AppArmor walkthrough | The ultimate guardian of a Linux machine

AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

AppArmor differs from some other MAC systems on Linux: it is path-based, it allows mixing of enforcement and complain mode profiles, it uses include files to ease development, and it has a far lower barrier to entry than other popular MAC systems.

AppArmor is an established technology first seen in Immunix and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor functionality is in the mainline Linux kernel from 2.6.36 onwards; work is ongoing by AppArmor, Ubuntu and other developers to merge additional AppArmor functionality into the mainline kernel.

In addition to manually creating profiles, AppArmor includes a learning mode, in which profile violations are logged, but not prevented. This log can then be used for generating an AppArmor profile, based on the program's typical behavior.

AppArmor is implemented using the Linux Security Modules (LSM) kernel interface.

AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain. Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux. They also claim that AppArmor requires fewer modifications to work with existing systems. For example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS. AppArmor is filesystem-agnostic.


AppArmor represents one of several possible approaches to the problem of restricting the actions that installed software may take.

The SELinux system generally takes an approach similar to AppArmor. One important difference is that SELinux identifies file system objects by inode number instead of by path. Under AppArmor, an inaccessible file can become accessible if a hard link to it is created, because the new path is not covered by the profile's rules. SELinux's inode-based model would still deny access through newly created hard links, because the hard link points to the same inaccessible inode.

SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.


Isolation of processes can also be accomplished by mechanisms like virtualization; the One Laptop per Child (OLPC) project, for example, sandboxes individual applications in lightweight Vserver instances.

In 2007, the Simplified Mandatory Access Control Kernel (SMACK) was introduced.

In 2009, a new solution called Tomoyo was included in Linux 2.6.30; like AppArmor, it also uses path-based access control.


How AppArmor Works

AppArmor works at the kernel level and is loaded during boot. AppArmor handles permissions via profiles. A profile is a set of rules that determines what a program can and cannot do. A profile can run in one of two modes: Enforcement and Complain. Enforcement mode strictly enforces the policy defined in the profile and also reports policy violation attempts. Complain mode only reports policy violation attempts and does not enforce the policy. Most profiles are loaded in Enforcement mode, though a good number of third-party profiles are loaded in Complain mode as well.


Checking out your AppArmor Status

If you are using Ubuntu 19.04 or above, AppArmor is installed by default and loads when you boot up your computer. To check the AppArmor status, type the following command in the terminal:

sudo apparmor_status


(Screenshot: output of apparmor_status, listing the loaded profiles and their modes.)


AppArmor Profiles

In AppArmor, processes are restricted by profiles. The list above shows the profiles that are installed on the system; these ones come with Ubuntu. You can install additional profiles with the apparmor-profiles package. Some packages, server software for example, ship their own AppArmor profiles, which are installed on the system along with the package. You can also create your own AppArmor profiles to restrict software.

Profiles can run in “complain mode” or “enforce mode.” In enforce mode – the default setting for the profiles that come with Ubuntu – AppArmor prevents applications from taking restricted actions. In complain mode, AppArmor allows applications to take restricted actions and creates a log entry complaining about this. Complain mode is ideal for testing an AppArmor profile before enabling it in enforce mode – you’ll see any errors that would occur in enforce mode.

Profiles are stored in the /etc/apparmor.d directory. These profiles are plain-text files that can contain comments.
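As an added illustration (not part of the original article or of any shipped Ubuntu profile), here is what a small profile file in /etc/apparmor.d could look like for a hypothetical daemon at /usr/bin/example-daemon; the program path, directories and rules are assumptions chosen to show the syntax and the complain flag described above:

```apparmor
# Added example: /etc/apparmor.d/usr.bin.example-daemon (hypothetical program and paths)
#include <tunables/global>

# The profile name is the path of the confined program.
# flags=(complain) makes AppArmor log violations without blocking them;
# remove the flag (or run `sudo aa-enforce usr.bin.example-daemon`)
# to switch the profile to enforce mode.
/usr/bin/example-daemon flags=(complain) {
  #include <abstractions/base>

  # Read-only access to the daemon's own configuration tree
  /etc/example-daemon/** r,

  # Read/write access limited to its state and log directories
  /var/lib/example-daemon/ r,
  /var/lib/example-daemon/** rw,
  /var/log/example-daemon/*.log w,

  # Explicit deny rules take precedence over any allow rule,
  # including rules pulled in from the abstraction above
  deny /home/** rwx,
  deny /etc/shadow r,

  # Listen on a TCP socket; binding a port below 1024 needs this capability
  network inet stream,
  capability net_bind_service,
}
```

Load or reload the file with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example-daemon`; `sudo apparmor_status` will then list the profile under complain mode until the flag is removed.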
