AppArmor (Bosanski)

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

AppArmor je Mandatory Access Control (MAC) sistem, implementiran nad Linux Security Modules (LSM).

AppArmor, kao i vecina drugih LSMs, potpomaze umjesto da u potpunosti zamjenjuje defaultni Discretionary Access Control (DAC). Kao takav, nemoguce je dodijeliti procesu vise privilegija nego sto je imao na pocetku.

Ubuntu, SUSE i broj drugih distribucija ga koriste po defaultu. RHEL (i njegove varijante) koriste SELinux koji zahtjeva dobru integraciju sa userspace da bi radio ispravno. SELinux dodaje labele svim fajlovima, procesima i objektima i kao takav je veoma fleksibilan. Medjutim, konfigurisanje SELinux se smatra komplikovanom i zahtjeva filesystem koji podrzava SELinux. AppArmor s druge strane radi sa putanjama fajlova i njegova konfiguracija se moze lako usvojiti.

AppArmor proaktivno stiti operativni sistem i aplikacija od eksternih i internih prijetnji cak i od zero-day napada forsiranjem specificnih pravila na nivou aplikacija. Sigurnosne police u potpunosti definiraju kojim sistemskim resursima aplikacije mogu da pristupe i sa kojim privilegijama. Pristup je odbijen po defaultu ako profil ne kaze drukcije. Nekoliko defaultnih polica su ukljucene u AppArmor i koristeci kombinaciju napredne staticke analize i learning-based alata, AppArmor police cak i za kompleksne aplikacije mogu biti deployane uspjesno u nekoliko sati.

Svaki breach police trigeruje poruku u sistemskom logu i AppArmor moze biti konfigurisan da obavijesti korisnike u real-time violation upozorenjima koji iskacu na desktopu.

Instalacija

AppArmor je dostupan u svim oficijalno podržanim kernelima.

Da ukljucite AppArmor kao defaultni sigurnosni model prilikom svakog bootanja, podesite sljedece kernel parametre:

apparmor=1 lsm=lockdown,yama,apparmor

Note: lsm= kernel parametar podesava raspored inicijalizacije Linux security modula. Vrijednost lsm= konfigurisana od strane kernela moze se pronaci sa zgrep CONFIG_LSM= /proc/config.gz i trenutna vrijednost sa cat /sys/kernel/security/lsm.

Pobrinite se da je apparmor prvi "major" modul u listi.[1] Primjeri validnih vrijednosti i njihov raspored mogu se pronaci na security/Kconfig.
capability se moze izostaviti iz lsm= jer ce uvijek biti ukljuceno automatski.

Instalirajte apparmor za userspace alate i libraries za kontrolu AppArmora. Da loadate sve AppArmor profile pri startanju, enableajte apparmor.service.

Custom kernel

When compiling the kernel, it is required to set at least the following options:

CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y

To use AppArmor as the default Linux security model and omitting the need of setting kernel parameters, also set the following options:

CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y

Usage

Display current status

To test if AppArmor has been correctly enabled:

$ aa-enabled

Yes

To display the current loaded status use aa-status(8):

# aa-status

apparmor module is loaded.
44 profiles are loaded.
44 profiles are in enforce mode.
 ...
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Parsing profiles

To load (enforce or complain), unload, reload, cache and stat profiles use apparmor_parser. The default action (-a) is to load a new profile in enforce mode, loading it in complain mode is possible using the -C switch, in order to overwrite an existing profile use the -r option and to remove a profile use -R. Each action may also apply to multiple profiles. Refer to apparmor_parser(8) man page for more information.

Disabling loading

Disable AppArmor by unloading all profiles for the current session:

# aa-teardown

To prevent from loading AppArmor profiles at the next boot disable apparmor.service. To prevent the kernel from loading AppArmor, remove apparmor=1 security=apparmor from the kernel parameters.

Configuration

Auditing and generating profiles

To create new profiles the Audit framework should be running. This is because Arch Linux adopted systemd and does not do kernel logging to file by default. AppArmor can grab kernel audit logs from the userspace auditd daemon, allowing you to build a profile.

New AppArmor profiles can be created by utilizing aa-genprof(8) and aa-logprof(8) tools available in apparmor package. Detailed guide about using those tools is available at AppArmor wiki - Profiling with tools.

Alternatively profiles may be also created manually, see guide available at AppArmor wiki - Profiling by hand.

Understanding profiles

Profiles are human readable text files residing under /etc/apparmor.d/ describing how binaries should be treated when executed. A basic profile looks similar to this:

/etc/apparmor.d/usr.bin.test

#include <tunables/global>

profile test /usr/lib/test/test_binary {
    #include <abstractions/base>

    # Main libraries and plugins
    /usr/share/TEST/** r,
    /usr/lib/TEST/** rm,

    # Configuration files and logs
    @{HOME}/.config/ r,
    @{HOME}/.config/TEST/** rw,
}

Strings preceded by a @ symbol are variables defined by abstractions (/etc/apparmor.d/abstractions/), tunables (/etc/apparmor.d/tunables/) or by the profile itself. #include includes other profile-files directly. Paths followed by a set of characters are access permissions. Pattern matching is done using AppArmor's globbing syntax.

Most common use cases are covered by the following statements:

r — read: read data
w — write: create, delete, write to a file and extend it
m — memory map executable: memory map a file executable
x — execute: execute file; needs to be preceded by a qualifier

Remember that those permission do not allow binaries to exceed the permission dictated by the Discretionary Access Control (DAC).

This is merely a short overview, for a more detailed guide be sure to have a look at the apparmor.d(5) man page and documentation.

Tips and tricks

Get desktop notification on DENIED actions

The notification daemon displays desktop notifications whenever AppArmor denies a program access. To automatically start aa-notify daemon on login follow below steps:

Install and enable Audit framework. Allow your desktop user to read audit logs in /var/log/audit by adding it to audit user group:

# groupadd -r audit
# gpasswd -a <username> audit

Add audit group to auditd.conf:

/etc/audit/auditd.conf

log_group = audit

Tip: You may use other already existing system groups like wheel or adm.

Create desktop launcher with the below content:

~/.config/autostart/apparmor-notify.desktop

[Desktop Entry]
Type=Application
Name=AppArmor Notify
Comment=Receive on screen notifications of AppArmor denials
TryExec=aa-notify
Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
StartupNotify=false
NoDisplay=true

Reboot and check if aa-notify daemon is running:

$ pgrep -ax aa-notify

Note: Depending on your specific system configuration there could be A LOT of notifications displayed.

For more information, see aa-notify(8).

Speed-up AppArmor start by caching profiles

Since AppArmor has to translate the configured profiles into a binary format it may significantly increase the boot time. You can check current AppArmor startup time with:

$ systemd-analyze blame | grep apparmor

To enable caching AppArmor profiles, uncomment:

/etc/apparmor/parser.conf

## Turn creating/updating of the cache on by default
write-cache

To change default cache location add:

/etc/apparmor/parser.conf

cache-loc=/path/to/location

Note: Since 2.13.1 default cache location is /var/cache/apparmor/, previously it was /etc/apparmor.d/cache.d/.

Reboot and check AppArmor startup time again to see improvement:

$ systemd-analyze blame | grep apparmor

Troubleshooting

Failing to start Samba SMB/CIFS server

See Samba#Permission issues on AppArmor.