AppArmor is a Mandatory Access Control (MAC) system built on Linux's LSM (Linux Security Modules) interface. In practice, the kernel queries AppArmor before each system call to know whether the process is authorized to do the given operation. Through this mechanism, AppArmor confines programs to a limited set of resources.
AppArmor applies a set of rules (known as “profile”) on each program. The profile applied by the kernel depends on the installation path of the program being executed. Contrary to SELinux (discussed in Section14.5, “Introduction to SELinux”), the rules applied do not depend on the user. All users face the same set of rules when they are executing the same program (but traditional user permissions still apply and might result in different behavior!).
AppArmor profiles are stored in /etc/apparmor.d/ and they contain a list of access control rules on resources that each program can make use of. The profiles are compiled and loaded into the kernel by the apparmor_parser command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.
AppArmor support is built into the standard kernels provided by Debian. Enabling AppArmor is thus just a matter of installing some packages by executing apt install apparmor apparmor-profiles apparmor-utils with root privileges.
AppArmor is functional after the installation, and aa-status will confirm it quickly:
#aa-statusapparmor module is loaded.32 profiles are loaded.15 profiles are in enforce mode. /usr/bin/man[...]17 profiles are in complain mode. /usr/sbin/dnsmasq[...]1 processes have profiles defined.1 processes are in enforce mode. /usr/sbin/libvirtd (468) libvirtd0 processes are in complain mode.0 processes are unconfined but have a profile defined.
NOTE More AppArmor profiles
The apparmor-profiles package contains profiles managed by the upstream AppArmor community. To get even more profiles you can install apparmor-profiles-extra which contains profiles developed by Ubuntu and Debian.
The state of each profile can be switched between enforcing and complaining with calls to aa-enforce and aa-complain giving as parameter either the path of the executable or the path to the policy file. Additionally a profile can be entirely disabled with aa-disable or put in audit mode (to log accepted system calls too) with aa-audit.
#aa-enforce /usr/bin/pidginSetting /usr/bin/pidgin to enforce mode.#aa-complain /usr/sbin/dnsmasqSetting /usr/sbin/dnsmasq to complain mode.
Even though creating an AppArmor profile is rather easy, most programs do not have one. This section will show you how to create a new profile from scratch just by using the target program and letting AppArmor monitor the system call it makes and the resources it accesses.
The most important programs that need to be confined are the network facing programs as those are the most likely targets of remote attackers. That is why AppArmor conveniently provides an aa-unconfined command to list the programs which have no associated profile and which expose an open network socket. With the --paranoid option you get all unconfined processes that have at least one active network connection.
#aa-unconfined451 /usr/bin/containerd not confined467 /usr/sbin/sshd (sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups) not confined892 /usr/sbin/exim4 not confined
In the following example, we will thus try to create a profile for /sbin/dhclient (there already is a profile shipped by apparmor-profiles, so you can compare your results to the official one). For this we will use aa-genprof dhclient. It will invite you to use the application in another window and when done to come back to aa-genprof to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
#aa-genprof dhclientWriting updated profile for /usr/sbin/dhclient.Setting /usr/sbin/dhclient to complain mode.Before you begin, you may wish to check if aprofile already exists for the application youwish to confine. See the following wiki page formore information:https://gitlab.com/apparmor/apparmor/wikis/ProfilesProfiling: /usr/sbin/dhclientPlease start the application to be profiled inanother window and exercise its functionality now.Once completed, select the "Scan" option below in order to scan the system logs for AppArmor events. For each AppArmor event, you will be given the opportunity to choose whether the access should be allowed or denied.[(S)can system log for AppArmor events] / (F)inishSReading log entries from /var/log/syslog.Profile: /usr/sbin/dhclientExecute: /usr/sbin/dhclient-scriptSeverity: unknown(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
PShould AppArmor sanitise the environment whenswitching profiles?Sanitising environment is more secure,but some applications depend on the presenceof LD_PRELOAD or LD_LIBRARY_PATH.[(Y)es] / (N)oYWriting updated profile for /usr/sbin/dhclient-script.Complain-mode changes:Profile: /usr/sbin/dhclientAAdding capability net_raw, to profile.Profile: /usr/sbin/dhclientCapability: net_bind_serviceSeverity: 8 [1 - #include <abstractions/nis>] 2 - capability net_bind_service,(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inishAAdding #include <abstractions/nis> to profile.Profile: /usr/sbin/dhclient2Profile: /usr/sbin/dhclientPath: /etc/ssl/openssl.cnfNew Mode: owner rSeverity: 2 1 - #include <abstractions/lightdm> [2 - #include <abstractions/openssl>] 3 - #include <abstractions/ssl_keys> 4 - owner /etc/ssl/openssl.cnf r, [(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)oreA[...]Profile: /usr/sbin/dhclient-scriptAAdding #include <abstractions/lightdm> to profile.Deleted 2 previous matching profile entries.= Changed Local Profiles =The following local profiles were changed. Would you like to save them? [1 - /usr/sbin/dhclient] 2 - /usr/sbin/dhclient-script(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)tSWriting updated profile for /usr/sbin/dhclient.Writing updated profile for /usr/sbin/dhclient-script.Profiling: /usr/sbin/dhclientPlease start the application to be profiled inanother window and exercise its functionality now.Once completed, select the "Scan" option below inorder to scan the system logs for AppArmor events.For each AppArmor event, you will be given theopportunity to choose whether the access should beallowed or denied.[(S)can system log for AppArmor events] / (F)inishFSetting /usr/sbin/dhclient to enforce mode.Setting /usr/sbin/dhclient-script to enforce mode.Reloaded AppArmor profiles in enforce mode.Please consider contributing your new profile!See the following wiki page for more information:https://gitlab.com/apparmor/apparmor/wikis/ProfilesFinished generating profile for /usr/sbin/dhclient.
Note that the program does not display back the control characters that you type but for the clarity of the explanation we have included them in the previous transcript.
| The first event detected is the execution of another program. In that case, you have multiple choices: you can run the program with the profile of the parent process (the “Inherit” choice), you can run it with its own dedicated profile (the “Profile” and the “Named” choices, differing only by the possibility to use an arbitrary profile name), you can run it with a sub-profile of the parent process (the “Child” choice), you can run it without any profile (the “Unconfined” choice) or you can decide to not run it at all (the “Deny” choice). Note that when you opt to run it under a dedicated profile that doesn't exist yet, the tool will create the missing profile for you and will make rule suggestions for that profile in the same run. |
| At the kernel level, the special powers of the root user have been split in “capabilities”. When a system call requires a specific capability, AppArmor will verify whether the profile allows the program to make use of this capability. |
| Here the program seeks read permissions for |
| Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed After having gone through all the logged events, the program offers to save all the profiles that were created during the run. In this case, we have two profiles that we save at once with “Save” (but you can save them individually too) before leaving the program with “Finish”. |
aa-genprof is in fact only a smart wrapper around aa-logprof: it creates an empty profile, loads it in complain mode and then run aa-logprof which is a tool to update a profile based on the profile violations that have been logged. So you can re-run that tool later to improve the profile that you just created.
If you want the generated profile to be complete, you should use the program in all the ways that it is legitimately used. In the case of dhclient, it means running it via Network Manager, running it via ifupdown, running it manually, etc. In the end, you might get a /etc/apparmor.d/usr.sbin.dhclient close to the profile shipped by apparmor-profiles in /usr/share/apparmor/extra-profiles/sbin.dhclient.
And /etc/apparmor.d/usr.sbin.dhclient-script might be similar to /usr/share/apparmor/extra-profiles/sbin.dhclient, shipped in apparmor-profiles too.
