AppArmor: Difference between revisions

From Alpine Linux
(→‎With SYSLINUX: fix: rm nonexistent inline code template ref. for sudo -e)
m (Added Audit as a dependency when generating AppArmor profiles with the aa-* commands)
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{TOC right}}
AppArmor is a kernel security module that restricts individual programs' capabilities. This can allow administrators to prevent programs accessing system resources in malicious ways according to per-applications specifications. AppArmor works by following profiles, which dictate what each application is and is not allowed to do.  
AppArmor is a kernel security module that restricts individual programs' capabilities. This can allow administrators to prevent programs accessing system resources in malicious ways according to per-applications specifications. AppArmor works by following profiles, which dictate what each application is and is not allowed to do.  
<br>


== Installation ==
== Installation ==
Line 9: Line 9:
<br>
<br>


You should also install apparmor-utils if you want to use the aa command to interact with AppArmor.
You should also install <code>apparmor-utils</code> if you want to use the <code>aa</code> command to interact with AppArmor.


{{Cmd|# apk add {{Pkg|apparmor-utils}}}}
{{Cmd|# apk add {{Pkg|apparmor-utils}}}}
Line 23: Line 23:
=== With SYSLINUX ===
=== With SYSLINUX ===


Use a text editor of your choice (preferably a TUI based one since some GUI setups don't work with privilege escalation, unless you use sudo -e) to edit <pre>/boot/extlinux.conf</pre> such that the APPEND line ends with the following:
Use a text editor of your choice (preferably a TUI based one since some GUI setups don't work with privilege escalation, unless you use sudo -e) to edit <pre>/boot/extlinux.conf</pre> such that the <code>'''APPEND'''</code> line ends with the following:


<pre>
<pre>
Line 30: Line 30:


Note that because you're including lsm in this .conf file you are overriding the default lsm. Thus, you should include any lsm that you saw previously running in the above cat command. Additionally, lsm initializes these modules in order, so their position is important in regards to major/minor modules. Ensure that apparmor is placed first among major modules. Note for convenience that yama, capability, and landlock, which come with Alpine Linux, are not major modules, and apparmor can be placed after them. The module called capability is automatically included and does not need to be written in.  
Note that because you're including lsm in this .conf file you are overriding the default lsm. Thus, you should include any lsm that you saw previously running in the above cat command. Additionally, lsm initializes these modules in order, so their position is important in regards to major/minor modules. Ensure that apparmor is placed first among major modules. Note for convenience that yama, capability, and landlock, which come with Alpine Linux, are not major modules, and apparmor can be placed after them. The module called capability is automatically included and does not need to be written in.  
<br>


=== With GRUB ===
=== With GRUB ===


Add the following at the end of the value for key '''GRUB_CMDLINE_LINUX_DEFAULT''':
Add the following at the end of the value for key <code>'''GRUB_CMDLINE_LINUX_DEFAULT'''</code> to <code>/etc/default/grub</code>:


<pre>
<pre>
Line 42: Line 40:


Then apply with:
Then apply with:
{{Cmd|# grub-mkconfig -o /boot/grub/grub.cfg}}
{{Cmd|# grub-mkconfig -o /boot/grub/grub.cfg}}


Line 48: Line 47:
== Running ==
== Running ==


Next, start AppArmor and tell openrc to start it on boot.
Next, start AppArmor and tell [[OpenRC]] to start it on boot.
 


{{Cmd|# rc-service apparmor start}}
{{Cmd|# rc-service apparmor start}}
{{Cmd|# rc-update add apparmor boot}}
{{Cmd|# rc-update add apparmor boot}}


<br>
You can check if AppArmor is running with the command <code>aa-enabled</code>
 
You can check if AppArmor is running with the command aa-enabled


{{Cmd|# aa-enabled}}
{{Cmd|# aa-enabled}}


<br>


==Configuration==
== Configuration ==


AppArmor works using rules established in profiles. A set of pre-made profiles is available for ease of use:
AppArmor works using rules established in profiles. A set of pre-made profiles is available for ease of use:
Line 67: Line 65:
{{Cmd|# apk add {{Pkg|apparmor-profiles}}}}
{{Cmd|# apk add {{Pkg|apparmor-profiles}}}}


Reboot.
Reboot following installation
 
=== Enabling Extra Profiles ===
 
Extra profiles reside in {{Path|/usr/share/apparmor/extra-profiles/}}. In order to enable to profile, it needs to be copied to {{Path|/etc/apparmor.d/}}:
 
If you want to enable the profile for <code>usr.bin.chromium-browser</code>, for example:
 
{{Cmd|# cp /usr/share/apparmor/extra-profiles/usr.bin.chromium-browser /etc/apparmor.d/}}
 
This will ''install'' the profile, it then needs to be set to '''complain''' or '''enforce''' mode:


== Additional profiles ==
{{Cmd|# aa-complain /etc/apparmor.d/usr.bin.chromium-browser}}


The profiles provided by the apparmor-profiles package are just a starter. You can create your own profiles by running


{{Cmd|# aa-easyprof <binary name>}}
{{Note|Use <code>aa-enforce</code> to set it to enforce mode, '''but beware that this could break functionality'''.}}
 
=== Creating additional profiles ===
 
 
The profiles provided by the apparmor-profiles package are just a starter. You can create your own profiles, but first you must install and start <code>audit</code>
 
{{Cmd|# apk add {{Pkg|audit}}}}
 
{{Cmd|# rc-service auditd start}}
 
{{Cmd|# rc-update add auditd}}
 
<br>
 
Now you can generate your own profiles with
 
{{Cmd|# aa-easyprof /path/to/binary}}
 
or
 
{{Cmd|# aa-genprof /path/to/binary}}


<br>
<br>


==Use==
Note that for this to work you'll probably need to set a more verbose [https://linuxconfig.org/introduction-to-the-linux-kernel-log-levels kernel log level]. For improved security, set it back to a higher level afterwards.
 
== Use ==


View AppArmor's report with the command aa-status
View AppArmor's report:


{{Cmd|# aa-status}}
{{Cmd|# aa-status}}
Line 85: Line 115:
This details how many and what profiles are in use as well as relevant findings, such as how many profiles are in complain mode or in kill mode.
This details how many and what profiles are in use as well as relevant findings, such as how many profiles are in complain mode or in kill mode.


==Troubleshoot==


If you notice a bunch of AppArmor errors on boot, try running aa-status and aa-enabled in the terminal. If the output mentions AppArmor being disabled at boot, re-open your /boot/extlinux.conf file and make sure the APPEND line still ends with lsm=landlock,yama,apparmor
== Troubleshooting ==
 
If you notice a bunch of AppArmor errors on boot, try running <code>aa-status</code> and <code>aa-enabled</code> in the terminal. If the output mentions AppArmor being disabled at boot, re-open your <code>/boot/extlinux.conf</code> file and make sure the '''APPEND''' line still ends with <code>lsm=landlock,yama,apparmor</code>
 
 
== See Also ==
 
* [https://wiki.apparmor.net/ AppArmor Wiki]
* [https://wiki.debian.org/AppArmor/HowToUse Debian Wiki: How to use AppArmor]
* [https://wiki.archlinux.org/title/AppArmor AppArmor entry on ArchWiki]


[[Category:Security]]
[[Category:Security]]
[[Category:Kernel]]

Latest revision as of 20:47, 12 June 2024

AppArmor is a kernel security module that restricts individual programs' capabilities. This can allow administrators to prevent programs accessing system resources in malicious ways according to per-applications specifications. AppArmor works by following profiles, which dictate what each application is and is not allowed to do.

Installation

# apk add apparmor


You should also install apparmor-utils if you want to use the aa command to interact with AppArmor.

# apk add apparmor-utils


Setup

Run the command

# cat /sys/kernel/security/lsm

to see what linux security modules are currently setup.


With SYSLINUX

Use a text editor of your choice (preferably a TUI based one since some GUI setups don't work with privilege escalation, unless you use sudo -e) to edit

/boot/extlinux.conf

such that the APPEND line ends with the following:

lsm=landlock,yama,apparmor

Note that because you're including lsm in this .conf file you are overriding the default lsm. Thus, you should include any lsm that you saw previously running in the above cat command. Additionally, lsm initializes these modules in order, so their position is important in regards to major/minor modules. Ensure that apparmor is placed first among major modules. Note for convenience that yama, capability, and landlock, which come with Alpine Linux, are not major modules, and apparmor can be placed after them. The module called capability is automatically included and does not need to be written in.

With GRUB

Add the following at the end of the value for key GRUB_CMDLINE_LINUX_DEFAULT to /etc/default/grub:

apparmor=1 security=apparmor

Then apply with:

# grub-mkconfig -o /boot/grub/grub.cfg


Running

Next, start AppArmor and tell OpenRC to start it on boot.


# rc-service apparmor start

# rc-update add apparmor boot

You can check if AppArmor is running with the command aa-enabled

# aa-enabled


Configuration

AppArmor works using rules established in profiles. A set of pre-made profiles is available for ease of use:

# apk add apparmor-profiles

Reboot following installation

Enabling Extra Profiles

Extra profiles reside in /usr/share/apparmor/extra-profiles/. In order to enable to profile, it needs to be copied to /etc/apparmor.d/:

If you want to enable the profile for usr.bin.chromium-browser, for example:

# cp /usr/share/apparmor/extra-profiles/usr.bin.chromium-browser /etc/apparmor.d/

This will install the profile, it then needs to be set to complain or enforce mode:

# aa-complain /etc/apparmor.d/usr.bin.chromium-browser


Note: Use aa-enforce to set it to enforce mode, but beware that this could break functionality.

Creating additional profiles

The profiles provided by the apparmor-profiles package are just a starter. You can create your own profiles, but first you must install and start audit

# apk add audit

# rc-service auditd start

# rc-update add auditd


Now you can generate your own profiles with

# aa-easyprof /path/to/binary

or

# aa-genprof /path/to/binary


Note that for this to work you'll probably need to set a more verbose kernel log level. For improved security, set it back to a higher level afterwards.

Use

View AppArmor's report:

# aa-status

This details how many and what profiles are in use as well as relevant findings, such as how many profiles are in complain mode or in kill mode.


Troubleshooting

If you notice a bunch of AppArmor errors on boot, try running aa-status and aa-enabled in the terminal. If the output mentions AppArmor being disabled at boot, re-open your /boot/extlinux.conf file and make sure the APPEND line still ends with lsm=landlock,yama,apparmor


See Also