AppArmor

From ArchWiki
Revision as of 02:08, 30 October 2010 by Harvie (talk | contribs) (Links)

AppArmor is a Mandatory Access Control (MAC) system implemented on top of the Linux Security Modules (LSM) framework.

Implementation Status

AppArmor is currently available in the Arch Linux kernel and in the AUR, but the user-space tools have not been tested yet. It will take some time to make everything work out of the box.

aur/apparmor package

The package already provides the following components:

  • apparmor-parser
  • libapparmor
  • apparmor-utils
  • apparmor-profiles
  • apparmor-notify
  • apparmor-lib
  • apparmor-perl
  • apparmor-python
  • apparmor-ruby
  • apparmor-dbus
  • apparmor-profile-editor

The following features are still missing (TODO):

  • init (rc.d) scripts!
  • changehat modules for PAM (!), Apache and Tomcat (these depend on libapparmor)
  • out-of-the-box know-how
  • split package (not possible in the AUR; right now it is an all-in-one package)
  • AppArmor GNOME applet (cannot be built, deprecated)

When compared to Ubuntu

We have almost everything that is in the following Ubuntu packages:

  • apparmor
  • apparmor-profiles
  • apparmor-utils
  • apparmor-notify
  • apparmor-docs
  • libapparmor1
  • libapparmor-dev
  • libapparmor-perl

We are still missing:

  • /etc/init.d/apparmor
  • the packages libapache2-mod-apparmor and libpam-apparmor

Links

AppArmor Packages

  • kernel26 2.6.36 (currently in [testing]) has AppArmor support
  • aur/apparmor

Kernel Configuration

This is the configuration of the Arch Linux kernel that enables AppArmor (just FYI, you do not need to touch it):

 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set

GRUB Configuration

GRUB1

GRUB2

Enable

Note that you can safely enable AppArmor on the kernel command line: it will not affect the system at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AppArmor for testing purposes, at least until you start enforcing profiles from init scripts on each startup.

 # (0) Arch Linux
 menuentry "Arch Linux" {
   set root=(hd0,1)
   linux /vmlinuz26 root=/dev/sda1 ro apparmor=1 security=apparmor
   initrd /kernel26.img
 }

After rebooting you can check whether AppArmor is really enabled by running this command as root:

 # cat /sys/module/apparmor/parameters/enabled 
 Y

(Y = enabled, N = disabled, no such file = AppArmor is not compiled into the kernel)
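The same check as a small POSIX shell script, added here as an example and not part of the original page. Beyond the Y/N parameter it also reads the list of loaded profiles that the kernel exposes through securityfs (/sys/kernel/security/apparmor/profiles, one line per profile in the form "<name> (<mode>)") and counts how many are in enforce and complain mode. The kernel interface paths are the standard ones; the variable and function names are this example's own, and the paths can be overridden so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Example AppArmor status check, added here and not part of the ArchWiki page.
# The two kernel interfaces are the standard ones; the variables let the
# functions be pointed at other files for testing.
AA_ENABLED_FILE="${AA_ENABLED_FILE:-/sys/module/apparmor/parameters/enabled}"
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Print "enabled", "disabled" or "not-in-kernel" (no such file).
# Exit status is 0 only when AppArmor is enabled.
aa_state() {
    file="${1:-$AA_ENABLED_FILE}"
    if [ ! -e "$file" ]; then
        echo "not-in-kernel"
        return 2
    fi
    case "$(cat "$file")" in
        Y) echo "enabled";  return 0 ;;
        N) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 3 ;;
    esac
}

# Count loaded profiles in the given mode ("enforce" or "complain").
# The listing has one profile per line, e.g. "/usr/sbin/tcpdump (enforce)".
# Prints 0 and returns 1 when the listing cannot be read (securityfs not
# mounted on /sys/kernel/security, or not running as root).
aa_count_mode() {
    mode="$1"
    file="${2:-$AA_PROFILES_FILE}"
    if [ ! -r "$file" ]; then
        echo 0
        return 1
    fi
    # grep -c prints the count even when it is 0 (and then exits 1).
    grep -c " (${mode})\$" "$file" || true
}

# Summary as you would run it as root after rebooting with apparmor=1.
aa_report() {
    state="$(aa_state)"
    echo "apparmor: $state"
    [ "$state" = "enabled" ] || return 1
    if [ ! -r "$AA_PROFILES_FILE" ]; then
        echo "cannot read $AA_PROFILES_FILE: is securityfs mounted on /sys/kernel/security?"
        return 1
    fi
    echo "profiles in enforce mode:  $(aa_count_mode enforce)"
    echo "profiles in complain mode: $(aa_count_mode complain)"
}

aa_report || echo "AppArmor is not confining anything on this system."
```

An enabled kernel with zero profiles in enforce mode is the normal state right after enabling the boot parameter, which is exactly why enabling it is harmless until profiles are loaded; the enforce count is the number to watch once init scripts start loading profiles.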

Disable

AppArmor will be disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.

 # (0) Arch Linux
 menuentry "Arch Linux" {
   set root=(hd0,1)
   linux /vmlinuz26 root=/dev/sda1 ro apparmor=0 security=""
   initrd /kernel26.img
 }

System Configuration

Mounts (/etc/fstab securityfs)

https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces

 securityfs     /sys/kernel/security securityfs defaults            0      0

Init scripts

In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load the profiles during startup.

UserSpace Tools

Users

You can currently install the userspace tools from the AUR.

Maintainers

You need userspace tools that are compatible with your kernel version. The compatibility list can be found at https://apparmor.wiki.kernel.org/index.php/AppArmor_versions; e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1.

More Info

Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently somewhat more difficult to configure properly. Another framework, TOMOYO, exists but is not currently integrated into any distribution.

It supplements, rather than replaces, the standard POSIX access control system.

With it you can very easily create profiles for applications which either access the Internet or listen on IP sockets (e.g. servers).

What an application may or may not do can be specified at quite a fine-grained level.

Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or a similar attack against your browser, all data accessible to Firefox would then belong to the attacker: think SSH keys, password stores and so on.

Likewise, Wireshark (and tcpdump) have had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, you run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).

For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files under /etc/apparmor.d/<application name>.

You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.

Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.
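An example profile in AppArmor's own syntax, added here to show the kind of restrictions the paragraphs above describe. It is not the Firefox profile shipped with apparmor-profiles; the binary path /usr/bin/firefox, the abstraction names and the file name /etc/apparmor.d/usr.bin.firefox are assumptions about the local installation and will need adjusting.

```apparmor
# Example profile, added here and not the one shipped with apparmor-profiles.
# Assumed location: /etc/apparmor.d/usr.bin.firefox
#include <tunables/global>

/usr/bin/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>

  # The binary, its libraries and shared data are read-only (m = mmap as code).
  /usr/bin/firefox            mr,
  /usr/lib/firefox/**         mr,
  /usr/share/**               r,

  # Network access is needed, but only ordinary TCP/UDP sockets, no raw sockets.
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

  # Only the user's own browser profile and Downloads folder are writable.
  owner @{HOME}/.mozilla/**   rw,
  owner @{HOME}/Downloads/**  rw,

  # Key material: explicitly denied, and "audit" forces a syslog entry for
  # every attempt (plain "deny" rules are silent), so an exploit that goes
  # looking for ~/.ssh shows up immediately in the log.
  audit deny @{HOME}/.ssh/**    rwlkmx,
  audit deny @{HOME}/.gnupg/**  rwlkmx,

  # No shell processes: a compromised browser must not spawn an interpreter.
  audit deny /{,usr/}bin/{sh,bash,dash,zsh} x,
  audit deny /usr/bin/{python*,perl}        x,
}
```

Anything not listed is already denied and logged, so the deny lines are not what blocks the access; they make the intent explicit, they win over any broader allow rule that a later edit might add, and with the audit prefix they keep the log line that a plain deny would suppress. Load the profile with apparmor_parser -r /etc/apparmor.d/usr.bin.firefox, put it into complain mode first with aa-complain (from apparmor-utils, listed above) and watch syslog for a while before switching it to enforce mode, since a profile this tight will break helper programs the browser launches until they are added.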

See also