Today we’re going to talk about AppArmor profiles those magical text files that help keep your system secure by limiting the capabilities of certain programs. But let’s be real here: AppArmor can seem pretty daunting at first glance. So, in this guide, we’ll break it down into simple terms and give you some examples to clarify things up.
First off, what are AppArmor profiles? They’re basically rules that tell your system which files a program is allowed to access and what privileges it can use. These rules are stored in text files located in /etc/apparmor.d/. Each file is named after the full path of the executable being profiled, with “/” replaced by “.”. For example, if we want to profile /bin/ping, our AppArmor profile would be called bin.ping.
Now let’s take a look at an example profile:
#include <tunables/global> // This includes global tunables for the AppArmor profile
/bin/ping flags=(complain) { // This is the profile for the /bin/ping executable, set to complain mode
#include <abstractions/base> // This includes the base abstractions for the profile
#include <abstractions/consoles> // This includes abstractions for console access
#include <abstractions/nameservice> // This includes abstractions for nameservice access
capability net_raw, // This grants the capability to access raw network sockets
capability setuid, // This grants the capability to set user IDs
network inet raw, // This allows raw network access for the profile
/bin/ping mixr, // This grants read, execute, and execute with interpreter permissions for the /bin/ping executable
/etc/modules.conf r, // This grants read access to the /etc/modules.conf file
}
Let’s break this down:
– #include
– /bin/ping flags=(complain) {: This is where the actual profile begins. The “flags” parameter tells AppArmor to log any denied accesses (more on this later).
– #include
– #include
– capability net_raw: This line grants the program access to raw network sockets. In other words, it allows ping to send packets directly to a device without going through any intermediate software (like iptables).
– capability setuid: This line gives the program permission to change its user ID. Normally, this is a big no-no in terms of security but for programs like ping that need it to function properly, it’s okay.
– network inet raw: This line grants the program access to raw IP packets (again, necessary for ping).
– /bin/ping mixr: This line allows ping to read and write its own configuration file (located at /etc/modules.conf) with mixed permissions (read and write).
Now how AppArmor works in practice. When you run a program that has an associated profile, AppArmor checks the rules in that profile to see if the program is allowed to access certain files or use certain privileges. If it isn’t, AppArmor will log a denied access and either continue running (in “complain” mode) or stop running altogether (in “enforce” mode).
To generate a new profile for a program that doesn’t have one yet, you can use the command:
# This script generates a new AppArmor profile for a program that doesn't have one yet.
# AppArmor is a security tool that restricts access to certain files and privileges for programs.
# If a program tries to access something it is not allowed to, AppArmor will log a denied access.
# Depending on the mode, it will either continue running (complain mode) or stop running (enforce mode).
# To generate a new profile, we use the command:
sudo aa-genprof executable
# "sudo" allows us to run the command with root privileges.
# "aa-genprof" is the command used to generate a new AppArmor profile.
# "executable" is the name of the program for which we want to create a profile.
Replace “executable” with the name of the program you want to profile. For example, if we wanted to create a profile for /usr/bin/firefox, we would run:
# This script is used to generate a profile for a specified program
# The profile will be used for AppArmor, a security tool for Linux systems
# The "sudo" command allows the user to run the following command with root privileges
# This is necessary for creating a profile for a system program
sudo aa-genprof
# The "firefox" argument specifies the program for which the profile will be generated
# This can be replaced with any other program name to generate a profile for that program
firefox
This will generate a new AppArmor profile in /etc/apparmor.d/. You can then review and edit the generated profile as needed.
To update an existing profile (if you’re seeing denied accesses), you can use the command:
# This script will generate a new AppArmor profile in /etc/apparmor.d/.
# It allows for review and editing of the generated profile as needed.
# To update an existing profile and address denied accesses, use the following command:
sudo aa-logprof
# The "sudo" command allows for the script to be run with root privileges.
# The "aa-logprof" command is used to generate and update AppArmor profiles.
# The "sudo" command is followed by the "aa-logprof" command to ensure it is run with root privileges.
# The "aa-logprof" command does not require any additional arguments as it will automatically generate and update profiles.
# The generated profile will be located in the /etc/apparmor.d/ directory.
# The generated profile can then be reviewed and edited as needed.
This will scan your system logs for AppArmor audit messages, which should help you identify any issues with your profiles.
Finally, it’s worth mentioning that some experimental profiles are available in packages like apport-profiles and apparmor-profiles-extra. These profiles can give you a head start when creating new ones but be aware that they may not work out of the box, and should generally only be used with caution.
AppArmor profiles in simple terms. We hope this guide has helped clarify some of the more complex concepts around AppArmor, and we encourage you to experiment with creating your own profiles as needed.