux-apparmor (AUR) [broken link: archived in aur-mirror]. However, as of May 2015, that kernel is outdated.

Userspace Tools

The userspace tools and libraries to control AppArmor are supplied by the apparmor (AUR) package.

The package is a split package consisting of the following sub-packages:

  • apparmor (meta package)
  • apparmor-libapparmor
  • apparmor-utils
  • apparmor-parser
  • apparmor-profiles
  • apparmor-pam
  • apparmor-vim

To load all AppArmor profiles on startup, the apparmor (AUR) package includes a systemd unit:

# systemctl enable apparmor

Testing

After reboot you can test if AppArmor is really enabled using this command as root:

 # cat /sys/module/apparmor/parameters/enabled 
 Y

(Y=enabled, N=disabled, no such file = module not in kernel)

Note: Since AppArmor builds and installs a kernel module, it must be rebuilt against the current kernel on each kernel update.
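The manual check above reads one sysfs file by hand. As an added example (not code from the ArchWiki page or from the AppArmor project), the following POSIX sh script wraps that check in functions that handle the "no such file" case explicitly and also count the loaded profiles per mode from securityfs, which lists each profile in /sys/kernel/security/apparmor/profiles as "<name> (<mode>)". The sysfs root is a parameter so the functions can be exercised against the constructed tree that make_fake_sysfs builds; the profile names in that tree are sample data, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: report AppArmor state and the
# number of loaded profiles per mode. The sysfs root is a parameter so the
# functions can be exercised against a constructed tree as well as /sys.

# Print one of: enabled, disabled, missing (module not in kernel), unknown.
apparmor_state() {
    root="${1:-/sys}"
    f="$root/module/apparmor/parameters/enabled"
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    case "$(cat "$f")" in
        Y) echo enabled ;;
        N) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Count loaded profiles in one mode (enforce or complain). securityfs lists
# profiles in /sys/kernel/security/apparmor/profiles as "<name> (<mode>)";
# prints 0 when securityfs is not mounted or AppArmor is absent.
profiles_in_mode() {
    root="${1:-/sys}"
    mode="$2"
    f="$root/kernel/security/apparmor/profiles"
    if [ -r "$f" ]; then
        grep -c " ($mode)\$" "$f" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# Human-readable summary of the above.
apparmor_report() {
    root="${1:-/sys}"
    state=$(apparmor_state "$root")
    echo "AppArmor: $state"
    if [ "$state" = enabled ]; then
        echo "profiles in enforce mode:  $(profiles_in_mode "$root" enforce)"
        echo "profiles in complain mode: $(profiles_in_mode "$root" complain)"
    fi
}

# Build a constructed sysfs tree (sample data, not from a real system) so the
# functions can be tried offline; prints the temporary directory.
make_fake_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/module/apparmor/parameters" "$d/kernel/security/apparmor"
    printf 'Y\n' > "$d/module/apparmor/parameters/enabled"
    printf '%s\n' '/usr/bin/ping (enforce)' '/usr/sbin/cupsd (enforce)' \
        'firefox (complain)' > "$d/kernel/security/apparmor/profiles"
    echo "$d"
}

# Run against the real /sys (or a root given as the first argument).
apparmor_report "${1:-/sys}"
```

Run it as root to see the real counts; reading the profiles list from securityfs usually needs root, and the script reports 0 profiles rather than failing when the file is unreadable or securityfs is not mounted.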

Disabling

To disable AppArmor temporarily, you can add apparmor=0 security="" to the kernel boot parameters.

Alternatively run

# systemctl stop apparmor.service

to disable it for the current session.

Creating new profiles

To create new profiles using aa-genprof, auditd.service from the audit package must be running. Stop the service afterwards (and perhaps clear /var/log/audit/audit.log), because auditing adds overhead.

Security considerations

Preventing circumvention of path-based MAC via links

AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel now includes the ability to prevent this vulnerability, without needing the patches distributions like Ubuntu have applied to their kernels as workarounds.

See Security#Preventing link TOCTOU vulnerabilities for details.
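The linked sysctl section is where the fix lives; as an added example (not from the page), this sh script checks the two kernel knobs that section concerns, fs.protected_hardlinks and fs.protected_symlinks, treats an absent knob as a kernel that lacks the protection, and prints the sysctl.d lines that would enable both persistently. The proc root is a parameter so the check can run against the constructed tree that make_fake_proc builds (hardlink protection off, symlink protection on); the drop-in file name /etc/sysctl.d/50-link-protection.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: verify the kernel link
# protections that close the hardlink/symlink TOCTOU bypass of path-based
# MAC. The proc root is a parameter so the check can run against a
# constructed tree as well as the real /proc.

# Print the value of one fs.* knob, or "absent" if the kernel lacks it.
link_knob() {
    root="${1:-/proc}"
    knob="$2"
    f="$root/sys/fs/$knob"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Return 0 only when both protections are active (value 1).
link_protection_ok() {
    root="${1:-/proc}"
    [ "$(link_knob "$root" protected_hardlinks)" = 1 ] &&
    [ "$(link_knob "$root" protected_symlinks)" = 1 ]
}

# Human-readable report; when something is off, print the sysctl.d drop-in
# that would enable both knobs (file name is a constructed example).
link_protection_report() {
    root="${1:-/proc}"
    for k in protected_hardlinks protected_symlinks; do
        echo "fs.$k = $(link_knob "$root" "$k")"
    done
    if link_protection_ok "$root"; then
        echo "link protections: OK"
    else
        echo "link protections: NOT fully enabled; drop-in to fix:"
        echo "  # /etc/sysctl.d/50-link-protection.conf"
        echo "  fs.protected_hardlinks = 1"
        echo "  fs.protected_symlinks = 1"
    fi
}

# Constructed /proc tree (sample data) with hardlink protection switched off,
# for trying the check offline; prints the temporary directory.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/fs"
    printf '0\n' > "$d/sys/fs/protected_hardlinks"
    printf '1\n' > "$d/sys/fs/protected_symlinks"
    echo "$d"
}

# Report on the real /proc (or a root given as the first argument).
link_protection_report "${1:-/proc}"
```

Both knobs have been in mainline since kernel 3.6; a report of "absent" therefore means an older or stripped-down kernel, not a typo in the path.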

Tips and tricks

Get desktop notification on DENIED actions

To get a desktop notification whenever AppArmor logs a "DENIED" entry, start the notify daemon with

# aa-notify -p --display $DISPLAY

This daemon must be started at each boot.
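aa-notify watches the log live; as an added example (not code from the page or from aa-notify), the following sh/awk script does the same job offline over saved audit-log text: it pulls the profile, operation and path out of every apparmor="DENIED" record and counts distinct denials, ignoring ALLOWED (complain-mode) records and unrelated audit types. The records in sample_audit_log are constructed, with the field layout AppArmor writes to the audit log (apparmor=, operation=, profile=, name=, ...); the profile and program names in them are invented.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or from aa-notify: summarise
# apparmor="DENIED" audit records by profile, operation and path.

TAB="$(printf '\t')"

# Read audit-log text from the files given (or stdin) and print one line per
# distinct denial: profile<TAB>operation<TAB>name<TAB>count. ALLOWED records
# (complain mode) and other audit types are ignored.
summarise_denials() {
    awk '
        /apparmor="DENIED"/ {
            p = "?"; o = "?"; n = "?"
            s = $0
            # walk the key="value" fields of the record
            while (match(s, /[a-z_]+="[^"]*"/)) {
                kv = substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
                eq = index(kv, "=")
                k = substr(kv, 1, eq - 1)
                v = substr(kv, eq + 2, length(kv) - eq - 2)
                if (k == "profile") p = v
                if (k == "operation") o = v
                if (k == "name") n = v
            }
            count[p "\t" o "\t" n]++
        }
        END { for (key in count) print key "\t" count[key] }
    ' "$@" | sort
}

# Total number of DENIED records, e.g. for an alert threshold.
denial_count() {
    summarise_denials "$@" | awk -F "$TAB" '{ n += $4 } END { print n + 0 }'
}

# Constructed sample records (not from a real system), in the layout AppArmor
# writes to the audit log.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1450000000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1450000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-app" name="/etc/passwd" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1450000000.103:203): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=4243 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1450000000.104:204): apparmor="DENIED" operation="exec" profile="/usr/bin/example-app" name="/bin/sh" pid=4243 comm="example-app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1450000000.105:205): arch=c000003e syscall=2 success=no exit=-13 comm="example-app"
EOF
}

# Demo on the constructed sample; on a real system use
#   summarise_denials /var/log/audit/audit.log
sample_audit_log | summarise_denials
```

The same parser works on kernel-log output (for example from journalctl -k), because AppArmor uses the same key="value" layout there; the counts are what you would watch when deciding whether a denial is a genuine violation or a profile that still needs a rule.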

More Info

AppArmor, like most other LSMs, supplements rather than replaces the default discretionary access control (DAC). As such, it is impossible to grant a process more privileges than it had in the first place.

Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly and is generally considered much harder to configure correctly.

Take a common example, a new Flash vulnerability: if you browse to a malicious website, AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process, which makes isolating them much easier.

AppArmor profiles are (usually) stored as easy-to-read text files in /etc/apparmor.d.

Every breach of policy triggers a message in the system log, and many distributions also integrate it with D-Bus so that real-time violation warnings pop up on your desktop.

Links

  • Official pages
      • Kernel: https://apparmor.wiki.kernel.org/ http://wiki.apparmor.net/
      • Userspace: https://launchpad.net/apparmor
  • http://bodhizazen.net/aa-profiles/
  • https://wiki.ubuntu.com/ApparmorProfileMigration
  • Wikipedia: Linux Security Modules
  • http://wiki.apparmor.net/index.php/Gittutorial

See also

  • TOMOYO Linux
  • SELinux