AppArmor: Difference between revisions

From Alpine Linux
(Information and instruction on how to install, setup, and use AppArmor)
 
(consolidated information where it was more relevant)
Revision as of 00:20, 9 October 2022

AppArmor is a Linux security module (LSM) that restricts what individual programs are allowed to do. It lets administrators stop a program from accessing system resources in unintended or malicious ways, according to a per-application specification. AppArmor works by following profiles, which dictate which files, capabilities and other resources each confined application is and is not allowed to use.


Installation

# apk add apparmor


You should also install apparmor-utils if you want the aa-* utilities for working with profiles (for example aa-genprof and aa-logprof).

# apk add apparmor-utils


Setup

Run the command

# cat /sys/kernel/security/lsm

to see which Linux security modules are currently active. The list is printed in initialization order, and it is the list you will need to preserve in the next step.


Use a text editor like nano to edit

/boot/extlinux.conf

such that the APPEND line ends with the following:

lsm=landlock,yama,apparmor

Note that because you are setting lsm= on the kernel command line you are overriding the kernel's built-in default list. Thus, you should include every module that the cat command above reported as active; any module you leave out will no longer be initialized. The kernel initializes the listed modules in order, so their position matters for the major modules (apparmor, selinux, smack and tomoyo): place apparmor before any other major module. yama, capability and landlock, which ship with Alpine Linux, are minor modules, so apparmor can be placed after them. The module called capability is always initialized first and is added automatically, so it does not need to be written in. The new list takes effect on the next boot; if you use a bootloader other than extlinux (for example GRUB), add the same lsm= parameter to that bootloader's kernel command line instead. After rebooting, cat /proc/cmdline shows the parameter the kernel actually received.


Next, start AppArmor and tell OpenRC to start it on boot.

# rc-service apparmor start

# rc-update add apparmor


You can check whether AppArmor is enabled with the command aa-enabled:

# aa-enabled
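The setup procedure above (read the active LSM list, write the lsm= parameter into the APPEND line, confirm after the reboot) as an added POSIX sh example; this is not from the Alpine wiki page. It assumes that /sys/kernel/security/lsm is a comma-separated list in initialization order, that selinux, smack and tomoyo are the other major LSMs, and that capability is implicit. The APPEND lines in the usage are constructed samples, and the script never writes to /boot/extlinux.conf itself.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: derive the lsm= kernel parameter from the list the
# running kernel reports, splice it into an extlinux.conf APPEND line, and verify after reboot.
# Assumptions: /sys/kernel/security/lsm is a comma-separated list in initialisation order;
# selinux, smack and tomoyo are the other "major" LSMs; capability is implicit and omitted.

# join_csv LIST ITEM: append ITEM to a comma-separated LIST (LIST may be empty).
join_csv() {
    if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s,%s' "$1" "$2"; fi
}

# build_lsm_param CURRENT_LIST: print "lsm=..." keeping the order of the modules that are
# already active, dropping capability, and placing apparmor after the minor modules but
# before any other major module so that apparmor is the first major LSM.
build_lsm_param() {
    minors=""
    majors=""
    old_ifs=$IFS
    IFS=','
    for m in $1; do
        case "$m" in
            ''|capability|apparmor) ;;                          # implicit, or re-added below
            selinux|smack|tomoyo) majors=$(join_csv "$majors" "$m") ;;
            *) minors=$(join_csv "$minors" "$m") ;;
        esac
    done
    IFS=$old_ifs
    result=$(join_csv "$minors" apparmor)
    if [ -n "$majors" ]; then result=$(join_csv "$result" "$majors"); fi
    printf 'lsm=%s\n' "$result"
}

# set_lsm_in_append APPEND_LINE LSM_PARAM: print APPEND_LINE with an existing lsm=... token
# replaced by LSM_PARAM, or with LSM_PARAM appended when the line had none.
set_lsm_in_append() {
    out=""
    found=0
    set -f                                                      # do not glob-expand tokens
    for tok in $1; do
        case "$tok" in
            lsm=*) tok=$2; found=1 ;;
        esac
        out="$out $tok"
    done
    set +f
    if [ "$found" -eq 0 ]; then out="$out $2"; fi
    printf '%s\n' "${out# }"
}

# lsm_is_active LSM_LIST NAME: succeed when NAME appears in the comma-separated LSM_LIST.
# Run against /sys/kernel/security/lsm after the reboot to confirm the new lsm= took effect.
lsm_is_active() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run against the live kernel when securityfs is mounted and readable: prints the
# parameter to put on the APPEND line; nothing is written to /boot/extlinux.conf.
if [ -r /sys/kernel/security/lsm ]; then
    current=$(cat /sys/kernel/security/lsm)
    echo "active LSMs:   $current"
    echo "new parameter: $(build_lsm_param "$current")"
    if lsm_is_active "$current" apparmor; then echo "apparmor is already active"; fi
fi
```

With the Alpine default list capability,yama,landlock, build_lsm_param prints lsm=yama,landlock,apparmor; set_lsm_in_append replaces an existing lsm= token in place rather than appending a second one, which matters because the kernel would otherwise use the last occurrence and silently ignore the earlier one.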


Configuration

AppArmor enforces the rules written in profiles. A set of pre-made profiles for common programs is available for ease of use:

# apk add apparmor-profiles

Reboot so that the newly installed profiles are loaded.


Use

View AppArmor's status report with the command aa-status

# aa-status

This details how many profiles are loaded and which ones they are, how many of them are in enforce, complain or kill mode, and which running processes are currently confined by a profile.