A short guide to get you started on AppArmor
AppArmor is a Linux Security Module (LSM) that provides path-based mandatory access control: each confined program gets a profile listing the files it may touch and how, and everything else is denied. It is easy to learn and very effective at both preventing and containing exploits, because a compromised program can only reach what its profile allows. I suggest you make use of it.
This post is just a short crash course to get you set up and using AppArmor.
We first need to install the apparmor-utils package.
sudo apt-get install apparmor-utils
Once it is installed you should have access to the tools used below: aa-autodep, aa-genprof, aa-logprof, aa-complain and aa-enforce.
Let’s create our first profile. I’ll use Pidgin.
# aa-autodep pidgin
This creates a minimal pidgin profile in complain mode (the profile header carries flags=(complain)). In complain mode violations are logged but not blocked, so the program keeps working while you collect what it actually needs.
Close Pidgin (if it is open), start it again, use it the way you normally would, and close it. Then run:
# aa-logprof
At this point you’ll be greeted with the “complaints” that were logged, one at a time. Review each one and allow only what is needed. The access letters you will see are:
r: read access
w: write access
a: limited write access (append only)*
k: allows the program to lock the file
m: allows the file to be mapped into memory as executable (mmap with PROT_EXEC); the program’s own binary and its shared libraries need this
x: execution; it must always be qualified with one of the modes below
ix: executes the file under the constraints of the current profile (inherit)
ux**: executes the file outside of any profile (unconfined). Avoid this: it hands the child process, and anything that compromises it, full access to the system
Px**: executes the file in its own profile, which you will have to define (profile). If no profile exists for the target the exec fails, so define the child profile first
*Not to be confused with “allow”: a is a permission inside a rule, while (A)llow is the prompt choice in aa-logprof that writes the rule into the profile.
**A capital P or U means the environment is sanitized before the new program runs (variables such as LD_PRELOAD and LD_LIBRARY_PATH are scrubbed, the same way the kernel treats setuid binaries). Lowercase px and ux pass the environment through unchanged. Sanitize whenever possible.
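What aa-logprof reads is the kernel audit log, and each record already carries almost everything a rule needs: the path, the requested access and the uids involved. As an added example that is not part of the original post, the script below is a small non-interactive stand-in for that step. It parses constructed audit lines (the user alice, the pids and the paths are invented; the field layout is the real one) and prints the candidate rule each record would become, adding the owner prefix when the process fsuid matches the file owner and defaulting an exec to ix. It is meant for learning the log format, not as a replacement for aa-logprof, which also offers globbing and abstractions.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny, non-interactive stand-in
# for what aa-logprof does with complain-mode audit records. It reads kernel
# audit lines and prints the candidate rule each one would become.
# All log lines below are CONSTRUCTED samples in the real audit field layout;
# the user "alice", the pids and the paths are invented.

# Print the value of key=... from one audit line (quotes stripped), or nothing.
field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# Turn one ALLOWED/DENIED record into a candidate file rule.
# Returns 1 (and prints nothing) for records that are not file accesses.
suggest_rule() {
    line=$1
    case "$(field "$line" apparmor)" in
        ALLOWED|DENIED) ;;
        *) return 1 ;;          # STATUS records (profile loads etc.) carry no access
    esac
    name=$(field "$line" name)
    [ -n "$name" ] || return 1  # capability / network records: not handled here
    mask=$(field "$line" requested_mask)
    fsuid=$(field "$line" fsuid)
    ouid=$(field "$line" ouid)

    prefix=""
    # Process fsuid equals the file's owner: the narrower "owner" form is enough
    if [ -n "$fsuid" ] && [ "$fsuid" = "$ouid" ]; then
        prefix="owner "
    fi

    if [ "$(field "$line" operation)" = "exec" ]; then
        # An execute needs a mode. "ix" keeps the child under this profile and
        # is the safe default; choose Px only if the child has its own profile.
        printf '%s%s ix,\n' "$prefix" "$name"
    else
        printf '%s%s %s,\n' "$prefix" "$name" "$mask"
    fi
}

# Read audit lines on stdin and emit a deduplicated rule list ready to paste
# into a profile. Review every line: allow only what the program really needs.
rules_from_log() {
    while IFS= read -r l; do
        suggest_rule "$l" || true
    done | LC_ALL=C sort -u
}

# Constructed sample records from one exercise of pidgin in complain mode
SAMPLE_LOAD='audit: type=1400 audit(1700000000.100:200): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/pidgin" pid=4100 comm="apparmor_parser"'
SAMPLE_OPEN='audit: type=1400 audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/home/alice/.purple/accounts.xml" pid=4242 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
SAMPLE_WRITE='audit: type=1400 audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/home/alice/.purple/prefs.xml" pid=4242 comm="pidgin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'
SAMPLE_ETC='audit: type=1400 audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/etc/purple/prefs.xml" pid=4242 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
SAMPLE_EXEC='audit: type=1400 audit(1700000000.104:204): apparmor="ALLOWED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/xdg-open" pid=4250 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'

# Stand-alone run: print the candidate rules for the samples
printf '%s\n' "$SAMPLE_LOAD" "$SAMPLE_OPEN" "$SAMPLE_WRITE" "$SAMPLE_OPEN" \
    "$SAMPLE_ETC" "$SAMPLE_EXEC" | rules_from_log
```

Run as a script it prints four rules for the samples (the STATUS record and the duplicate open are dropped). To try it on real records, pipe dmesg, or /var/log/audit/audit.log on hosts running auditd, into rules_from_log, and treat the output as a starting point for review rather than something to paste in blindly.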
To test the profile, switch it to enforce mode:
# aa-enforce /etc/apparmor.d/usr.bin.pidgin
If the program stops working under enforcement, set it back to complain mode, exercise it again, rerun aa-logprof to pick up what was missed, and then enforce once more:
# aa-complain /etc/apparmor.d/usr.bin.pidgin
The first few times I set up a profile I ended up with a super convoluted mess. It was terrible. I wiped it, started over, and actually *thought* before I hit “allow” or “inherit”, and in very little time I was able to create many profiles for my programs.
Profiles are stored in /etc/apparmor.d/ under a name derived from the program’s path with the leading slash dropped and the remaining slashes replaced by dots, so for pidgin it’s /etc/apparmor.d/usr.bin.pidgin. You can edit a profile with a text editor; after a manual edit the kernel still has the old version loaded, so reload it (the aa-* tools do this for you):
# apparmor_parser -r /etc/apparmor.d/usr.bin.pidgin
The syntax is really simple, and I suggest you have a look at a few existing profiles before you start.
1) Instead of aa-autodep you can try aa-genprof, which combines the steps above: it creates the initial profile in complain mode, waits while you exercise the program, and then walks you through the logged events the way aa-logprof does.
2) Development profiles can be a great place to start. You can get them here:
On Debian and Ubuntu the apparmor-profiles package also ships a set of extra profiles, most of them in complain mode, that you can use as templates.
3) AppArmor profiles can get complicated. Don’t bother trying to profile something like compiz: it touches half the desktop, and a profile broad enough to let it run protects nothing. A program that parses untrusted input from the network, like Pidgin or xchat, is a perfect candidate.
4) The “owner” tag is your friend. Sometimes you have to give a program really unruly access to your file system (/home/** rw). Prefixing the rule with owner (owner /home/** rw,) means the profiled program can only read and write files whose owner matches the user the process is running as, so even under that broad glob it cannot touch other users’ files or root-owned ones.
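To show what the rule letters, the owner prefix and the file naming convention look like together, here is a hand-written /etc/apparmor.d/usr.bin.pidgin as an added example. It is not a profile shipped by Pidgin, Ubuntu or the AppArmor project; the plugin directories and per-user paths are assumptions for illustration, and the abstractions it includes are the standard ones from the apparmor package. Trim it to what your own aa-logprof output shows.

```apparmor
# /etc/apparmor.d/usr.bin.pidgin  (illustrative example, not a shipped profile;
# the path list is an assumption; compare it against your own aa-logprof output)
#include <tunables/global>

# aa-autodep writes flags=(complain); aa-enforce removes it when you are done
/usr/bin/pidgin flags=(complain) {
  #include <abstractions/base>         # libc, locale and /proc bits every program needs
  #include <abstractions/nameservice>  # /etc/hosts, resolv.conf, nsswitch
  #include <abstractions/fonts>
  #include <abstractions/gnome>        # X, GTK, icon and theme files
  #include <abstractions/user-tmp>

  # The binary and its plugins: read and map executable (m), never write, so a
  # compromised Pidgin cannot drop a plugin that gets loaded on the next start.
  # (Plugin directories are an assumption for this example.)
  /usr/bin/pidgin mr,
  /usr/lib/pidgin/*.so mr,
  /usr/lib/purple-2/*.so mr,

  # Read-only data
  /usr/share/pidgin/** r,
  /usr/share/purple/** r,
  /etc/purple/** r,

  # Per-user state. "owner" limits each rule to files owned by the user running
  # Pidgin, so a glob under @{HOME} cannot reach other users' files.
  owner @{HOME}/.purple/ rw,
  owner @{HOME}/.purple/*.xml rwk,    # accounts.xml, prefs.xml, blist.xml; k = file locking
  owner @{HOME}/.purple/icons/** rw,
  owner @{HOME}/.purple/logs/** ra,   # chat logs are only appended to: a, not w
  owner @{HOME}/.purple/** r,

  # Opening a link hands off to the browser in its own profile with a scrubbed
  # environment (Px); if /usr/bin/xdg-open has no profile the exec fails.
  /usr/bin/xdg-open Px,
  # A helper shell stays confined by this profile (ix)
  /bin/dash ix,

  # Chat protocols need sockets; a file-only profile would block them
  network inet stream,
  network inet6 stream,

  # Things the program must never reach, even if a broad glob is added later
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
```

Two points worth noticing: the deny rules win over any allow rule that matches the same path, which makes them a cheap guard against a later "just give it /home/** rw" edit, and the a on the chat-log rule is deliberately narrower than w, so a bug in the logging code cannot be turned into a way to overwrite existing files.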