<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Gentoo AppArmor Guide</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
    This document is a work in progress and should not be considered official yet.
  </p></td></tr></table>
<br><h1>Gentoo AppArmor Guide</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
<option value="#doc_chap2">2. Initial setup</option>
<option value="#doc_chap3">3. Working with profiles</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Introduction</p>
<p>
AppArmor is a Linux Security Module implementation built around the concept of attaching access rules to file paths.
</p>
<p>
For each file path you specify, AppArmor permits the confined program only the permissions you grant on that path.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Sample profile</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# ------------------------------------------------------------------
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
# ------------------------------------------------------------------

#include &lt;tunables/global&gt;

/sbin/klogd {
  #include &lt;abstractions/base&gt;

  capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
  capability syslog,

  network inet stream,

  /boot/System.map*     r,
  @{PROC}/kmsg          r,
  @{PROC}/kallsyms      r,
  /dev/tty              rw,

  /sbin/klogd           rmix,
  /var/log/boot.msg     rwl,
  /{,var/}run/klogd.pid    krwl,
  /{,var/}run/klogd/klogd.pid krwl,
  /{,var/}run/klogd/kmsg   r,
}
</pre></td></tr>
</table>
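<p>
As an added example (not from this guide or the AppArmor project), the following shell function scans a profile written in the syntax above and lists the file rules that grant more than read access, which are the rules a reviewer should examine first. It assumes one rule per line, as in the sample, and uses a constructed copy of the klogd rules as input.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide or the AppArmor project: list the
# file rules in a profile that grant more than read access (w, l, m, x, ...),
# the rules a reviewer should examine first. Assumes one rule per line.

# Constructed input: the file rules of the klogd sample profile above.
SAMPLE_PROFILE='/sbin/klogd {
  capability sys_admin,
  capability syslog,
  network inet stream,
  /boot/System.map*     r,
  @{PROC}/kmsg          r,
  @{PROC}/kallsyms      r,
  /dev/tty              rw,
  /sbin/klogd           rmix,
  /var/log/boot.msg     rwl,
  /{,var/}run/klogd.pid    krwl,
  /{,var/}run/klogd/kmsg   r,
}'

# Print "path perms" for each file rule whose permissions include anything
# beyond r (read) and k (file locking).  $1 = profile text
writable_rules() {
  printf '%s\n' "$1" | awk '
    # A file rule is a path (starting with / or @{var}) followed by a
    # permission string that ends in a comma.
    NF == 2 && (substr($1, 1, 1) == "/" || substr($1, 1, 1) == "@") && $2 ~ /^[A-Za-z]+,$/ {
      perms = $2
      sub(/,$/, "", perms)
      extra = perms
      gsub(/[rk]/, "", extra)
      if (extra != "")
        printf "%s %s\n", $1, perms
    }'
}

# Number of such rules.  $1 = profile text
count_writable_rules() {
  writable_rules "$1" | wc -l | tr -d ' '
}

# Usage: prints the four klogd rules that allow writing, linking or executing.
writable_rules "$SAMPLE_PROFILE"
```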
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Initial setup</p>
<p class="secthead"><a name="doc_chap2_sect1">Kernel patching</a></p>
<p>
As of Linux 3.4, improved AppArmor support is included in the mainline kernel. For the best experience, however,
it is recommended to patch your kernel with additional support. Without the patches, you will only be able to activate
profiles; deactivation, listing, the init script and so on will not work.
</p>
<p>
The required patches are included in the AppArmor tarball. If you are using a grsec-enabled kernel, such as <span class="code" dir="ltr">hardened-sources</span>,
the patches will not apply cleanly. For convenience, a rebased version of the patches is
<a href="https://github.com/kensington/apparmor-grsec/tarball/master">available</a>.
</p>
<p class="secthead"><a name="doc_chap2_sect2">Install utilities</a></p>
<p>
The AppArmor userspace utilities currently live in the
<a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</a>.
You should install layman, and then add the <span class="code" dir="ltr">hardened-dev</span> overlay:
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: Install userspace utilities</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">layman -a hardened-dev</span>
# <span class="code-input">emerge apparmor-utils</span>
<span class="code-comment">You will probably also wish to install some profiles to get started:</span>
# <span class="code-input">emerge apparmor-profiles</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect3">Further configuration</a></p>
<p>
You may wish to edit the configuration files located in <span class="code" dir="ltr">/etc/apparmor</span>; however,
the default values will suit most users.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>Working with profiles</p>
<p>
Profiles are stored as simple text files in <span class="code" dir="ltr">/etc/apparmor.d</span>. They may take any name, and may be stored
in subdirectories - you may organise them however it suits you.
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.1: Sample profile directory listing</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
/etc/apparmor.d $ <span class="code-input">ls</span>
abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
</pre></td></tr>
</table>
<p>
Profiles are referred to by name, including any parent subdirectories if present.
</p>
<p class="secthead"><a name="doc_chap3_sect2">Manual control</a></p>
<p>
To activate a profile, simply set it to enforce mode.
</p>
<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.2: Manual profile activation</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">aa-enforce usr.sbin.dnsmasq</span>
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
</pre></td></tr>
</table>
<p>
Similarly, to deactivate a profile, simply set it to complain mode; in complain mode AppArmor logs rule violations instead of blocking them.
</p>
<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.3: Manual profile deactivation</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">aa-complain usr.sbin.dnsmasq</span>
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
</pre></td></tr>
</table>
<p>
The current status of your profiles may be viewed using <span class="code" dir="ltr">aa-status</span>.
</p>
<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.4: Profile status listing</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">aa-status</span>
apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/identd
1 profiles are in complain mode.
   /usr/sbin/lspci
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
</pre></td></tr>
</table>
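<p>
As an added example (not part of this guide or the AppArmor tools), the shell functions below parse the <span class="code" dir="ltr">aa-status</span> output shown above and fail when a profile you expect to be enforced is missing or has been left in complain mode. It assumes the output layout shown in the listing and uses a constructed copy of that listing as input.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: parse aa-status output and
# fail when a profile that should be enforced is missing or in complain mode,
# so a profile left in complain mode after debugging does not go unnoticed.
# Assumes the aa-status output layout shown in the guide.

# Constructed input: the aa-status listing from the guide.
SAMPLE_STATUS='apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/identd
1 profiles are in complain mode.
   /usr/sbin/lspci
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Print the profile names listed under "N profiles are in MODE mode".
# $1 = aa-status text, $2 = enforce or complain
profiles_in_mode() {
  printf '%s\n' "$1" | awk -v mode="$2" '
    # "5 profiles are in enforce mode." opens the section we want ($5 = mode)
    /^[0-9]+ profiles are in / { in_section = ($5 == mode); next }
    # any other count line (profiles loaded, processes ...) closes it
    /^[0-9]+ (profiles|processes) / { in_section = 0; next }
    in_section && substr($1, 1, 1) == "/" { print $1 }'
}

# Succeed only when every named profile is in enforce mode; print offenders.
# $1 = aa-status text, remaining args = profiles expected to be enforced
check_enforced() {
  st=$1; shift
  enforced=$(profiles_in_mode "$st" enforce)
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$enforced" | grep -qx -- "$want"; then
      echo "NOT ENFORCED: $want"
      rc=1
    fi
  done
  return $rc
}

# Usage: lspci is only in complain mode, so this reports it and fails.
check_enforced "$SAMPLE_STATUS" /sbin/klogd /usr/sbin/lspci || echo "review the profiles listed above"
```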
<p class="secthead"><a name="doc_chap3_sect3">Automatic control</a></p>
<p>
The provided init script will automatically load all profiles located in your profile directory.
Unless specified otherwise, each profile will be loaded in enforce mode.
</p>
<br><p class="copyright">
	The contents of this document, unless otherwise expressly stated, are
	licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  
  <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/">
    
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated July 10, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide provides a brief overview of AppArmor, and gives information
on how to install and configure it on Gentoo.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
    <a href="mailto:kensington@gentoo.org" class="altlink"><b>Michael Palimaka</b></a>
<br><i>Author</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>