特殊:Badtitle/NS100:AppArmor

来自Ubuntu中文
Wikibot留言 | 贡献2007年11月30日 (五) 16:05的版本
跳到导航跳到搜索

{{#ifexist: :AppArmor/zh | | {{#ifexist: AppArmor/zh | | {{#ifeq: {{#titleparts:AppArmor|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:AppArmor|1|-1|}} | zh | | }}

Introduction

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities. AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.

Installation

Ubuntu 7.10 (Gutsy)

AppArmor is installed and loaded by default in Gutsy. Some packages will install their own profiles. Additional profiles can found in the package apparmor-profiles from the Universe repository.

Install additional AppArmor profiles

  • Enable the Universe repository.
  • Install apparmor-profiles. See InstallingSoftware.

Ubuntu 7.04 (Feisty)

AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.

  • Enable the Universe repository.
  • Install apparmor-modules-source and module-assistant packages. See InstallingSoftware.
  • Compile the apparmor kernel module :
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
  • Install apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.

Installing the latest version

To install the latest apparmor packages on feisty, the packages have to be rebuilt. See latest apparmor utilities for feisty (LP #116627).

Kernel upgrade / apparmor-module-source upgrade

When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled :

sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

In order to make sure that all running processes are protected, the system has then to be rebooted.

Usage

All the commands should be executed from a terminal.

List the current status of apparmor

sudo apparmor_status

Put a profile in complain mode

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put all profiles into complain mode

sudo aa-complain /etc/apparmor.d/*

Put a profile in enforce mode

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Put all profiles in enforce mode

sudo aa-enforce /etc/apparmor.d/*

Disable AppArmor framework

sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove

Enable AppArmor framework

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo /etc/init.d/apparmor reload

Reload one profile

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

Example:

cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r

Disable one profile

ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/profile.name

Example:

ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/bin.ping

Enable one profile

By default, profiles are enabled (ie loaded into the kernel and applied to processes).

rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

Example:

rm /etc/apparmor.d/disable/bin.ping
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -a

Profile customization

Profiles can found in /etc/apparmor.d. Some customization can be made in /etc/apparmor.d/tunables/

Set home directories location

The location of home directories can be tuned in /etc/apparmor.d/tunables/home.

FAQ

apparmor_status reports processes that are unconfined but have a profile defined

Restart the listed processes. Rebooting will also fix the problem. AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started. But running processes won't be protected by AppArmor. Either restarting the processes or rebooting will fix this. You can also apply a profile to an already running process by issuing the following command:

sudo sh -c "echo 'setprofile /path/to/bin' > /proc/pid/attr/current"

Anchor(newprofile)

Creating a new profile

Design a test plan

Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow. Some standard test cases are :

  • starting the program
  • stopping the program
  • reloading the program
  • testing all the command supported by the init script

Generate the new profile

Use aa-genprof to generate a new profile. From a terminal, use the command aa-genprof:

sudo aa-genprof executable

Example:

sudo aa-genprof slapd

The man page has more information: man aa-genprof.

Include your new profile in apparmor-profiles package

To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

  • Include your test plan and testcases.
  • Attach your new profile to the bug.

Anchor(updateprofile)

Update profiles

When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.

sudo aa-logprof

The man page has more information : man aa-logprof

Resources