Looking at AppArmor profiles

In the /etc/apparmor.d directory, you'll see the AppArmor profiles for your system. (SELinux folk say policies, but AppArmor folk say profiles.):

donnie@ubuntu3:/etc/apparmor.d$ ls -l
total 72
drwxr-xr-x 5 root root 4096 Oct 29 15:21 abstractions
drwxr-xr-x 2 root root 4096 Nov 15 09:34 cache
drwxr-xr-x 2 root root 4096 Oct 29 14:43 disable
. . .
. . .

-rw-r--r-- 1 root root 125 Jun 14 16:15 usr.bin.lxc-start
-rw-r--r-- 1 root root 281 May 23 2017 usr.lib.lxd.lxd-bridge-proxy
-rw-r--r-- 1 root root 17667 Oct 18 05:04 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root 1527 Jan 5 2016 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1469 Sep 8 15:27 usr.sbin.tcpdump
donnie@ubuntu3:/etc/apparmor.d$

The sbin.dhclient file and the usr.* files are all AppArmor profiles. You'll find a few other profiles in the lxc and lxc-containers subdirectories. Still, though, there's not a whole lot there in the way of application profiles.

For some reason, a default installation of OpenSUSE comes with more installed profiles than Ubuntu Server does. To install more profiles on Ubuntu, just run this command:

sudo apt install apparmor-profiles apparmor-profiles-extra

In the abstractions subdirectory, you'll find files that aren't complete profiles but that can be included in complete profiles. Any one of these abstraction files can be included in any number of profiles. This way, you don't have to write the same code over and over every time you create a profile. Just include an abstraction file instead.

If you're familiar with programming concepts, just think of abstraction files as include files by another name.

The following is a partial listing of abstraction files:

donnie@ubuntu3:/etc/apparmor.d/abstractions$ ls -l
total 320
-rw-r--r-- 1 root root 695 Mar 15 2017 apache2-common
drwxr-xr-x 2 root root 4096 Oct 29 15:21 apparmor_api
-rw-r--r-- 1 root root 308 Mar 15 2017 aspell
-rw-r--r-- 1 root root 1582 Mar 15 2017 audio
. . .
. . .
-rw-r--r-- 1 root root 705 Mar 15 2017 web-data
-rw-r--r-- 1 root root 739 Mar 15 2017 winbind
-rw-r--r-- 1 root root 585 Mar 15 2017 wutmp
-rw-r--r-- 1 root root 1819 Mar 15 2017 X
-rw-r--r-- 1 root root 883 Mar 15 2017 xad
-rw-r--r-- 1 root root 673 Mar 15 2017 xdg-desktop
donnie@ubuntu3:/etc/apparmor.d/abstractions$

To get a feel for how AppArmor rules work, let's peek inside the web-data abstraction file:

/srv/www/htdocs/ r,
/srv/www/htdocs/** r,
# virtual hosting
/srv/www/vhosts/ r,
/srv/www/vhosts/** r,
# mod_userdir
@{HOME}/public_html/ r,
@{HOME}/public_html/** r,

/srv/www/rails/*/public/ r,
/srv/www/rails/*/public/** r,

/var/www/html/ r,
/var/www/html/** r,

This file is just a list of directories from which the Apache daemon is allowed to read files. Let's break it down:

  • Note that each rule ends with r, which denotes that we want Apache to have read access to each listed directory. Also note that each rule has to end with a comma.
  • /srv/www/htdocs/ r, means that Apache has read access to the listed directory itself.
  • /srv/www/htdocs/** r, the ** wildcard makes this rule recursive. In other words, Apache can read all files in all subdirectories of the specified directory.
  • # mod_userdir: if installed, this Apache module allows Apache to read web content files from a subdirectory within a user's home directory. The next two lines go along with that.
  • @{HOME}/public_html/ r, and @{HOME}/public_html/** r, the @{HOME} variable allows these rules to work with any user's home directory. (You'll see this variable defined in the /etc/apparmor.d/tunables/home file.)
  • Note that there's no specific rule that prohibits Apache from reading from other locations. Anything that's not listed here is simply understood to be off-limits to the Apache web server daemon.

The tunables subdirectory contains files that have predefined variables. You can also use this directory to either define new variables or make profile tweaks:

donnie@ubuntu3:/etc/apparmor.d/tunables$ ls -l
total 56
-rw-r--r-- 1 root root 624 Mar 15 2017 alias
-rw-r--r-- 1 root root 376 Mar 15 2017 apparmorfs
-rw-r--r-- 1 root root 804 Mar 15 2017 dovecot
-rw-r--r-- 1 root root 694 Mar 15 2017 global
-rw-r--r-- 1 root root 983 Mar 15 2017 home
. . .
. . .

-rw-r--r-- 1 root root 440 Mar 15 2017 proc
-rw-r--r-- 1 root root 430 Mar 15 2017 securityfs
-rw-r--r-- 1 root root 368 Mar 15 2017 sys
-rw-r--r-- 1 root root 868 Mar 15 2017 xdg-user-dirs
drwxr-xr-x 2 root root 4096 Oct 29 15:02 xdg-user-dirs.d
donnie@ubuntu3:/etc/apparmor.d/tunables$

Space doesn't permit me to show you the details of how to write your own profiles from scratch; thanks to the suite of utilities that we'll look at in the next section, you might never need to do that. Still, just to give you a better understanding about how AppArmor does what it does, the following is a chart of some example rules that you might find in any given profile:

Rule: /var/run/some_program.pid rw,
Explanation: The process will have read and write privileges for this process ID file.

Rule: /etc/ld.so.cache r,
Explanation: The process will have read privileges for this file.

Rule: /tmp/some_program.* l,
Explanation: The process will be able to create and delete links with the some_program name.

Rule: /bin/mount ux,
Explanation: The process has execute privileges for the mount utility, which will then run unconstrained. (Unconstrained means without an AppArmor profile.)
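To make the default-deny and wildcard behaviour concrete, the following is an added Python model of AppArmor file-rule matching, written for this section and not part of the book or of AppArmor itself: it parses rules in the path-plus-permissions form shown above and checks whether a given access is permitted. It assumes a constructed one-value @{HOME} tunable and a constructed rule set drawn from the web-data abstraction and the chart; the real policy compiler's matching is richer than this simplified model.

```python
import re

# Constructed stand-in for /etc/apparmor.d/tunables/home, simplified to one
# value per variable (the real @{HOME} lists several directories).
TUNABLES = {"HOME": "/home/*"}

# Constructed rule set: part of the web-data abstraction plus the chart's
# example rules. The exec mode ux is modelled here simply as 'x'.
RULES_TEXT = """
@{HOME}/public_html/ r,
@{HOME}/public_html/** r,
/var/www/html/ r,
/var/www/html/** r,
/var/run/some_program.pid rw,
/tmp/some_program.* l,
/bin/mount ux,
"""

def glob_to_regex(path):
    """AppArmor globbing: '*' stays inside one path component, '**' crosses '/'."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("**", i):
            out.append(".*"); i += 2
        elif path[i] in "*?":
            out.append("[^/]*" if path[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(path[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(text, tunables=TUNABLES):
    """Parse 'path perms,' lines into (regex, perms); a rule must end with a comma."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(","):
            raise ValueError("rule must end with a comma: " + line)
        path, perms = line[:-1].split()
        for name, value in tunables.items():  # expand @{VAR} from the tunables
            path = path.replace("@{" + name + "}", value)
        rules.append((glob_to_regex(path), perms))
    return rules

def allowed(rules, path, perm):
    """Default deny: granted only if some rule matches the path and lists perm."""
    return any(rx.match(path) and perm in perms for rx, perms in rules)

RULES = parse_rules(RULES_TEXT)
```

Calling allowed(RULES, "/home/donnie/public_html/index.html", "r") returns True, while a path under the same home directory that no rule lists returns False because nothing grants it.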


Now that you know about AppArmor profiles, let's look at some basic AppArmor utilities.
