Diff for "AppArmor/HowToUse"

Differences between revisions 59 and 60

Translation(s): none

This page describes how to use AppArmor on Debian.

Contents

Install AppArmor
Enable AppArmor
Inspect the current state
Find / install more profiles
Enabling profiles
Debug
Disable AppArmor
See also

Install AppArmor

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

apparmor
apparmor-utils
auditd (If you intend to use automatic profile generation tools)

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the AppArmor Linux Security Modules (LSM):

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

AppArmor profiles can be set to different modes:

complain mode: violations to the policy will only be logged
enforce mode: operations that violate the policy will be blocked.

Not that deny rules in profiles are enforced/blocked even in complain mode.

List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

$ sudo aa-status

List running executables which are currently confined by an AppArmor profile:

$ ps auxZ | grep -v '^unconfined'

List of processes with tcp or udp ports that do not have AppArmor profiles loaded:

$ sudo aa-unconfined

Find / install more profiles

AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To find more profiles:

apparmor-profiles-extra provides and enables Debian-specific (not upstreamed) profiles.
apparmor-profiles provides various experimental profiles, and enables some by default.
Check the equivalent Ubuntu packages
Check newly submitted pacthes/profiles for AppArmor in Debian

Enabling profiles

Debian packages that install profiles to /etc/apparmor.d/ automatically enable them (complain mode). Other profiles need to be copied to this directory and manually set to complain or enforce mode.

For example to install an "extra" profile from the /usr/share/apparmor/extra-profiles/ directory provided by apparmor-profiles and set it to complain mode:

# list available profiles
$ ls /usr/share/apparmor/extra-profiles/

# install the profile
$ sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/

# set the profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example

To set a profile to enforce mode, use aa-enforce instead of aa-complain. Beware though: many profiles are not up-to-date and will break functionality in enforce mode, be ready to debug!

Debug

AppArmor audit logs can be found in the systemd journal, in /var/log/syslog and /var/log/kern.log (and /var/log/audit.log when auditd is installed).

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Disable AppArmor

Disable an individual profiles:

$ sudo aa-disable /etc/apparmor.d/usr.bin.example

Completely disable AppArmor on your system:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

-  ⇤ ← Revision 59 as of 2020-01-31 20:14:15 → 
  Size: 4015
  Editor: nodiscc
  Comment: /var/log/kern.log
+   ← Revision 60 as of 2020-01-31 20:16:25 → ⇥
  Size: 4068
  Editor: nodiscc
  Comment: /var/log/audit.log
-Deletions are marked like this.
+Additions are marked like this.
 Line 100:
-!AppArmor audit logs can be found in the [[systemd]] journal, in `/var/log/syslog` or `/var/log/kern.log`.
+!AppArmor audit logs can be found in the [[systemd]] journal, in `/var/log/syslog` and `/var/log/kern.log` (and `/var/log/audit.log` when auditd is installed).