Differences between revisions 1 and 62 (spanning 61 versions)
Revision 1 as of 2012-05-11 15:40:30
Size: 854
Editor: ?IntRigeri
Comment: Initial instructions draft.
Revision 62 as of 2020-01-31 20:28:20
Size: 5018
Editor: nodiscc
Comment: move info from AppArmor/Debug
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Install AppArmor userspace tools and some contributed profiles: ## page was renamed from AppArmor/HowTo
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~

This page describes how to use '''AppArmor''' on Debian.

<<TableOfContents>>

----

== Install AppArmor ==

!AppArmor is available in Debian since Debian 7 "Wheezy".

[[PackageManagement#Installing.2C_removing.2C_upgrading_software|Install]] !AppArmor userspace tools:

 * [[DebianPkg:apparmor]]
 * [[DebianPkg:apparmor-utils]]
 * [[DebianPkg:auditd]] (If you intend to use automatic profile generation tools)

== Enable AppArmor ==

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

The !AppArmor Linux Security Modules (LSM) must be enabled from the linux kernel command line in the bootloader:
Line 4: Line 28:
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils
}}}

Ena
ble the AppArmor LSM:

{{{

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee
/etc/default/grub.d/apparmor.cfg
Line 15: Line 35:
See what running executable is currently confined by an AppArmor profile:
== Inspect the current state ==

!AppArmor profiles can be set to different modes:

 * `complain` mode: violations to the policy will only be logged
 * `enforce` mode: operations that violate the policy will be blocked.

Not that `deny` rules in profiles are enforced/blocked even in `complain` mode.

Find out if !AppArmor is enabled (returns Y if true):

{{{
$ cat /sys/module/apparmor/parameters/enabled
}}}

List all loaded !AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

{{{
$ sudo aa-status
}}}

List running executables which are currently confined by an !AppArmor profile:
Line 21: Line 63:
One place to find more profiles is [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=new-profile;users=apparmor@packages.debian.org|the patches, with new profiles included, that were submitted to Debian]]. List of processes with tcp or udp ports that do not have !AppArmor profiles loaded:
Line 23: Line 65:
Once you've dropped the new profile into `/etc/apparmor.d/`, use `apparmor_parser(8)` to insert it into the kernel. {{{
$ sudo aa-unconfined
$ sudo aa-unconfined --paranoid
}}}
Line 25: Line 70:
AppArmor audit logs can be found in `/var/log/kern.log`.
== Find / install more profiles ==

!AppArmor profiles live in `/etc/apparmor.d/`. Some packages automatically install their own profiles in this directory. To find more profiles:

 * [[DebianPkg:apparmor-profiles-extra]] provides and enables Debian-specific (not upstreamed) profiles.
 * [[DebianPkg:apparmor-profiles]] provides various experimental profiles, and enables some by default.
 * Check the equivalent [[https://packages.ubuntu.com/search?keywords=apparmor-profiles|Ubuntu packages]]
 * Check newly [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|submitted pacthes/profiles]] for !AppArmor in Debian


== Enabling profiles ==

Debian packages that install profiles to `/etc/apparmor.d/` automatically enable them (`complain` mode). Other profiles need to be copied to this directory and manually set to `complain` or `enforce` mode.


For example to install an "extra" profile from the `/usr/share/apparmor/extra-profiles/` directory provided by [[DebianPkg:apparmor-profiles]] and set it to `complain` mode:


{{{
# list available profiles
$ ls /usr/share/apparmor/extra-profiles/

# install the profile
$ sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/

# set the profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example
}}}



To set a profile to enforce mode, use `aa-enforce` instead of `aa-complain`. '''Beware''' though: many profiles are not up-to-date and will break functionality in enforce mode, be ready to [[#Debug|debug]]!


== Debug ==

!AppArmor '''logs''' can be found in the [[systemd]] journal, in `/var/log/syslog` and `/var/log/kern.log` (and `/var/log/audit.log` when auditd is installed).

For more detailed instructions, please read the dedicated documentation for [[AppArmor/Debug|debugging AppArmor]].


=== Diagnose if a bug might have been caused by AppArmor ===

Look in these logs for `ALLOWED` (logged when a profile in `complain` mode violates the policy) and `DEBINED` (logged when a profile in `enforce` mode actually blocks an operation). The full log message should provide more information on what exact access has been denied. You can use this to tweak configs before turning them on in enforce mode.

Sometimes, it's useful to disable a profile and to test again if the bug persists:

{{{
# disable a profile temporarily
$ sudo aa-disable /etc/apparmor.d/usr.bin.example
# after testing, re-enable it
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
# or
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
}}}


== Disable AppArmor ==

Disable an individual profiles:

{{{
$ sudo aa-disable /etc/apparmor.d/usr.bin.example
}}}

Completely disable AppArmor on your system:

{{{
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot
}}}


== See also ==

 * [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] manpage


----

CategorySystemSecurity

Translation(s): none

This page describes how to use AppArmor on Debian.


Install AppArmor

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

The AppArmor Linux Security Modules (LSM) must be enabled from the linux kernel command line in the bootloader:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

AppArmor profiles can be set to different modes:

  • complain mode: violations to the policy will only be logged

  • enforce mode: operations that violate the policy will be blocked.

Not that deny rules in profiles are enforced/blocked even in complain mode.

Find out if AppArmor is enabled (returns Y if true):

$ cat /sys/module/apparmor/parameters/enabled

List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

$ sudo aa-status

List running executables which are currently confined by an AppArmor profile:

$ ps auxZ | grep -v '^unconfined'

List of processes with tcp or udp ports that do not have AppArmor profiles loaded:

$ sudo aa-unconfined
$ sudo aa-unconfined --paranoid

Find / install more profiles

AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To find more profiles:

Enabling profiles

Debian packages that install profiles to /etc/apparmor.d/ automatically enable them (complain mode). Other profiles need to be copied to this directory and manually set to complain or enforce mode.

For example to install an "extra" profile from the /usr/share/apparmor/extra-profiles/ directory provided by apparmor-profiles and set it to complain mode:

# list available profiles
$ ls /usr/share/apparmor/extra-profiles/

# install the profile
$ sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/

# set the profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example

To set a profile to enforce mode, use aa-enforce instead of aa-complain. Beware though: many profiles are not up-to-date and will break functionality in enforce mode, be ready to debug!

Debug

AppArmor logs can be found in the systemd journal, in /var/log/syslog and /var/log/kern.log (and /var/log/audit.log when auditd is installed).

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Diagnose if a bug might have been caused by AppArmor

Look in these logs for ALLOWED (logged when a profile in complain mode violates the policy) and DEBINED (logged when a profile in enforce mode actually blocks an operation). The full log message should provide more information on what exact access has been denied. You can use this to tweak configs before turning them on in enforce mode.

Sometimes, it's useful to disable a profile and to test again if the bug persists:

# disable a profile temporarily
$ sudo aa-disable /etc/apparmor.d/usr.bin.example
# after testing, re-enable it
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
# or
$ sudo aa-complain /etc/apparmor.d/usr.bin.example

Disable AppArmor

Disable an individual profiles:

$ sudo aa-disable /etc/apparmor.d/usr.bin.example

Completely disable AppArmor on your system:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

See also


CategorySystemSecurity