AppArmor is an easy-to-use Linux application security system: it restricts each application to the resources (network, files, etc.) its profile allows.

All commands listed below need to be executed as root (or with sudo).

Installation

  • Install apparmor (also apparmor-utils if available) using your system’s package manager.
  • Then, enable apparmor.service.
      systemctl enable apparmor.service
    
  • Add the AppArmor kernel parameters by editing /etc/default/grub and appending the following to GRUB_CMDLINE_LINUX_DEFAULT (Ubuntu seems to set these kernel parameters automatically):
      # For Debian
      apparmor=1 security=apparmor
    
      # For Arch Linux
      lsm=landlock,lockdown,yama,integrity,apparmor,bpf
    
  • Finally, reboot.

Basic example

In this example, I am going to allow a program to read and write files inside one folder. By default, an AppArmor profile denies access to every file it does not explicitly allow. Create a profile file for that program: the filename is the full path of the program executable with every / replaced by . (and the leading / removed).

vim /etc/apparmor.d/usr.bin.myprogram

Edit the file:

#include <tunables/global>

/usr/bin/myprogram {
  #include <abstractions/base>
  /usr/bin/myprogram r,
  /home/user/folder/* rw,
}
  • You need to grant the program read access to its own executable.
  • include statements pull in base rules that are shared by several profiles. The leading # is optional.
  • Comments start with #.

After saving the file and closing the editor, run:

aa-enforce /usr/bin/myprogram

Utilities

  • aa-easyprof: creates profile templates. If it’s not installed, look for an apparmor-easyprof package in your repositories. To create a template, run:
      aa-easyprof /usr/bin/myprogram > /etc/apparmor.d/usr.bin.myprogram
    
  • aa-logprof: reads the AppArmor log to work out how to fix a profile and proposes each change, which you can accept or deny.
      # aa-logprof
      Reading log entries from /var/log/syslog.
      Updating AppArmor profiles in /etc/apparmor.d.
      Complain-mode changes:
      Enforce-mode changes:
    
      Profile:  /usr/bin/nano
      Path:     /usr/share/nano/extra/debian.nanorc
      New Mode: owner r
      Severity: unknown
    
      [1 - owner /usr/share/nano/extra/debian.nanorc r,]
      (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
      Adding owner /usr/share/nano/extra/debian.nanorc r, to profile.
    
  • aa-genprof: similar to aa-easyprof, but followed by the interactive checking process of aa-logprof.
      aa-genprof /usr/bin/myprogram
    
  • aa-complain: loads the profile in complain mode, which logs access violations without blocking them.
      aa-complain /usr/bin/myprogram
    

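As an added example (not part of the original post), a POSIX shell script that derives the profile filename the way the basic example describes and turns AppArmor DENIED audit lines into candidate rules, which is the transformation aa-logprof performs interactively. The log lines are constructed and the parser assumes the kernel's key="value" audit format with no spaces inside paths.

```shell
#!/bin/sh
# Derive the profile file name from the executable path as described above:
# drop the leading "/" and turn every remaining "/" into ".".
profile_name() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Constructed sample audit lines: two denials for the same file with masks
# "wc" and "w" (they should collapse to one rule), one for /etc/shadow, and
# one that belongs to a different profile and must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:21): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/home/user/folder/out.txt" pid=1234 comm="myprogram" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.102:22): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/home/user/folder/out.txt" pid=1234 comm="myprogram" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:23): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/etc/shadow" pid=1234 comm="myprogram" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.104:24): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=1235 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Read DENIED audit lines on stdin and print, for profile $1, one candidate
# rule per distinct path and permission set, ready to paste into the profile.
# Review every line before adding it: a denial is often the correct outcome
# (a program has no business reading /etc/shadow), which is why aa-logprof
# offers (D)eny as well as (A)llow.
suggest_rules() {
    awk -v want="$1" '
      # create (c) and delete (d) are covered by the w permission;
      # read (r), append (a), lock (k) and mmap (m) map directly.
      function perms(m,  out) {
        out = ""
        if (m ~ /r/) out = out "r"
        if (m ~ /[wcd]/) out = out "w"
        else if (m ~ /a/) out = out "a"
        if (m ~ /k/) out = out "k"
        if (m ~ /m/) out = out "m"
        return out
      }
      /apparmor="DENIED"/ {
        prof = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
          split($i, kv, "=")
          v = kv[2]; gsub(/"/, "", v)
          if (kv[1] == "profile") prof = v
          else if (kv[1] == "name") name = v
          else if (kv[1] == "denied_mask") mask = v
        }
        if (prof == want && name != "" && perms(mask) != "")
          printf "  %s %s,\n", name, perms(mask)
      }' | sort -u
}

# Demonstration on the constructed sample: prints the rules for /usr/bin/myprogram.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/bin/myprogram
```

On a real system you would feed it the AppArmor lines from /var/log/syslog, /var/log/audit/audit.log or `journalctl -k` instead of the sample.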
If you have any suggestion, feel free to contact me via social media or email.