Novell APPARMOR 2.1 ADMINISTRATION GUIDE

Novell AppArmor (2.1) Quick Start

This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor proles. Learn how to create or modify AppArmor proles. You can create and manage AppArmor proles in three different ways. The most convenient interface to AppArmor is provided by means of the AppArmor YaST modules which can be used either in graphical or ncurses mode. The same functionality is provided by the AppArmor command line tools or if you just edit the proles in a text editor.

AppArmor Modes

complain/learning

In complain or learning mode, violations of AppArmor prole rules, such as the proled program accessing les not permitted by the prole, are detected. The violations are permitted, but also logged. This mode is convenient for developing proles and is used by the AppArmor tools for generating proles.

enforce

Loading a prole in enforcement mode enforces the policy dened in the prole as well as reports policy violation attempts to syslogd.

Starting and Stopping AppArmor

Use the rcapparmor command with one of the following parameters:

start

Load the kernel module, mount securityfs, parse and load proles. Proles and connement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconned.

stop

Unmount securityfs, and invalidate proles.

reload

Reload proles.

NOVELL® QUICK START CARD

status

If AppArmor is enabled, output how many proles are loaded in complain or enforce mode.

Use the rcaaeventd command to control event logging with aa-eventd. Use the start and stop options to toggle the status of the aa-eventd and check its status using the status.

AppArmor Command Line Tools

autodep

Guess basic AppArmor prole requirements. autodep creates a stub prole for the program or application examined. The resulting prole is called “approximate” because it does not necessarily contain all of the prole entries that the program needs to be conned properly.

complain

Set an AppArmor prole to complain mode.

Manually activating complain mode (using the command line) adds a ag to the top of the prole so that /bin/foo becomes /bin/foo flags=(complain).

enforce

Set an AppArmor prole to enforce mode from complain mode.

Manually activiating enforce mode (using the command line) removes mode ags from the top of the prole /bin/foo flags=(complain) becomes /bin/foo.

genprof

Generate or update a prole. When running, you must specify a program to prole. If the specied program is not an absolute path, genprof searches the $PATH variable. If a prole does not exist, genprof creates one using autodep.

logprof

Manage AppArmor proles. logprof is an interactive tool used to review the learning or complain mode output found in the AppArmor syslog entries and to generate new entries in AppArmor proles.

unconned

Output a list of processes with open tcp or udp ports that do not have AppArmor proles loaded.

Methods of Proling

Stand-Alone Proling

Using genprof. Suitable for proling small applications.

Systemic Proling

Suitable for proling large numbers of programs all at once and for proling applications that may run “forever.”

To apply systemic proling, proceed as follows:

1. Create proles for the individual programs that make up your application (autodep).

2. Put relevant proles into learning or complain mode.

3. Exercise your application.

4. Analyze the log (logprof).

5. Repeat Steps 3-4.

6. Edit the proles.

7. Return to enforce mode.

8. Reload all proles (rcapparmor restart).

Learning Mode

When using genprof, logprof, or YaST in learning mode, you get several options for how to proceed:

Allow

Grant access.

Deny

Prevent access.

Glob

Modify the directory path to include all les in the suggested directory.

Glob w/Ext

Modify the original directory path while retaining the lename extension. This allows the program to access all les in the suggested directories that end with the specied extension.

Edit

Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list. This option is called New in the logprof and genprof command line tools.

Abort

Abort logprof or YaST, losing all rule changes entered so far and leaving all proles unmodied.

Finish

Close logprof or YaST, saving all rule changes entered so far and modifying all proles.

Example Prole

# a variable definition @{HOME} = /home/*/ /root/

# a comment about foo. /usr/bin/foo { network inet tcp, /bin/mount ux, /dev/{,u}random r, /etc/ld.so.cache r, /etc/foo.conf r, /etc/foo/* r, /lib/ld-*.so* mr, /lib/lib*.so* mr, /proc/[0-9]** r, /usr/lib/** mr, /tmp/ r, /tmp/foo.pid wr, /tmp/foo.* lrw, /@{HOME}/.foo_file rw, /@{HOME}/.foo_lock kw,

# a comment about foo's subprofile, bar. ^bar { /lib/ld-*.so* mr, /usr/bin/bar px, /var/spool/* rwl, } }

Structure of a Prole

Proles are simple text les in the /etc/apparmor.d directory. They consist of several parts: #include, capability entries, rules, and “hats.”

#include

This is the section of an AppArmor prole that refers to an include le, which mediates access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole. It is good practice to select includes when suggested.

To assist you in proling your applications, AppArmor provides three classes of #includes: abstractions, program chunks, and variables.

Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting, for example, base, consoles, kerberosclient, perl, user-mail, user-tmp, authentication, bash, nameservice.

Program chunks are access controls for specic programs that a system administrator might want to control based on local site policy. Each chunk is used by a single program.

Using variables, you can design your proles to be portable to different environments. Changes in the variable's content are just made in the variable denition while the prole containing the variable can remain untouched.

Capability Entries (POSIX.1e)

Capabilities statements are simply the word “capability” followed by the name of the POSIX.1e capability as dened in the capabilities(7) man page.

Rules: General Options for Files and Directories

FileOption

rread

wwrite

llink

kle locking

ale append (mutually exclusive to w)

DescriptionFileOption

UxUncon-

strained

mAllow Executable Mapping

Executes the program without a prole. Avoid running programs in unconstrained or unconned mode for security reasons. This mode makes use of environment scrubbing.

allow PROT_EXEC with mmap(2) calls

WARNING: Running in ux Mode

Avoid running programs in ux mode as much as possible. A program running in ux mode is not only totally unprotected by AppArmor, but child processes inherit certain environment variables from the parent that might inuence the child's execution behavior and create possible security risks.

For more information about the different le execute modes, refer to the apparmor.d(5) man page. For more information about setgid and setuid environment scrubbing, refer to the ld.so(8) man page.

Network Access Control

AppArmor provides network access mediation based on network domain and type:

/bin/ping { network inet dgram, network inet raw, ... }

Rules: Dening Execute Permissions

For executables that may be called from the conned programs, the prole creating tools ask you for an appropriate mode, which is also reected directly in the prole itself:

DescriptionFileOption

Stay in the same (parent's) prole.ixInherit

pxProle

PxProle

uxUncon-

strained

Requires that a separate prole exists for the executed program. No environment scrubbing.

Requires that a separate prole exists for the executed program. Uses environment scrubbing.

Executes the program without a prole. Avoid running programs in unconstrained or unconned mode for security reasons. No environment scrubbing.

The example would allow IPv4 network access of the datagram and raw type for the ping command. For details on the network rule syntax, refer to the Novell AppArmor Ad- ministration Guide.

Rules: Paths and Globbing

AppArmor supports explicit handling of directories. Use a trailing / for any directory path that needs to be explicitly distinguished:

/some/random/example/* r

Allow read access to les in the /some/random/ example directory.

/some/random/example/ r

Allow read access to the directory only.

/some/**/ r

Give read access to any directories below /some.

/some/random/example/** r

Give read access to les and directories under /some/ random/example.

+ 4 hidden pages