Novell APPARMOR - AND Technical manual
This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor
proles. Learn how to create or modify AppArmor proles. You can create and manage AppArmor proles in
three different ways. The most convenient interface to AppArmor is provided by means of the AppArmor YaST
modules which can be used either in graphical or ncurses mode. The same functionality is provided by the
AppArmor command line tools or if you just edit the proles in a text editor.
AppArmor Modes
complain/learning
In complain or learning mode, violations of AppArmor
prole rules, such as the proled program accessing les
not permitted by the prole, are detected. The violations
are permitted, but also logged. This mode is convenient
for developing proles and is used by the AppArmor
tools for generating proles.
enforce
Loading a prole in enforcement mode enforces the
policy dened in the prole as well as reports policy vi-
olation attempts to syslogd.
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following
parameters:
start
Load the kernel module, mount securityfs, parse and
load proles. Proles and connement are applied to
any application started after this command was executed.
Processes already running at the time AppArmor is
started continue to run unconned.
stop
Unmount securityfs, and invalidate proles.
reload
Reload proles.
status
If AppArmor is enabled, output how many proles are
loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging
with aa-eventd. Use the start and stop options to toggle
the status of the aa-eventd and check its status using the
status.
AppArmor Command Line Tools
autodep
Guess basic AppArmor prole requirements. autodep
creates a stub prole for the program or application
examined. The resulting prole is called “approximate”
because it does not necessarily contain all of the prole
entries that the program needs to be conned properly.
complain
Set an AppArmor prole to complain mode.
Manually activating complain mode (using the command
line) adds a ag to the top of the prole so that
/bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor prole to enforce mode from complain
mode.
Novell AppArmor (2.3.1) Quick Start
NOVELL® QUICK START CARD
1
Manually activating enforce mode (using the command
line) removes mode ags from the top of the prole
/bin/foo flags=(complain) becomes /bin/foo.
genprof
Generate or update a prole. When running, you must
specify a program to prole. If the specied program is
not an absolute path, genprof searches the $PATH vari-
able. If a prole does not exist, genprof creates one using
autodep.
logprof
Manage AppArmor proles. logprof is an interactive tool
used to review the learning or complain mode output
found in the AppArmor syslog entries and to generate
new entries in AppArmor proles.
unconned
Output a list of processes with open tcp or udp ports
that do not have AppArmor proles loaded.
Methods of Proling
Stand-Alone Proling
Using genprof. Suitable for proling small applications.
Systemic Proling
Suitable for proling large numbers of programs all at
once and for proling applications that may run “forev-
er.”
To apply systemic proling, proceed as follows:
1. Create proles for the individual programs that make
up your application (autodep).
2. Put relevant proles into learning or complain mode.
3. Exercise your application.
4. Analyze the log (logprof).
5. Repeat Steps 3-4.
6. Edit the proles.
7. Return to enforce mode.
8. Reload all proles (rcapparmor restart).
Learning Mode
When using genprof, logprof, or YaST in learning mode,
you get several options for how to proceed:
Allow
Grant access.
Deny
Prevent access.
Glob
Modify the directory path to include all les in the sug-
gested directory.
Glob w/Ext
Modify the original directory path while retaining the
lename extension. This allows the program to access
all les in the suggested directories that end with the
specied extension.
Edit
Enable editing of the highlighted line. The new (edited)
line appears at the bottom of the list. This option is called
New in the logprof and genprof command line tools.
Abort
Abort logprof or YaST, losing all rule changes entered
so far and leaving all proles unmodied.
Finish
Close logprof or YaST, saving all rule changes entered
so far and modifying all proles.
Example Prole
#include<tunables/global>
@{HOME} = /home/*/ /root/ # variable
/usr/bin/foo {
#include <abstractions/base>
network inet tcp,
capability setgid,
/bin/mount ux,
/dev/{,u}random r,
/etc/ld.so.cache r,
/etc/foo/* r,
/lib/ld-*.so* mr,
/lib/lib*.so* mr,
/proc/[0-9]** r,
/usr/lib/** mr,
/tmp/ r,
/tmp/foo.pid wr,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,
/@{HOME}/.foo_lock kw,
link /etc/sysconfig/foo -> /etc/foo.conf,
deny /etc/shadow w,
owner /home/*/** rw,
/usr/bin/foobar cx,
/bin/** px -> bin_generic
# comment on foo's local profile, foobar.
foobar {
/bin/bash rmix,
/bin/cat rmix,
/bin/more rmix,
/var/log/foobar* rwl,
/etc/foobar r,
}
}
2
Structure of a Prole
Proles are simple text les in the /etc/apparmor.d di-
rectory. They consist of several parts: #include, capability
entries, rules, and “hats.”
#include
This is the section of an AppArmor prole that refers to an
include le, which mediates access permissions for pro-
grams. By using an include, you can give the program access
to directory paths or les that are also required by other
programs. Using includes can reduce the size of a prole.
It is good practice to select includes when suggested.
To assist you in proling your applications, AppArmor pro-
vides three classes of #includes: abstractions, program
chunks, and tunables.
Abstractions are #includes that are grouped by common
application tasks. These tasks include access to authentica-
tion mechanisms, access to name service routines, common
graphics requirements, and system accounting, for example,
base, consoles, kerberosclient, perl, user-mail, user-tmp,
authentication, bash, nameservice.
Program chunks are access controls for specic programs
that a system administrator might want to control based
on local site policy. Each chunk is used by a single program.
Tunables are global variable denitions. When used in a
prole, these variables expand to a value that can be
changed without changing the entire prole. Therefore your
proles become portable to different environments.
Local Variables
Local variables are dened at the head of a prole. Use local
variables to create shortcuts for paths, for example to pro-
vide the base for a chrooted path:
@{CHROOT_BASE}=/tmp/foo
/sbin/syslog-ng {
...
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/log/** w,
...
}
Aliases
Alias rules provide an alternative form of path rewriting to
using variables, and are done post variable resolution:
alias /home/ -> /mnt/users/
Network Access Control
AppArmor provides network access mediation based on
network domain and type:
/bin/ping {
network inet dgram,
network inet raw,
...
}
The example would allow IPv4 network access of the data-
gram and raw type for the ping command. For details on
the network rule syntax, refer to the Part “Conning Privi-
leges with Novell AppArmor” (↑Security Guide).
Capability Entries (POSIX.1e)
Capabilities statements are simply the word “capability”
followed by the name of the POSIX.1e capability as dened
in the capabilities(7) man page.
Rules: General Options for Files and
Directories
FileOption
r
read
w
write
l
link
k
le locking
ale append (mutually exclusive to w)
Rules: Link Pair
The link mode grants permission to create links to arbitrary
les, provided the link has a subset of the permissions
granted by the target (subset permission test). By specifying
origin and destination, the link pair rule provides greater
control over how hard links are created. Link pair rules by
default do not enforce the link subset permission test that
the standard rules link permission requires. To force the
rule to require the test the subset keyword is used. The
following rules are equivalent:
/link l,
link subset /link -> /**,
Rules: Denying rules
AppArmor provides deny rules which are standard rules
but with the keyword deny prepended. They are used to
remember known rejects, and quiet them so the reject
messages don't ll up the log les. For more information
see Part “Conning Privileges with Novell AppArmor” (↑Se-
curity Guide).
3
Rules: Owner Conditional Rules
The le rules can be extended so that they can be condi-
tional upon the the user being the owner of the le. by
prepending the keyword owner to the rule. Owner condi-
tional rules accumulate just as regular le rules and are
considered a subset of regular le rules. If a regular le rule
overlaps with an owner conditional le rule, the resultant
permissions will be that of the regular le rule.
Rules: Dening Execute Permissions
For executables that may be called from the conned pro-
grams, the prole creating tools ask you for an appropriate
mode, which is also reected directly in the prole itself:
DescriptionFileOption
Stay in the same (parent's) prole.
ix
Inherit
Requires that a separate prole
exists for the executed program.
px
Prole
Use Px to make use of environ-
ment scrubbing.
Requires that a local prole exists
for the executed program. Use Cx
cx
Local prole
to make use of environment
scrubbing.
Executes the program without a
prole. Avoid running programs
ux
Uncon-
strained
in unconstrained or unconned
mode for security reasons. Use Ux
to make use of environment
scrubbing.
allow PROT_EXEC with mmap(2)
calls
m
Allow Exe-
cutable Map-
ping
WARNING: Running in ux Mode
Avoid running programs in ux mode as much as
possible. A program running in ux mode is not only
totally unprotected by AppArmor, but child process-
es inherit certain environment variables from the
parent that might inuence the child's execution
behavior and create possible security risks.
For more information about the different le execute
modes, refer to the apparmor.d(5) man page. For more
information about setgid and setuid environment scrubbing,
refer to the ld.so(8) man page.
Rules: Paths and Globbing
AppArmor supports explicit handling of directories. Use a
trailing /for any directory path that needs to be explicitly
distinguished:
/some/random/example/* r
Allow read access to les in the /some/random/
example directory.
/some/random/example/ r
Allow read access to the directory only.
/some/**/ r
Give read access to any directories below /some.
/some/random/example/** r
Give read access to les and directories under /some/
random/example.
/some/random/example/**[^/] r
Give read access to les under /some/random/
example. Explicitly exclude directories ([^/]).
To spare users from specifying similar paths all over again,
AppArmor supports basic globbing:
DescriptionGlob
Substitutes for any number of charac-
ters, except /.
*
Substitutes for any number of charac-
ters, including /.
**
Substitutes for any single character, ex-
cept /.
?
Substitutes for the single character a,b,
or c.
[ abc ]
Substitutes for the single character a,b,
or c.
[ a-c ]
Expand to one rule to match ab and
another to match cd.
{ ab,cd }
Substitutes for any character except a.[ ^a ]
Rules: Auditing rules
AppArmor provides the ability to audit given rules so that
when they are matched an audit message will appear in the
audit log. To enable audit messages for a given rule the
audit keyword is prepended to the rule:
audit /etc/foo/* rw,
Rules: Setting Capabilities
Normally AppArmor only restricts existing native Linux
controls and does not grant additional privileges. The only
exception from this strict rule is the set capability rule. For
security reasons, set capability rules will not be inherited,
so once a program leaves the prole, it looses the elevated
privilege. Setting a capability also implicitly adds a capability
rule allowing that capability. Since this rules allows to give
processes root privileges it should be used with extreme
caution and only in exceptional cases.
set capabilty cap_chown,
4
Hats
An AppArmor prole represents a security policy for an
individual program instance or process. It applies to an ex-
ecutable program, but if a portion of the program needs
different access permissions than other portions, the pro-
gram can “change hats” to use a different security context,
distinctive from the access of the main program. This is
known as a hat or subprole.
A prole can have an arbitrary number of hats, but there
are only two levels: a hat cannot have further hats.
The AppArmor ChangeHat feature can be used by applica-
tions to access hats during execution. Currently the packages
apache2-mod_apparmor and tomcat_apparmor utilize
ChangeHat to provide sub-process connement for the
Apache Web server and the Tomcat servlet container.
Conning Users with pam_apparmor
The pam_apparmor PAM module allows applications to
conne authenticated users into subproles based on group
names, user names, or a default prole. To accomplish this,
pam_apparmor needs to be registered as a PAM session
module.
Details about how to set up and congure pam_apparmor
can be found in /usr/share/doc/packages/pam
_apparmor/README. A HOWTO on setting up role-based
access control (RBAC) with pam_apparmor is available at
http://developer.novell.com/wiki/index.php/
Apparmor_RBAC_in_version_2.3.
Logging and Auditing
All AppArmor events are logged using the system's audit
interface (the auditd logging to /var/log/audit/audit
.log). On top of this infrastructure, event notication can
be congured. Congure this feature using YaST. It is based
on severity levels according to /etc/apparmor/
severity.db. Notication frequency and type of noti-
cation (such as e-mail) can be congured.
If auditd is not running, AppArmor logs to the system log
located under /var/log/messages using the LOG_KERN
facility.
Use YaST for generating reports in CSV or HTML format.
The Linux audit framework contains a dispatcher that can
send AppArmor events to any consumer application via
dbus. The GNOME AppArmor Desktop Monitor applet is
one example of an application that gathers AppArmor
events via dbus. To congure audit to use the dbus dispatch-
er, just set the dispatcher in your audit conguration in
/etc/audit/auditd.conf to apparmor-dbus and
restart auditd:
dispatcher=/usr/bin/apparmor-dbus
Once the dbus dispatcher is congured correctly, add the
AppArmor Desktop Monitor to the GNOME panel. As soon
as a REJECT event is logged, the applet's panel icon
changes appearance and you can click the applet to see the
number of reject events per conned application. To view
the exact log messages, refer to the audit log under /var/
log/audit/audit.log. Use the YaST Update Prole
Wizard to adjust the respective prole.
Directories and Files
/sys/kernel/security/apparmor/profiles
Virtualized le representing the currently loaded set of
proles.
/etc/apparmor/
Location of AppArmor conguration les.
/etc/apparmor/profiles/extras/
A local repository of proles shipped with AppArmor,
but not enabled by default.
/etc/apparmor.d/
Location of proles, named with the convention of re-
placing the /in pathnames with .(not for the root /)
so proles are easier to manage. For example, the prole
for the program /usr/sbin/ntpd is named usr.sbin
.ntpd.
/etc/apparmor.d/abstractions/
Location of abstractions.
/etc/apparmor.d/program-chunks/
Location of program chunks.
/proc/*/attr/current
Review the connement status of a process and the
prole that is used to conne the process. The ps auxZ
command retrieves this information automatically.
For More Information
To learn more about the AppArmor project, check out the
project's home page under http://en.opensuse.org/
AppArmor. Find more information on the concept and the
conguration of AppArmor in Part “Conning Privileges
with Novell AppArmor” (↑Security Guide).
Legal Notice
All content is copyright © 2006- 2009 Novell, Inc.
This manual is protected under Novell intellectual property
rights. By reproducing, duplicating or distributing this
manual you explicitly agree to conform to the terms and
conditions of this license agreement.
This manual may be freely reproduced, duplicated and dis-
tributed either as such or as part of a bundled package in
electronic and/or printed format, provided however that
the following conditions are fullled:
5
That this copyright notice and the names of authors and
contributors appear clearly and distinctively on all repro-
duced, duplicated and distributed copies. That this manual,
specically for the printed format, is reproduced and/or
distributed for noncommercial use only. The express autho-
rization of Novell, Inc must be obtained prior to any other
use of any manual or part thereof.
For Novell trademarks, see the Novell Trademark and Ser-
vice Mark list http://www.novell.com/company/
legal/trademarks/tmlist.html. Linux* is a regis-
tered trademark of Linus Torvalds. All other third party
trademarks are the property of their respective owners. A
trademark symbol (®, ™ etc.) denotes a Novell trademark;
an asterisk (*) denotes a third party trademark.
All information found in this book has been compiled with
utmost attention to detail. However, this does not guarantee
complete accuracy. Neither Novell, Inc., SUSE LINUX Prod-
ucts GmbH, the authors, nor the translators shall be held
liable for possible errors or the consequences thereof.
6
Created by SUSE® with XSL-FO
7
Other manuals for APPARMOR - AND
3
This manual suits for next models
1
Table of contents
Other Novell Software manuals
Novell
Novell Open Enterprise Server 2 Instruction Manual
Novell
Novell ZENWORKS LINUX MANAGEMENT 7.2 IR2 - ... User manual
Novell
Novell PRIVILEGED USER MANAGER EVALUATION - User manual
Novell
Novell IDENTITY MANAGER 3.6.1 - PASSWORD MANAGEMENT User manual
Novell
Novell IDENTITY MANAGER 3.6.1 - ENTITLEMENTS User manual
Novell
Novell SLRS 8 - Manual
Novell
Novell GROUPWISE 8 - RESOURCES User manual
Novell
Novell APPARMOR 2.0.1 - ADMINISTRATION GUIDE... Instruction Manual
Novell
Novell ENHANCED SMART CARD METHOD 3.0.1 - INSTALLATION... User manual
Novell
Novell ZENWORKS 7.2 LINUX MANAGEMENT - SCENARIOS 1... User manual
Novell
Novell APPARMOR 2.1 - User manual
Novell
Novell IDENTITY MANAGER 3.6. - INTEGRATION Quick setup guide
Novell
Novell ZENWORKS APPLICATION VIRTUALIZATION 8.0.2 - INTEGRATION AND STREAMING GUIDE... User manual
Novell
Novell IFOLDER 3.6 - CROSS-PLATFORM User manual
Novell
Novell Account Management 2.1 User manual
Novell
Novell OPEN ENTERPRISE SERVER 2.0 SP2 - DOMAIN SERVICE FOR... Instruction Manual
Novell
Novell GROUPWISE 8 - MONITOR Instruction Manual
Novell
Novell GROUPWISE 7 - DATABASES User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 11 - ADMINISTRATION GUIDE... Instruction Manual
Novell
Novell ACCESS MANAGER 3.1 SP1 - SSL VPN SERVER GUIDE... User manual
Popular Software manuals by other brands
F-SECURE
F-SECURE MOBILE SECURITY 6 FOR WINDOWS MOBILE - user guide
HP
HP SN3000B Administrator's guide
Altigen
Altigen AltiServ user guide
Panasonic
Panasonic Workio DP-2310 operating instructions
Netscape
Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 Installation and setup guide
Canon
Canon CanoScan D1230UF user guide
Canon
Canon Networked Multi-Projection Set up and instructions
VBrick Systems
VBrick Systems VBRICK APPLIANCE VB4000 Admin guide
Fujitsu
Fujitsu ATLAS V14 user guide
Mitsubishi Electric
Mitsubishi Electric DX-PC55E Operation manual
Red Hat
Red Hat ENTERPRISE LINUX 5.1 - LVM ADMINISTRATION manual
Omron
Omron CX-SERVER LITE brochure
