AppArmor
Source: https://help.ubuntu.com/community/AppArmor
Latest revision as of 17:28, 19 May 2010.
This is a translated mirror of the Ubuntu community help page; it is synced periodically with the source rather than edited directly.
Introduction
AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities. AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe. Further information about AppArmor can be found on the AppArmor project's wiki (http://apparmor.wiki.kernel.org).
Installation
Ubuntu 8.04 (Hardy) and Higher
AppArmor is installed and loaded by default in Hardy. Some packages will install their own enforcing profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
Install additional AppArmor profiles
- Enable the Universe repository.
- Install apparmor-profiles. Click the link to install, or see InstallingSoftware for more installation options.
Ubuntu 7.10 (Gutsy)
AppArmor is installed and loaded by default in Gutsy. Some packages will install their own profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
Install additional AppArmor profiles
- Enable the Universe repository.
- Install apparmor-profiles. Click the link to install, or see InstallingSoftware for more installation options.
Ubuntu 7.04 (Feisty)
AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.
- Enable the Universe repository.
- Install apparmor-modules-source and module-assistant packages. Click the links to install, or see InstallingSoftware for more installation options.
- Compile the apparmor kernel module :
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
- Install apparmor-profiles, apparmor-utils and apparmor packages. Click the links to install, or see InstallingSoftware for more installation options.
Installing the latest version
To install the latest apparmor packages on Feisty, the packages have to be rebuilt. See latest apparmor utilities for feisty (LP #116627, https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627).
Kernel upgrade / apparmor-module-source upgrade
When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled :
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
In order to make sure that all running processes are protected, the system must then be rebooted.
Usage
All of the following commands should be executed from a terminal.
List the current status of apparmor
sudo apparmor_status
Put a profile in complain mode
sudo aa-complain /path/to/bin
Example:
sudo aa-complain /bin/ping
Put all profiles into complain mode
sudo aa-complain /etc/apparmor.d/*
Put a profile in enforce mode
sudo aa-enforce /path/to/bin
Example:
sudo aa-enforce /bin/ping
Put all profiles in enforce mode
sudo aa-enforce /etc/apparmor.d/*
Put all profiles except for one in enforce mode
GLOBIGNORE="*profile.name"
sudo aa-enforce /etc/apparmor.d/*
Example:
GLOBIGNORE="*bin.ping"
sudo aa-enforce /etc/apparmor.d/*
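The GLOBIGNORE recipe above is bash-specific: dash (Ubuntu's /bin/sh) ignores the variable, and in bash setting it also turns on dotglob. The glob /etc/apparmor.d/* additionally matches the abstractions, tunables and disable subdirectories, which are not profiles. The shell functions below are an added example, not part of the original page or of the AppArmor tools; the AA_ENFORCE preview variable and the skipped *.dpkg-*, *~ and *.bak suffixes are conventions of this example only.

```shell
#!/bin/sh
# Added example, not from the Ubuntu wiki page or the AppArmor project.
# Select every profile file under an AppArmor profile directory except one,
# without relying on bash's GLOBIGNORE: that variable is ignored by dash
# (Ubuntu's /bin/sh), and in bash setting it also turns on dotglob.
# /etc/apparmor.d/* also matches the abstractions/, tunables/ and disable/
# subdirectories, which are not profiles, so directories are skipped too.

# Print the profile files in directory $1, one per line, skipping
# subdirectories, package-manager and editor leftovers (a convention of
# this example), and the single profile whose basename is $2 (e.g. bin.ping).
aa_profiles_except() {
    dir=$1
    skip=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue               # abstractions/, tunables/, disable/ ...
        case "${f##*/}" in
            "$skip") continue ;;              # the one profile to leave alone
            *.dpkg-*|*~|*.bak) continue ;;    # not loadable profiles
        esac
        printf '%s\n' "$f"
    done
}

# Put every selected profile into enforce mode, one aa-enforce call per
# profile. AA_ENFORCE is this example's own knob: it defaults to the real
# tool, and AA_ENFORCE=echo previews which profiles would be touched.
enforce_all_except() {
    aa_profiles_except "$1" "$2" | while IFS= read -r profile; do
        ${AA_ENFORCE:-sudo aa-enforce} "$profile"
    done
}

# Usage on a real system (equivalent to the GLOBIGNORE recipe for bin.ping):
#   enforce_all_except /etc/apparmor.d bin.ping
# Preview first:
#   AA_ENFORCE=echo enforce_all_except /etc/apparmor.d bin.ping
```

Run the preview form first; it prints one path per profile that would be passed to aa-enforce and touches nothing.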
Disable AppArmor framework
Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (e.g. to use SELinux instead), users can:
sudo invoke-rc.d apparmor kill
sudo update-rc.d -f apparmor remove
On Ubuntu 8.04 (Hardy), Ubuntu 8.10 (Intrepid) and Ubuntu 9.04 (Jaunty):
sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove
Using kill with Ubuntu 8.10 or later gives the following error:
Killing AppArmor module - failed, AppArmor is builtin: Failed.
On Ubuntu 9.10 and later, you can either:
- adjust your kernel boot command line (see ```/boot/grub/menu.lst``` for Grub or ```/boot/grub/grub.cfg``` for Grub 2) to include either
  - 'apparmor=0'
  - 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, e.g. 'security="selinux"'
- remove the ```apparmor``` package with your package manager. Do not 'purge' apparmor if you think you might want to re-enable AppArmor at a later date
Enable AppArmor framework
sudo invoke-rc.d apparmor start
sudo update-rc.d apparmor start 37 S .
Reload all profiles
sudo invoke-rc.d apparmor reload
Reload one profile
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
Disable one profile
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
Example:
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping
Enable one profile
By default, profiles are enabled (ie loaded into the kernel and applied to processes).
sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
Profile customization
Profiles can be found in /etc/apparmor.d. These are simple text files and can be edited either with a text editor, or by using aa-logprof.
Some customization can be made in /etc/apparmor.d/tunables/. When updating profiles, it is important to use these variables where appropriate, so that a profile does not hard-code a location that differs between systems. Rather than using a rule like:
/home/*/ r,
use:
@{HOME}/ r,
After updating a profile, be sure to reload it (see above).
Set home directories location
The location of home directories can be tuned in /etc/apparmor.d/tunables/home.
FAQ
apparmor_status reports processes that are unconfined but have a profile defined
Restart the listed processes. Rebooting will also fix the problem.
AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started, but processes that were already running will not be protected by AppArmor. Either restarting the processes or rebooting will fix this.
You can also apply a profile to an already running process by issuing the following command, replacing /path/to/bin with the profile name and pid with the process ID:
sudo sh -c "echo 'setprofile /path/to/bin' > /proc/pid/attr/current"
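To find which running processes still need restarting, the apparmor_status output can be parsed instead of read by eye. The functions below are an added example, not from the original page or the AppArmor project. The embedded apparmor_status output is constructed to follow the tool's layout (a summary line per section followed by indented "/path (pid)" entries); the profile paths and PIDs in it are invented. setprofile_commands only prints the page's setprofile command for each process so the list can be reviewed; it does not run anything.

```shell
#!/bin/sh
# Added example, not from the Ubuntu wiki page or the AppArmor project.
# Parse apparmor_status (aa-status) output and list the processes it reports
# as "unconfined but have a profile defined", i.e. processes that were
# already running when their profile was loaded.

# Constructed sample output in the layout apparmor_status prints: a summary
# line per section, followed by indented "/path (pid)" entries. The paths
# and PIDs are invented for this example.
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
1 profiles are in complain mode.
   /bin/ping
3 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient (812)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (1201)
   /usr/sbin/tcpdump (2330)'

# Read apparmor_status output on stdin; print "<pid> <profile path>" for
# each entry in the "unconfined but have a profile defined" section.
# Assumes profile paths contain no spaces.
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { in_section = 1; next }
        /^[0-9]+ /                                            { in_section = 0 }
        in_section && /\([0-9]+\)[ \t]*$/ {
            pid = $NF
            gsub(/[()]/, "", pid)
            print pid, $1
        }
    '
}

# Print, but do not run, the setprofile command from the page for each such
# process, so the list can be reviewed before any process is touched.
setprofile_commands() {
    unconfined_with_profile | while read -r pid path; do
        printf "sudo sh -c \"echo 'setprofile %s' > /proc/%s/attr/current\"\n" "$path" "$pid"
    done
}

# On a live system:
#   sudo apparmor_status | unconfined_with_profile
#   sudo apparmor_status | setprofile_commands
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_AA_STATUS" | unconfined_with_profile
```

Restarting the service is still the cleaner fix: a process attached to a profile after the fact keeps any file descriptors and memory mappings it obtained while unconfined.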
How can I enable AppArmor for Firefox?
Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default. You can enable it using the following command:
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
Creating a new profile
Design a test plan
Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a short description and list the steps to follow. Some standard test cases are:
- starting the program
- stopping the program
- reloading the program
- testing all the commands supported by the init script
In the case of graphical programs, your test cases should also include anything you normally do. Downloading and opening files, saving files, uploading files, using plugins, saving configuration changes, and launching other programs are all possibilities.
Generate the new profile
Use aa-genprof to generate a new profile. From a terminal, use the command aa-genprof:
sudo aa-genprof executable
Example:
sudo aa-genprof slapd
The man page has more information: man aa-genprof.
Include your new profile in apparmor-profiles package
To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package (https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug):
- Include your test plan and testcases.
- Attach your new profile to the bug.
Migrating an apparmor-profiles profile to a package
Please see https://wiki.ubuntu.com/ApparmorProfileMigration
Update profiles
When a confined program does something its profile does not allow, AppArmor writes audit messages to the log files. The program aa-logprof can be used to scan the log files for AppArmor audit messages, review them and update the profiles.
sudo aa-logprof
The man page has more information: man aa-logprof.
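Before sitting down with the interactive aa-logprof, it helps to know which profiles are producing denials and for which paths. The function below is an added example, not part of the page or of the AppArmor tools: it summarizes AppArmor denial messages from a kern.log or syslog excerpt, handling both the older 'type=1503 ... denied_mask="::r"' layout and the newer 'apparmor="DENIED"' layout, locating each key="value" pair by name so field order does not matter. The log lines embedded as SAMPLE_KERN_LOG are constructed; the host, timestamps, PIDs and paths in them are not real events.

```shell
#!/bin/sh
# Added example, not from the Ubuntu wiki page or the AppArmor project.
# Summarize AppArmor denials from a kern.log/syslog excerpt before opening
# the interactive aa-logprof: one line per distinct
# (profile, operation, denied_mask, name), prefixed with a count, most
# frequent first. Handles the older 'type=1503 ... denied_mask="::r"' layout
# and the newer 'apparmor="DENIED"' layout; key="value" pairs are located by
# name, so their order on the line does not matter.

# Constructed log excerpt; host, timestamps, PIDs and paths are invented.
# The type=1505 profile_load line is a status message, not a denial, and
# must not be counted.
SAMPLE_KERN_LOG='Apr 20 13:51:05 host kernel: [ 143.1] type=1503 audit(1271768337.123:45): operation="open" pid=2330 parent=1 profile="/usr/sbin/tcpdump" requested_mask="::w" denied_mask="::w" fsuid=0 ouid=0 name="/root/capture.pcap"
Apr 20 13:51:06 host kernel: [ 144.2] type=1503 audit(1271768338.456:46): operation="open" pid=2330 parent=1 profile="/usr/sbin/tcpdump" requested_mask="::w" denied_mask="::w" fsuid=0 ouid=0 name="/root/capture.pcap"
Apr 20 13:52:01 host kernel: [ 199.3] type=1505 audit(1271768393.789:47): operation="profile_load" name="/bin/ping" pid=2401
Apr 20 13:53:10 host kernel: [ 268.4] apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 13:53:11 host kernel: [ 269.5] apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 13:53:12 host kernel: [ 270.6] apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 13:54:00 host kernel: [ 318.7] apparmor="DENIED" operation="exec" parent=812 profile="/sbin/dhclient" name="/bin/sh" pid=2512 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# Read log lines on stdin; print
# "count<TAB>profile<TAB>operation<TAB>denied_mask<TAB>name", most frequent first.
# Only enforce-mode denials are counted (apparmor="DENIED", or type=1503 in
# the older layout); complain-mode hits are logged as apparmor="ALLOWED" /
# type=1502 and are deliberately left out of this summary.
aa_denial_summary() {
    awk '
        # Return the value of key="..." on the current line, or "-" if absent.
        function field(key) {
            if (match($0, key "=\"[^\"]*\""))
                return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
            return "-"
        }
        /apparmor="DENIED"/ || /type=1503/ {
            k = field("profile") "\t" field("operation") "\t" field("denied_mask") "\t" field("name")
            count[k]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# On a live system:
#   sudo cat /var/log/kern.log | aa_denial_summary
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_KERN_LOG" | aa_denial_summary
```

The summary is a triage aid only: a high count for a single path may mean a missing rule, but it can just as well be the program doing something it should never do, and aa-logprof will happily add either to the profile if told to allow it.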
Debug AppArmor problems
When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
Resources
- Intro to AppArmor for Geeks (http://en.opensuse.org/AppArmor_Geeks) - detailed usage of apparmor.
- AppArmor now in Feisty (http://outflux.net/blog/archives/2007/04/02/apparmor-now-in-feisty/) - small tutorial about generating a new profile for evince.
External Links
- AppArmor Profile Repository (http://bodhizazen.net/aa-profiles/) - sample profiles for some common applications, written by members of the Ubuntu community.