Novell APPARMOR 2.3.1 Quick Start Card

This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor
proles. Learn how to create or modify AppArmor proles. You can create and manage AppArmor proles in
three different ways. The most convenient interface to AppArmor is provided by means of the AppArmor YaST
modules which can be used either in graphical or ncurses mode. The same functionality is provided by the
AppArmor command line tools or if you just edit the proles in a text editor.

AppArmor Modes

complain/learning

In complain or learning mode, violations of AppArmor
prole rules, such as the proled program accessing les
not permitted by the prole, are detected. The violations
are permitted, but also logged. This mode is convenient
for developing proles and is used by the AppArmor
tools for generating proles.

enforce

Loading a prole in enforcement mode enforces the
policy dened in the prole as well as reports policy vi­olation attempts to syslogd.

Starting and Stopping AppArmor

Use the rcapparmor command with one of the following
parameters:

start

Load the kernel module, mount securityfs, parse and
load proles. Proles and connement are applied to
any application started after this command was executed.
Processes already running at the time AppArmor is
started continue to run unconned.

stop

Unmount securityfs, and invalidate proles.

reload

Reload proles.

status

If AppArmor is enabled, output how many proles are
loaded in complain or enforce mode.

Use the rcaaeventd command to control event logging
with aa-eventd. Use the start and stop options to toggle
the status of the aa-eventd and check its status using the
status.

AppArmor Command Line Tools

autodep

Guess basic AppArmor prole requirements. autodep
creates a stub prole for the program or application
examined. The resulting prole is called “approximate”
because it does not necessarily contain all of the prole
entries that the program needs to be conned properly.

complain

Set an AppArmor prole to complain mode.

Manually activating complain mode (using the command
line) adds a ag to the top of the prole so that
/bin/foo becomes /bin/foo flags=(complain).

enforce

Set an AppArmor prole to enforce mode from complain
mode.

Novell AppArmor (2.3.1) Quick Start

NOVELL® QUICK START CARD

1

Manually activating enforce mode (using the command
line) removes mode ags from the top of the prole
/bin/foo flags=(complain) becomes /bin/foo.

genprof

Generate or update a prole. When running, you must
specify a program to prole. If the specied program is
not an absolute path, genprof searches the $PATH vari­able. If a prole does not exist, genprof creates one using
autodep.

logprof

Manage AppArmor proles. logprof is an interactive tool
used to review the learning or complain mode output
found in the AppArmor syslog entries and to generate
new entries in AppArmor proles.

unconned

Output a list of processes with open tcp or udp ports
that do not have AppArmor proles loaded.

Methods of Proling

Stand-Alone Proling

Using genprof. Suitable for proling small applications.

Systemic Proling

Suitable for proling large numbers of programs all at
once and for proling applications that may run “forev­er.”

To apply systemic proling, proceed as follows:

1. Create proles for the individual programs that make
up your application (autodep).

2. Put relevant proles into learning or complain mode.

3. Exercise your application.

4. Analyze the log (logprof).

5. Repeat Steps 3-4.

6. Edit the proles.

7. Return to enforce mode.

8.

Reload all proles (rcapparmor restart).

Learning Mode

When using genprof, logprof, or YaST in learning mode,
you get several options for how to proceed:

Allow

Grant access.

Deny

Prevent access.

Glob

Modify the directory path to include all les in the sug­gested directory.

Glob w/Ext

Modify the original directory path while retaining the
lename extension. This allows the program to access
all les in the suggested directories that end with the
specied extension.

Edit

Enable editing of the highlighted line. The new (edited)
line appears at the bottom of the list. This option is called
New in the logprof and genprof command line tools.

Abort

Abort logprof or YaST, losing all rule changes entered
so far and leaving all proles unmodied.

Finish

Close logprof or YaST, saving all rule changes entered
so far and modifying all proles.

Example Prole

#include<tunables/global>

@{HOME} = /home/*/ /root/ # variable

/usr/bin/foo {

#include <abstractions/base>
network inet tcp,
capability setgid,

/bin/mount ux,
/dev/{,u}random r,
/etc/ld.so.cache r,
/etc/foo/* r,
/lib/ld-*.so* mr,
/lib/lib*.so* mr,
/proc/[0-9]** r,
/usr/lib/** mr,
/tmp/ r,
/tmp/foo.pid wr,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,
/@{HOME}/.foo_lock kw,

link /etc/sysconfig/foo -> /etc/foo.conf,
deny /etc/shadow w,
owner /home/*/** rw,

/usr/bin/foobar cx,
/bin/** px -> bin_generic

# comment on foo's local profile, foobar.

foobar {

/bin/bash rmix,
/bin/cat rmix,
/bin/more rmix,
/var/log/foobar* rwl,
/etc/foobar r,

}

}

2

Structure of a Prole

Proles are simple text les in the /etc/apparmor.d di­rectory. They consist of several parts: #include, capability
entries, rules, and “hats.”

#include

This is the section of an AppArmor prole that refers to an
include le, which mediates access permissions for pro­grams. By using an include, you can give the program access
to directory paths or les that are also required by other
programs. Using includes can reduce the size of a prole.
It is good practice to select includes when suggested.

To assist you in proling your applications, AppArmor pro­vides three classes of #includes: abstractions, program
chunks, and tunables.

Abstractions are #includes that are grouped by common
application tasks. These tasks include access to authentica­tion mechanisms, access to name service routines, common
graphics requirements, and system accounting, for example,
base, consoles, kerberosclient, perl, user-mail, user-tmp,
authentication, bash, nameservice.

Program chunks are access controls for specic programs
that a system administrator might want to control based
on local site policy. Each chunk is used by a single program.

Tunables are global variable denitions. When used in a
prole, these variables expand to a value that can be
changed without changing the entire prole. Therefore your
proles become portable to different environments.

Local Variables

Local variables are dened at the head of a prole. Use local
variables to create shortcuts for paths, for example to pro­vide the base for a chrooted path:

@{CHROOT_BASE}=/tmp/foo
/sbin/syslog-ng {
...
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/log/** w,
...
}

Aliases

Alias rules provide an alternative form of path rewriting to
using variables, and are done post variable resolution:

alias /home/ -> /mnt/users/

Network Access Control

AppArmor provides network access mediation based on
network domain and type:

/bin/ping {
network inet dgram,
network inet raw,
...
}

The example would allow IPv4 network access of the data­gram and raw type for the ping command. For details on
the network rule syntax, refer to the Part “Conning Privi­leges with Novell AppArmor” (↑Security Guide).

Capability Entries (POSIX.1e)

Capabilities statements are simply the word “capability”
followed by the name of the POSIX.1e capability as dened
in the capabilities(7) man page.

Rules: General Options for Files and
Directories

FileOption

r

read

w

write

l

link

k

le locking

ale append (mutually exclusive to w)

Rules: Link Pair

The link mode grants permission to create links to arbitrary
les, provided the link has a subset of the permissions
granted by the target (subset permission test). By specifying
origin and destination, the link pair rule provides greater
control over how hard links are created. Link pair rules by
default do not enforce the link subset permission test that
the standard rules link permission requires. To force the
rule to require the test the subset keyword is used. The
following rules are equivalent:

/link l,
link subset /link -> /**,

Rules: Denying rules

AppArmor provides deny rules which are standard rules
but with the keyword deny prepended. They are used to
remember known rejects, and quiet them so the reject
messages don't ll up the log les. For more information
see Part “Conning Privileges with Novell AppArmor” (↑Se­curity Guide).

3

Rules: Owner Conditional Rules

The le rules can be extended so that they can be condi­tional upon the the user being the owner of the le. by
prepending the keyword owner to the rule. Owner condi­tional rules accumulate just as regular le rules and are
considered a subset of regular le rules. If a regular le rule
overlaps with an owner conditional le rule, the resultant
permissions will be that of the regular le rule.

Rules: Dening Execute Permissions

For executables that may be called from the conned pro­grams, the prole creating tools ask you for an appropriate
mode, which is also reected directly in the prole itself:

DescriptionFileOption

Stay in the same (parent's) prole.

ix

Inherit

Requires that a separate prole
exists for the executed program.

px

Prole

Use Px to make use of environ­ment scrubbing.

Requires that a local prole exists
for the executed program. Use Cx

cx

Local prole

to make use of environment
scrubbing.

Executes the program without a
prole. Avoid running programs

ux

Uncon­strained

in unconstrained or unconned
mode for security reasons. Use Ux
to make use of environment
scrubbing.

allow PROT_EXEC with mmap(2)
calls

m

Allow Exe­cutable Map­ping

WARNING: Running in ux Mode

Avoid running programs in ux mode as much as
possible. A program running in ux mode is not only
totally unprotected by AppArmor, but child process­es inherit certain environment variables from the
parent that might inuence the child's execution
behavior and create possible security risks.

For more information about the different le execute
modes, refer to the apparmor.d(5) man page. For more
information about setgid and setuid environment scrubbing,
refer to the ld.so(8) man page.

Rules: Paths and Globbing

AppArmor supports explicit handling of directories. Use a
trailing / for any directory path that needs to be explicitly
distinguished:

/some/random/example/* r

Allow read access to les in the /some/random/
example directory.

/some/random/example/ r

Allow read access to the directory only.

/some/**/ r

Give read access to any directories below /some.

/some/random/example/** r

Give read access to les and directories under /some/
random/example.

/some/random/example/**[^/] r

Give read access to les under /some/random/
example. Explicitly exclude directories ([^/]).

To spare users from specifying similar paths all over again,
AppArmor supports basic globbing:

DescriptionGlob

Substitutes for any number of charac­ters, except /.

*

Substitutes for any number of charac­ters, including /.

**

Substitutes for any single character, ex­cept /.

?

Substitutes for the single character a, b,
or c.

[ abc ]

Substitutes for the single character a, b,
or c.

[ a-c ]

Expand to one rule to match ab and
another to match cd.

{ ab,cd }

Substitutes for any character except a.[ ^a ]

Rules: Auditing rules

AppArmor provides the ability to audit given rules so that
when they are matched an audit message will appear in the
audit log. To enable audit messages for a given rule the
audit keyword is prepended to the rule:

audit /etc/foo/* rw,

Rules: Setting Capabilities

Normally AppArmor only restricts existing native Linux
controls and does not grant additional privileges. The only
exception from this strict rule is the set capability rule. For
security reasons, set capability rules will not be inherited,
so once a program leaves the prole, it looses the elevated
privilege. Setting a capability also implicitly adds a capability
rule allowing that capability. Since this rules allows to give
processes root privileges it should be used with extreme
caution and only in exceptional cases.

set capabilty cap_chown,

4

Hats

An AppArmor prole represents a security policy for an
individual program instance or process. It applies to an ex­ecutable program, but if a portion of the program needs
different access permissions than other portions, the pro­gram can “change hats” to use a different security context,
distinctive from the access of the main program. This is
known as a hat or subprole.

A prole can have an arbitrary number of hats, but there
are only two levels: a hat cannot have further hats.

The AppArmor ChangeHat feature can be used by applica­tions to access hats during execution. Currently the packages
apache2-mod_apparmor and tomcat_apparmor utilize
ChangeHat to provide sub-process connement for the
Apache Web server and the Tomcat servlet container.

Conning Users with pam_apparmor

The pam_apparmor PAM module allows applications to
conne authenticated users into subproles based on group
names, user names, or a default prole. To accomplish this,
pam_apparmor needs to be registered as a PAM session
module.

Details about how to set up and congure pam_apparmor
can be found in /usr/share/doc/packages/pam
_apparmor/README. A HOWTO on setting up role-based
access control (RBAC) with pam_apparmor is available at

http://developer.novell.com/wiki/index.php/
Apparmor_RBAC_in_version_2.3.

Logging and Auditing

All AppArmor events are logged using the system's audit
interface (the auditd logging to /var/log/audit/audit
.log). On top of this infrastructure, event notication can
be congured. Congure this feature using YaST. It is based
on severity levels according to /etc/apparmor/
severity.db. Notication frequency and type of noti­cation (such as e-mail) can be congured.

If auditd is not running, AppArmor logs to the system log
located under /var/log/messages using the LOG_KERN
facility.

Use YaST for generating reports in CSV or HTML format.

The Linux audit framework contains a dispatcher that can
send AppArmor events to any consumer application via
dbus. The GNOME AppArmor Desktop Monitor applet is
one example of an application that gathers AppArmor
events via dbus. To congure audit to use the dbus dispatch­er, just set the dispatcher in your audit conguration in
/etc/audit/auditd.conf to apparmor-dbus and
restart auditd:

dispatcher=/usr/bin/apparmor-dbus

Once the dbus dispatcher is congured correctly, add the
AppArmor Desktop Monitor to the GNOME panel. As soon
as a REJECT event is logged, the applet's panel icon
changes appearance and you can click the applet to see the
number of reject events per conned application. To view
the exact log messages, refer to the audit log under /var/
log/audit/audit.log. Use the YaST Update Prole
Wizard to adjust the respective prole.

Directories and Files

/sys/kernel/security/apparmor/profiles

Virtualized le representing the currently loaded set of
proles.

/etc/apparmor/

Location of AppArmor conguration les.

/etc/apparmor/profiles/extras/

A local repository of proles shipped with AppArmor,
but not enabled by default.

/etc/apparmor.d/

Location of proles, named with the convention of re­placing the / in pathnames with . (not for the root /)
so proles are easier to manage. For example, the prole
for the program /usr/sbin/ntpd is named usr.sbin

.ntpd.

/etc/apparmor.d/abstractions/

Location of abstractions.

/etc/apparmor.d/program-chunks/

Location of program chunks.

/proc/*/attr/current

Review the connement status of a process and the
prole that is used to conne the process. The ps auxZ
command retrieves this information automatically.

For More Information

To learn more about the AppArmor project, check out the
project's home page under http://en.opensuse.org/
AppArmor. Find more information on the concept and the
conguration of AppArmor in Part “Conning Privileges
with Novell AppArmor” (↑Security Guide).

Legal Notice

All content is copyright © 2006- 2009 Novell, Inc.

This manual is protected under Novell intellectual property
rights. By reproducing, duplicating or distributing this
manual you explicitly agree to conform to the terms and
conditions of this license agreement.

This manual may be freely reproduced, duplicated and dis­tributed either as such or as part of a bundled package in
electronic and/or printed format, provided however that
the following conditions are fullled:

5

That this copyright notice and the names of authors and
contributors appear clearly and distinctively on all repro­duced, duplicated and distributed copies. That this manual,
specically for the printed format, is reproduced and/or
distributed for noncommercial use only. The express autho­rization of Novell, Inc must be obtained prior to any other
use of any manual or part thereof.

For Novell trademarks, see the Novell Trademark and Ser­vice Mark list http://www.novell.com/company/

legal/trademarks/tmlist.html. Linux* is a regis­tered trademark of Linus Torvalds. All other third party
trademarks are the property of their respective owners. A
trademark symbol (®, ™ etc.) denotes a Novell trademark;
an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with
utmost attention to detail. However, this does not guarantee
complete accuracy. Neither Novell, Inc., SUSE LINUX Prod­ucts GmbH, the authors, nor the translators shall be held
liable for possible errors or the consequences thereof.

6

Created by SUSE® with XSL-FO

7