/etc/apparmor.d/
and they contain a list of access control rules on resources that each program can make use of. The profiles are compiled and loaded into the kernel by the apparmor_parser
command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.
#
apt install apparmor apparmor-profiles apparmor-utils
[...] #
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
#
update-grub
aa-status
will confirm it quickly:
#
aa-status
apparmor module is loaded. 44 profiles are loaded. 9 profiles are in enforce mode. /usr/bin/lxc-start /usr/lib/chromium-browser/chromium-browser//browser_java [...] 35 profiles are in complain mode. /sbin/klogd [...] 3 processes have profiles defined. 1 processes are in enforce mode. /usr/sbin/libvirtd (1295) 2 processes are in complain mode. /usr/sbin/avahi-daemon (941) /usr/sbin/avahi-daemon (1000) 0 processes are unconfined but have a profile defined.
aa-enforce
and aa-complain
giving as parameter either the path of the executable or the path to the policy file. Additionaly a profile can be entirely disabled with aa-disable
or put in audit mode (to log accepted system calls too) with aa-audit
.
#
aa-enforce /usr/sbin/avahi-daemon
Setting /usr/sbin/avahi-daemon to enforce mode.
#
aa-complain /etc/apparmor.d/usr.bin.lxc-start
Setting /etc/apparmor.d/usr.bin.lxc-start to complain mode.
aa-unconfined
command to list the programs which have no associated profile and which expose an open network socket. With the --paranoid
option you get all unconfined processes that have at least one active network connection.
#
aa-unconfined
801 /sbin/dhclient not confined 890 /sbin/rpcbind not confined 899 /sbin/rpc.statd not confined 929 /usr/sbin/sshd not confined 941 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)' 988 /usr/sbin/minissdpd not confined 1276 /usr/sbin/exim4 not confined 1485 /usr/lib/erlang/erts-6.2/bin/epmd not confined 1751 /usr/lib/erlang/erts-6.2/bin/beam.smp not confined 19592 /usr/lib/dleyna-renderer/dleyna-renderer-service not confined
/sbin/dhclient
. For this we will use aa-genprof dhclient
. It will invite you to use the application in another window and when done to come back to aa-genprof
to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
#
aa-genprof dhclient
Writing updated profile for /sbin/dhclient. Setting /sbin/dhclient to complain mode. Before you begin, you may wish to check if a profile already exists for the application you wish to confine. See the following wiki page for more information: http://wiki.apparmor.net/index.php/Profiles Please start the application to be profiled in another window and exercise its functionality now. Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied. Profiling: /sbin/dhclient [(S)can system log for AppArmor events] / (F)inish Reading log entries from /var/log/audit/audit.log. Profile: /sbin/dhclient Execute: /usr/lib/NetworkManager/nm-dhcp-helper Severity: unknown (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
P
Should AppArmor sanitise the environment when switching profiles? Sanitising environment is more secure, but some applications depend on the presence of LD_PRELOAD or LD_LIBRARY_PATH. (Y)es / [(N)o]Y
Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper. Complain-mode changes: WARN: unknown capability: CAP_net_raw Profile: /sbin/dhclient Capability: net_raw Severity: unknown [(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inishA
Adding capability net_raw to profile. Profile: /sbin/dhclient Path: /etc/nsswitch.conf Mode: r Severity: unknown 1 - #include <abstractions/apache2-common> 2 - #include <abstractions/libvirt-qemu> 3 - #include <abstractions/nameservice> 4 - #include <abstractions/totem> [5 - /etc/nsswitch.conf] [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore3
Profile: /sbin/dhclient Path: /etc/nsswitch.conf Mode: r Severity: unknown 1 - #include <abstractions/apache2-common> 2 - #include <abstractions/libvirt-qemu> [3 - #include <abstractions/nameservice>] 4 - #include <abstractions/totem> 5 - /etc/nsswitch.conf [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreA
Adding #include <abstractions/nameservice> to profile. Profile: /sbin/dhclient Path: /proc/7252/net/dev Mode: r Severity: 6 1 - /proc/7252/net/dev [2 - /proc/*/net/dev] [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreA
Adding /proc/*/net/dev r to profile [...] Profile: /sbin/dhclient Path: /run/dhclient-eth0.pid Mode: w Severity: unknown [1 - /run/dhclient-eth0.pid] [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreN
Enter new path: /run/dhclient*.pid Profile: /sbin/dhclient Path: /run/dhclient-eth0.pid Mode: w Severity: unknown 1 - /run/dhclient-eth0.pid [2 - /run/dhclient*.pid] [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreA
Adding /run/dhclient*.pid w to profile [...] Profile: /usr/lib/NetworkManager/nm-dhcp-helper Path: /proc/filesystems Mode: r Severity: 6 [1 - /proc/filesystems] [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreA
Adding /proc/filesystems r to profile = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /sbin/dhclient] 2 - /usr/lib/NetworkManager/nm-dhcp-helper (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)tS
Writing updated profile for /sbin/dhclient. Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper. Profiling: /sbin/dhclient [(S)can system log for AppArmor events] / (F)inishF
Setting /sbin/dhclient to enforce mode. Setting /usr/lib/NetworkManager/nm-dhcp-helper to enforce mode. Reloaded AppArmor profiles in enforce mode. Please consider contributing your new profile! See the following wiki page for more information: http://wiki.apparmor.net/index.php/Profiles Finished generating profile for /sbin/dhclient.
The first event detected is the execution of another program. In that case, you have multiple choices: you can run the program with the profile of the parent process (the “Inherit” choice), you can run it with its own dedicated profile (the “Profile” and the “Named” choices, differing only by the possibility to use an arbitrary profile name), you can run it with a sub-profile of the parent process (the “Child” choice), you can run it without any profile (the “Unconfined” choice) or you can decide to not run it at all (the “Deny” choice).
Note that when you opt to run it under a dedicated profile that doesn't exist yet, the tool will create the missing profile for you and will make rule suggestions for that profile in the same run.
| |
At the kernel level, the special powers of the root user have been split in “capabilities”. When a system call requires a specific capability, AppArmor will verify whether the profile allows the program to make use of this capability.
| |
Here the program seeks read permissions for /etc/nsswitch.conf . aa-genprof detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, the file is generally accessed through the nameservice related functions of the C library and we type “3” to first select the “#include <abstractions/nameservice>” choice and then “A” to allow it.
| |
The program wants to create the /run/dhclient-eth0.pid file. If we allow the creation of this specific file only, the program will not work when the user will use it on another network interface. Thus we select “New” to replace the filename with the more generic “/run/dhclient*.pid” before recording the rule with “Allow”.
| |
Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed /usr/lib/NetworkManager/nm-dhcp-helper to run with its own profile.
After having gone through all the logged events, the program offers to save all the profiles that were created during the run. In this case, we have two profiles that we save at once with “Save” (but you can save them individually too) before leaving the program with “Finish”.
|
aa-genprof
is in fact only a smart wrapper around aa-logprof
: it creates an empty profile, loads it in complain mode and then run aa-logprof
which is a tool to update a profile based on the profile violations that have been logged. So you can re-run that tool later to improve the profile that you just created.
/etc/apparmor.d/sbin.dhclient
close to this:
# Last Modified: Tue Sep 8 21:40:02 2015 #include <tunables/global> /sbin/dhclient { #include <abstractions/base> #include <abstractions/nameservice> capability net_bind_service, capability net_raw, /bin/dash r, /etc/dhcp/* r, /etc/dhcp/dhclient-enter-hooks.d/* r, /etc/dhcp/dhclient-exit-hooks.d/* r, /etc/resolv.conf.* w, /etc/samba/dhcp.conf.* w, /proc/*/net/dev r, /proc/filesystems r, /run/dhclient*.pid w, /sbin/dhclient mr, /sbin/dhclient-script rCx, /usr/lib/NetworkManager/nm-dhcp-helper Px, /var/lib/NetworkManager/* r, /var/lib/NetworkManager/*.lease rw, /var/lib/dhcp/*.leases rw, profile /sbin/dhclient-script flags=(complain) { #include <abstractions/base> #include <abstractions/bash> /bin/dash rix, /etc/dhcp/dhclient-enter-hooks.d/* r, /etc/dhcp/dhclient-exit-hooks.d/* r, /sbin/dhclient-script r, } }