“UbuntuHelp:AppArmor”的版本间的差异

2007年11月30日 (五) 16:05的版本

文章出处:

https://help.ubuntu.com/community/AppArmor

点击翻译:

English

请不要直接编辑翻译本页，本页将定期与来源同步。

1 Introduction
2 Installation
- 2.1 Ubuntu 7.10 (Gutsy)
  - 2.1.1 Install additional AppArmor profiles
- 2.2 Ubuntu 7.04 (Feisty)
  - 2.2.1 Installing the latest version
  - 2.2.2 Kernel upgrade / apparmor-module-source upgrade
3 Usage
4 Profile customization
- 4.1 Set home directories location
5 FAQ
- 5.1 apparmor_status reports processes that are unconfined but have a profile defined
6 Creating a new profile
7 Update profiles
8 Resources

Introduction

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities. AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.

Installation

Ubuntu 7.10 (Gutsy)

AppArmor is installed and loaded by default in Gutsy. Some packages will install their own profiles. Additional profiles can found in the package apparmor-profiles from the Universe repository.

Install additional AppArmor profiles

Enable the Universe repository.
Install apparmor-profiles. See InstallingSoftware.

Ubuntu 7.04 (Feisty)

AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.

Enable the Universe repository.
Install apparmor-modules-source and module-assistant packages. See InstallingSoftware.
Compile the apparmor kernel module :

sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

Install apparmor-profiles, apparmor-utils and apparmor packages. See InstallingSoftware.

Installing the latest version

To install the latest apparmor packages on feisty, the packages have to be rebuilt. See latest apparmor utilities for feisty (LP #116627).

Kernel upgrade / apparmor-module-source upgrade

When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled :

sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules

In order to make sure that all running processes are protected, the system has then to be rebooted.

Usage

All the commands should be executed from a terminal.

List the current status of apparmor

sudo apparmor_status

Put a profile in complain mode

sudo aa-complain /path/to/bin

Example:

sudo aa-complain /bin/ping

Put all profiles into complain mode

sudo aa-complain /etc/apparmor.d/*

Put a profile in enforce mode

sudo aa-enforce /path/to/bin

Example:

sudo aa-enforce /bin/ping

Put all profiles in enforce mode

sudo aa-enforce /etc/apparmor.d/*

Disable AppArmor framework

sudo /etc/init.d/apparmor kill
sudo update-rc.d -f apparmor remove

Enable AppArmor framework

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor start 37 S .

Reload all profiles

sudo /etc/init.d/apparmor reload

Reload one profile

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

Example:

cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r

Disable one profile

ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/profile.name

Example:

ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/bin.ping

Enable one profile

By default, profiles are enabled (ie loaded into the kernel and applied to processes).

rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

Example:

rm /etc/apparmor.d/disable/bin.ping
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -a

Profile customization

Profiles can found in /etc/apparmor.d. Some customization can be made in /etc/apparmor.d/tunables/

Set home directories location

The location of home directories can be tuned in /etc/apparmor.d/tunables/home.

FAQ

apparmor_status reports processes that are unconfined but have a profile defined

Restart the listed processes. Rebooting will also fix the problem. AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started. But running processes won't be protected by AppArmor. Either restarting the processes or rebooting will fix this. You can also apply a profile to an already running process by issuing the following command:

sudo sh -c "echo 'setprofile /path/to/bin' > /proc/pid/attr/current"

Anchor(newprofile)

Creating a new profile

Design a test plan

Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow. Some standard test cases are :

starting the program
stopping the program
reloading the program
testing all the command supported by the init script

Generate the new profile

Use aa-genprof to generate a new profile. From a terminal, use the command aa-genprof:

sudo aa-genprof executable

Example:

sudo aa-genprof slapd

The man page has more information: man aa-genprof.

Include your new profile in apparmor-profiles package

To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

Include your test plan and testcases.
Attach your new profile to the bug.

Anchor(updateprofile)

Update profiles

When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.

sudo aa-logprof

The man page has more information : man aa-logprof

Resources

Intro to AppArmor for Geeks : detailed usage of apparmor.
AppArmor now in Feisty : small tutorial about generating a new profile for evince.

个人工具

“UbuntuHelp:AppArmor”的版本间的差异 - Ubuntu中文

搜索

导航

编辑

工具

“UbuntuHelp:AppArmor”的版本间的差异

来自Ubuntu中文

2007年11月30日 (五) 16:05的版本

目录

Introduction

Installation

Ubuntu 7.10 (Gutsy)

Install additional AppArmor profiles

Ubuntu 7.04 (Feisty)

Installing the latest version

Kernel upgrade / apparmor-module-source upgrade

Usage

List the current status of apparmor

Put a profile in complain mode

Put all profiles into complain mode

Put a profile in enforce mode

Put all profiles in enforce mode

Disable AppArmor framework

Enable AppArmor framework

Reload all profiles

Reload one profile

Disable one profile

Enable one profile

Profile customization

Set home directories location

FAQ

apparmor_status reports processes that are unconfined but have a profile defined

Creating a new profile

Design a test plan

Generate the new profile

Include your new profile in apparmor-profiles package

Update profiles

Resources

@@ 第1行： / 第1行： @@
 {{From|https://help.ubuntu.com/community/AppArmor}}
 {{Languages|UbuntuHelp:AppArmor}}
 == Introduction ==
 AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities.
 AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.
 == Installation ==
 === Ubuntu 7.10 (Gutsy) ===
 AppArmor is installed and loaded by default in Gutsy. Some packages will install their own profiles. Additional profiles can found in the package ''apparmor-profiles'' from the Universe repository.
 ==== Install additional AppArmor profiles ====
 * Enable the Universe repository.
 * Install ''apparmor-profiles''. See InstallingSoftware.
 === Ubuntu 7.04 (Feisty) ===
 AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.
 * Enable the Universe repository.
 * Install ''apparmor-modules-source'' and ''module-assistant'' packages. See InstallingSoftware.
@@ 第32行： / 第21行： @@
 </nowiki></pre>
 * Install ''apparmor-profiles'', ''apparmor-utils'' and ''apparmor'' packages. See InstallingSoftware.
 ==== Installing the latest version ====
 To install the latest apparmor packages on feisty, the packages have to be rebuilt.
 See [https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/116627 latest apparmor utilities for feisty (LP #116627)].
 ==== Kernel upgrade / apparmor-module-source upgrade ====
 When a new kernel is installed or when a new version of apparmor-module-source is installed, the apparmor module has to be recompiled :
@@ 第43行： / 第30行： @@
 sudo m-a -v -t install apparmor-modules
 </nowiki></pre>
 In order to make sure that all running processes are protected, the system has then to be rebooted.
 == Usage ==
 All the commands should be executed from a terminal.
 === List the current status of apparmor ===
 <pre><nowiki>
 sudo apparmor_status
 </nowiki></pre>
 === Put a profile in complain mode ===
 <pre><nowiki>
 sudo aa-complain /path/to/bin
 </nowiki></pre>
 Example:
 <pre><nowiki>
 sudo aa-complain /bin/ping
 </nowiki></pre>
 === Put all profiles into complain mode ===
 <pre><nowiki>
 sudo aa-complain /etc/apparmor.d/*
 </nowiki></pre>
 === Put a profile in enforce mode ===
 <pre><nowiki>
 sudo aa-enforce /path/to/bin
 </nowiki></pre>
 Example:
 <pre><nowiki>
 sudo aa-enforce /bin/ping
 </nowiki></pre>
 === Put all profiles in enforce mode ===
 <pre><nowiki>
 sudo aa-enforce /etc/apparmor.d/*
 </nowiki></pre>
 === Disable AppArmor framework ===
 <pre><nowiki>
 sudo /etc/init.d/apparmor kill
 sudo update-rc.d -f apparmor remove
 </nowiki></pre>
 === Enable AppArmor framework ===
 <pre><nowiki>
 sudo /etc/init.d/apparmor start
 sudo update-rc.d apparmor start 37 S .
 </nowiki></pre>
 === Reload all profiles ===
 <pre><nowiki>
 sudo /etc/init.d/apparmor reload
 </nowiki></pre>
 === Reload one profile ===
 <pre><nowiki>
 cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
 </nowiki></pre>
 Example:
 <pre><nowiki>
 cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -r
 </nowiki></pre>
 === Disable one profile ===
 <pre><nowiki>
 ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
 apparmor_parser -R /etc/apparmor.d/profile.name
 </nowiki></pre>
 Example:
 <pre><nowiki>
 ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
 apparmor_parser -R /etc/apparmor.d/bin.ping
 </nowiki></pre>
 === Enable one profile ===
 By default, profiles are enabled (ie loaded into the kernel and applied to processes).
 <pre><nowiki>
 rm /etc/apparmor.d/disable/profile.name
 cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
 </nowiki></pre>
 Example:
 <pre><nowiki>
 rm /etc/apparmor.d/disable/bin.ping
 cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -a
 </nowiki></pre>
 == Profile customization ==
 Profiles can found in <code><nowiki>/etc/apparmor.d</nowiki></code>.
 Some customization can be made in <code><nowiki>/etc/apparmor.d/tunables/</nowiki></code>
 === Set home directories location ===
 The location of home directories can be tuned in <code><nowiki>/etc/apparmor.d/tunables/home</nowiki></code>.
 == FAQ ==
 === apparmor_status reports processes that are unconfined but have a profile defined ===
 Restart the listed processes. Rebooting will also fix the problem.
 AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor will be started. But running processes won't be protected by AppArmor. Either restarting the processes or rebooting will fix this.
 You can also apply a profile to an already running process by issuing the following command:
 <pre><nowiki>
 sudo sh -c "echo 'setprofile /path/to/bin' > /proc/pid/attr/current"
 </nowiki></pre>
 [[Anchor(newprofile)]]
 == Creating a new profile ==
 === Design a test plan ===
 Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.
 Some standard test cases are :
 * starting the program
@@ 第188行： / 第126行： @@
 * reloading the program
 * testing all the command supported by the init script
 === Generate the new profile ===
 Use ''aa-genprof'' to generate a new profile.
 From a terminal, use the command ''aa-genprof'':
 <pre><nowiki>
 sudo aa-genprof executable
 </nowiki></pre>
 Example:
 <pre><nowiki>
 sudo aa-genprof slapd
 </nowiki></pre>
 The man page has more information: <code><nowiki>man aa-genprof</nowiki></code>.
 === Include your new profile in apparmor-profiles package ===
 To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the [https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug AppArmor package]:
-** Include your test plan and testcases.
+* Include your test plan and testcases.
-** Attach your new profile to the bug.
+* Attach your new profile to the bug.
 [[Anchor(updateprofile)]]
 == Update profiles ==
 When the program is misbehaving, audit messages are sent to the log files. The program ''aa-logprof'' can be used to scan log files for AppArmor audit messages, review them and update the profiles.
 <pre><nowiki>
 sudo aa-logprof
 </nowiki></pre>
 The man page has more information : <code><nowiki>man aa-logprof</nowiki></code>
 == Resources ==
 * [http://en.opensuse.org/AppArmor_Geeks Intro to AppArmor for Geeks] : detailed usage of apparmor.
 * [http://outflux.net/blog/archives/2007/04/02/apparmor-now-in-feisty/ AppArmor now in Feisty] : small tutorial about generating a new profile for evince.
 ----
 [[category:CategoryDocumentation]]
 [[category:UbuntuHelp]]

	隐私政策关于Ubuntu中文免责声明
	Mozilla Cavendish Theme based on Cavendish style by Gabriel Wicke modified by DaSch for the Web Community Wiki github Projectpage – Report Bug – Skin-Version: 2.3.4