Novell APPARMOR 2.3.1 Quick Start Card

This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor profiles—and how to create or modify them. You can create and manage AppArmor profiles in three different ways. The most convenient interface to AppArmor is provided by the AppArmor YaST modules, which can be used either in graphical or ncurses mode. The same functionality is provided by the AppArmor command line tools, or you can simply edit the profiles in a text editor.
AppArmor Modes
complain/learning
Loading a profile in complain (learning) mode reports policy violation attempts to syslogd without enforcing the profile; the logged entries are what logprof uses to learn the profile's requirements.
enforce
Loading a profile in enforce mode enforces the policy defined in the profile and reports policy violation attempts to syslogd.
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following parameters:
start
Load the kernel module, mount securityfs, parse and load profiles. Profiles and confinement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconfined.
stop
Unmount securityfs and invalidate profiles.
reload
Reload proles.
status
If AppArmor is enabled, output how many profiles are loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging with aa-eventd: the start and stop options toggle aa-eventd, and status reports whether it is running.
AppArmor Command Line Tools
autodep
Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be confined properly.
complain
Set an AppArmor prole to complain mode.
Manually activating complain mode (using the command line) adds a ag to the top of the prole so that /bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor prole to enforce mode from complain mode.
Manually activating enforce mode (using the command line) removes the mode flags from the top of the profile, so that /bin/foo flags=(complain) becomes /bin/foo.
genprof
Generate or update a profile. When running genprof, you must specify a program to profile. If the specified program is not an absolute path, genprof searches the $PATH variable. If a profile does not exist, genprof creates one using autodep.
logprof
Manage AppArmor proles. logprof is an interactive tool used to review the learning or complain mode output found in the AppArmor syslog entries and to generate new entries in AppArmor proles.
unconned
Output a list of processes with open tcp or udp ports that do not have AppArmor proles loaded.
Methods of Proling
Stand-Alone Proling
Using genprof. Suitable for proling small applications.
Systemic Proling
Suitable for proling large numbers of programs all at once and for proling applications that may run “forev­er.”
To apply systemic proling, proceed as follows:
1. Create proles for the individual programs that make up your application (autodep).
2. Put relevant proles into learning or complain mode.
3. Exercise your application.
4. Analyze the log (logprof).
5. Repeat Steps 3-4.
6. Edit the proles.
7. Return to enforce mode.
8.
Reload all proles (rcapparmor restart).
Learning Mode
When using genprof, logprof, or YaST in learning mode, you get several options for how to proceed:
Allow
Grant access.
Deny
Prevent access.
Glob
Modify the directory path to include all files in the suggested directory.
Glob w/Ext
Modify the original directory path while retaining the filename extension. This allows the program to access all files in the suggested directories that end with the specified extension.
Edit
Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list. This option is called New in the logprof and genprof command line tools.
Abort
Abort logprof or YaST, losing all rule changes entered so far and leaving all profiles unmodified.
Finish
Close logprof or YaST, saving all rule changes entered so far and modifying all profiles.
Example Prole
#include<tunables/global>
@{HOME} = /home/*/ /root/ # variable
/usr/bin/foo {
#include <abstractions/base> network inet tcp, capability setgid,
/bin/mount ux, /dev/{,u}random r, /etc/ld.so.cache r, /etc/foo/* r, /lib/ld-*.so* mr, /lib/lib*.so* mr, /proc/[0-9]** r, /usr/lib/** mr, /tmp/ r, /tmp/foo.pid wr, /tmp/foo.* lrw, /@{HOME}/.foo_file rw, /@{HOME}/.foo_lock kw,
link /etc/sysconfig/foo -> /etc/foo.conf, deny /etc/shadow w, owner /home/*/** rw,
/usr/bin/foobar cx, /bin/** px -> bin_generic
# comment on foo's local profile, foobar.
foobar {
/bin/bash rmix, /bin/cat rmix, /bin/more rmix, /var/log/foobar* rwl, /etc/foobar r,
}
}
Structure of a Prole
Proles are simple text les in the /etc/apparmor.d di­rectory. They consist of several parts: #include, capability entries, rules, and “hats.”
#include
This is the section of an AppArmor profile that refers to an include file, which mediates access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.
To assist you in profiling your applications, AppArmor provides three classes of #includes: abstractions, program chunks, and tunables.
Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting; examples are base, consoles, kerberosclient, perl, user-mail, user-tmp, authentication, bash, and nameservice.
Program chunks are access controls for specific programs that a system administrator might want to control based on local site policy. Each chunk is used by a single program.
Tunables are global variable definitions. When used in a profile, these variables expand to a value that can be changed without changing the entire profile. Therefore your profiles become portable to different environments.
Local Variables
Local variables are dened at the head of a prole. Use local variables to create shortcuts for paths, for example to pro­vide the base for a chrooted path:
@{CHROOT_BASE}=/tmp/foo /sbin/syslog-ng { ... # chrooted applications @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/log/** w, ... }
Aliases
Alias rules provide an alternative form of path rewriting to using variables, and are done post variable resolution:
alias /home/ -> /mnt/users/
Network Access Control
AppArmor provides network access mediation based on network domain and type:
/bin/ping {
  network inet dgram,
  network inet raw,
  ...
}
The example would allow IPv4 network access of the datagram and raw type for the ping command. For details on the network rule syntax, refer to the Part "Confining Privileges with Novell AppArmor" (↑Security Guide).
Capability Entries (POSIX.1e)
Capability statements are simply the word "capability" followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page.
Rules: General Options for Files and Directories
File Option   Meaning
r             read
w             write
l             link
k             file locking
a             file append (mutually exclusive with w)
Rules: Link Pair
The link mode grants permission to create links to arbitrary files, provided the link has a subset of the permissions granted by the target (subset permission test). By specifying origin and destination, the link pair rule provides greater control over how hard links are created. Link pair rules by default do not enforce the link subset permission test that the standard rule's link permission requires. To force the rule to require the test, use the subset keyword. The following rules are equivalent:
/link l,
link subset /link -> /**,
Rules: Denying rules
AppArmor provides deny rules, which are standard rules with the keyword deny prepended. They are used to remember known rejects and quiet them, so the reject messages don't fill up the log files. For more information see Part "Confining Privileges with Novell AppArmor" (↑Security Guide).