AppArmor: Difference between revisions
m (Add to Security category)
(→Setup: add instructions for GRUB, describe creating your own profiles and getting the default ones)
Revision as of 02:56, 9 April 2023
AppArmor is a kernel security module that restricts the capabilities of individual programs. This allows administrators to prevent programs from accessing system resources in malicious ways, according to per-application specifications. AppArmor works by following profiles, which dictate what each application is and is not allowed to do.
Installation
# apk add apparmor
You should also install apparmor-utils if you want to use the aa-* tools (such as aa-status and aa-enabled) to interact with AppArmor.
# apk add apparmor-utils
Setup
Run the command
# cat /sys/kernel/security/lsm
to see which Linux security modules (LSMs) are currently set up.
With SYSLINUX
Use a text editor of your choice (preferably a TUI-based one, since some GUI setups don't work with privilege escalation, unless you use sudo -e) to edit
/boot/extlinux.conf
such that the APPEND line ends with the following:
lsm=landlock,yama,apparmor
Note that because you're specifying lsm in this .conf file you are overriding the default LSM list. Thus, you should include every LSM that you saw running in the above cat command. Additionally, the kernel initializes these modules in the order listed, so their position matters with regard to major and minor modules. Ensure that apparmor is placed first among the major modules. For convenience, note that yama, capability, and landlock, which come with Alpine Linux, are not major modules, so apparmor can be placed after them. The module called capability is included automatically and does not need to be written in.
With GRUB
Add the following at the end of the value for the key GRUB_CMDLINE_LINUX_DEFAULT:
apparmor=1 security=apparmor
Then apply with:
# grub-mkconfig -o /boot/grub/grub.cfg
Next, start AppArmor and tell openrc to start it on boot.
# rc-service apparmor start
# rc-update add apparmor boot
You can check whether AppArmor is running with the command aa-enabled:
# aa-enabled
If you notice that
# aa-status
doesn't report any profiles as loaded, then run
# apk add apparmor-profiles
and then reload AppArmor by restarting the system.
Additional profiles
The profiles provided by the apparmor-profiles package are just a starting point. You can create your own profiles by running
# aa-easyprof <binary name>
Configuration
AppArmor works using rules established in profiles. A set of pre-made profiles is available for ease of use:
# apk add apparmor-profiles
Reboot.
Use
View AppArmor's report with the command aa-status:
# aa-status
This details how many and which profiles are in use, as well as relevant findings such as how many profiles are in complain mode or in kill mode.
Troubleshoot
If you notice a lot of AppArmor errors on boot, run aa-status and aa-enabled in the terminal. If the output mentions AppArmor being disabled at boot, re-open your /boot/extlinux.conf file and make sure the APPEND line still ends with lsm=landlock,yama,apparmor.
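As an added example (not from the wiki page or the Alpine project), the following POSIX sh helpers apply the ordering rules from the Setup section to whatever /sys/kernel/security/lsm reports, so they generalize beyond the landlock,yama,apparmor case shown above, and add a check for the Troubleshoot step that verifies the lsm= parameter on an APPEND line. They assume only the module names the page lists as non-major (yama, capability, landlock); every other module is treated as major.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page. Two helpers for the
# Setup and Troubleshoot sections: build the lsm= value from the list in
# /sys/kernel/security/lsm, and check an existing APPEND line.

# Modules the wiki names as non-major. Anything else is treated as major,
# so apparmor must be placed in front of it.
MINOR="yama capability landlock"

is_minor() {
  for m in $MINOR; do [ "$1" = "$m" ] && return 0; done
  return 1
}

# build_lsm_list CURRENT: print CURRENT with capability dropped (the kernel
# adds it itself) and apparmor inserted ahead of the first major module.
build_lsm_list() {
  out="" inserted=0
  for mod in $(printf '%s' "$1" | tr ',' ' '); do
    case "$mod" in capability|apparmor) continue ;; esac
    if [ "$inserted" -eq 0 ] && ! is_minor "$mod"; then
      out="${out:+$out,}apparmor"; inserted=1
    fi
    out="${out:+$out,}$mod"
  done
  if [ "$inserted" -eq 0 ]; then out="${out:+$out,}apparmor"; fi
  printf '%s\n' "$out"
}

# check_append LINE: succeed only if LINE carries an lsm= parameter in which
# apparmor is listed and no major module precedes it.
check_append() {
  lsm=""
  for word in $1; do
    case "$word" in lsm=*) lsm=${word#lsm=} ;; esac
  done
  [ -n "$lsm" ] || return 1
  for mod in $(printf '%s' "$lsm" | tr ',' ' '); do
    [ "$mod" = "apparmor" ] && return 0
    is_minor "$mod" || return 1
  done
  return 1
}

# Print the fragment to append; a constructed sample list stands in when
# /sys/kernel/security/lsm is not readable (e.g. when run off the box).
current=$(cat /sys/kernel/security/lsm 2>/dev/null || echo "capability,landlock,yama")
echo "lsm=$(build_lsm_list "$current")"
```

Run check_append against the APPEND line from /boot/extlinux.conf before rebooting; a non-zero exit means apparmor is missing from lsm= or a major module is listed ahead of it.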