Differences between revisions 65 and 81 (spanning 16 versions)
Revision 65 as of 2020-01-31 20:58:07
Size: 5639
Editor: nodiscc
Comment: move desktop notificationsn from AppArmor/Debug
Revision 81 as of 2022-08-24 19:54:43
Size: 7070
Editor: TheAnarcat
Comment: more debugging
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~ ~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[zh_CN/AppArmor/HowToUse|简体中文]]-~
Line 5: Line 5:
This page describes how to use '''AppArmor''' on Debian. This page describes how to use and troubleshoot '''AppArmor''' on Debian.
Line 43: Line 43:
Not that `deny` rules in profiles are enforced/blocked even in `complain` mode. Note that `deny` rules in profiles are enforced/blocked even in `complain` mode.
Line 78: Line 78:
 * Check newly [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|submitted pacthes/profiles]] for !AppArmor in Debian  * Check newly [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|submitted patches/profiles]] for !AppArmor in Debian
Line 117: Line 117:
The full log message should provide more information on what exact access has been denied. You can use this to tweak configs before turning them on in enforce mode. The full log message should provide more information on what exact access has been denied. You can use this to [[#Edit_AppArmor_profiles|edit profiles]] before turning them on in enforce mode.
Line 124: Line 124:
# after testing, re-enable it # after testing, re-enable it in complain mode
Line 126: Line 126:
# or
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
# or in enforce mode
$ sudo aa-enforce /etc/apparmor.d/usr.bin.example
Line 130: Line 130:
==== Destop notifications === Note that systemd '''might still load the profile''' if you have `AppArmorProfile` setup in the unit file. Then the proper way to disable the profile then is to comment out that line in the unit file, or through a systemd override.

=== Desktop notifications ===
Line 134: Line 136:
* If [[DebianPkg:auditd]] is not installed, your user should be a member of the `adm` [[SystemGroups|Group]]
* If auditd is installed, `/etc/xdg/autostart/apparmor-notify.desktop` should be modified as `Exec=sudo aa-notify -p -f /var/log/audit/audit.log`
 * If [[DebianPkg:auditd]] is not installed, your user should be a member of the `adm` [[SystemGroups|Group]]
 * If auditd is installed, `/etc/xdg/autostart/apparmor-notify.desktop` should be modified as `Exec=sudo aa-notify -p -f /var/log/audit/audit.log`
Line 137: Line 139:
=== Dumping profiles ===
Line 138: Line 141:
=== Edit AppArmor profiles ===

Profiles can be edited with a [[TextEditor|text editor]]. Once a profile has been edited, reload the profile in the kernel with [[DebianMan:8/apparmor_parser|apparmor_parser(8)]]:
In [[https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorMonitoring|AppArmorMonitoring]], the upstream wiki has information on how to debug the parsing of actual profiles. The DebianMan:apparmor_parser command has many different tools for this. For example, this will dump the preprocessed profile, flattening all the `#include` parameters in a single stream:
Line 144: Line 144:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example apparmor_parser --preprocess /etc/apparmor.d/usr.bin/man
Line 147: Line 147:
Restart the application and reverify logs. And this will do everything but loading the kernel, dumping the exact paths and settings passed into the kernel:
Line 149: Line 149:
{{{
apparmor_parser --skip-kernel-load --debug /etc/apparmor.d/usr.bin/man
}}}
Line 150: Line 153:
== Disable AppArmor == === Report bugs ===

If you've found a bug in an !AppArmor profile provided by a debian package, please [[AppArmor/Reportbug|report it]]

=== Disable AppArmor ===
Line 164: Line 171:
== Edit AppArmor profiles ==

You can find documentation on building your own profiles at '''[[AppArmor#External_links]]'''

Once a profile has been edited, reload the profile in the kernel with [[DebianMan:8/apparmor_parser|apparmor_parser(8)]]:

{{{
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example
}}}

Restart the application and reverify logs.

Note: the parser silently ignores rules that are not supported by the running kernel. To check which rules are actually enforced, pass the `--warn=rules-not-enforced --warn=rule-downgraded` options to `apparmor_parser`.





Translation(s): English - 简体中文

This page describes how to use and troubleshoot AppArmor on Debian.


Install AppArmor

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

The AppArmor Linux Security Modules (LSM) must be enabled from the linux kernel command line in the bootloader:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

AppArmor profiles can be set to different modes:

  • complain mode: violations to the policy will only be logged

  • enforce mode: operations that violate the policy will be blocked.

Note that deny rules in profiles are enforced/blocked even in complain mode.

Find out if AppArmor is enabled (returns Y if true):

$ cat /sys/module/apparmor/parameters/enabled

List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

$ sudo aa-status

List running executables which are currently confined by an AppArmor profile:

$ ps auxZ | grep -v '^unconfined'

List of processes with tcp or udp ports that do not have AppArmor profiles loaded:

$ sudo aa-unconfined
$ sudo aa-unconfined --paranoid

Find / install more profiles

AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To find more profiles:

Enabling profiles

Debian packages that install profiles to /etc/apparmor.d/ automatically enable them (complain mode). Other profiles need to be copied to this directory and manually set to complain or enforce mode.

For example to install an "extra" profile from the /usr/share/apparmor/extra-profiles/ directory provided by apparmor-profiles and set it to complain mode:

# list available profiles
$ ls /usr/share/apparmor/extra-profiles/

# install the profile
$ sudo cp /usr/share/apparmor/extra-profiles/usr.bin.example /etc/apparmor.d/

# set the profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.example

To set a profile to enforce mode, use aa-enforce instead of aa-complain. Beware though: many profiles are not up-to-date and will break functionality in enforce mode, be ready to debug!

Debug

AppArmor logs can be found in the systemd journal, in /var/log/syslog and /var/log/kern.log (and /var/log/audit.log when auditd is installed).

Diagnose if a bug might have been caused by AppArmor

Look in these logs for:

  • ALLOWED (logged when a profile in complain mode violates the policy)

  • DENIED (logged when a profile in enforce mode actually blocks an operation)

The full log message should provide more information on what exact access has been denied. You can use this to edit profiles before turning them on in enforce mode.

Sometimes, it's useful to disable a profile and to test again if the bug persists:

# disable a profile temporarily
$ sudo aa-disable /etc/apparmor.d/usr.bin.example
# after testing, re-enable it in complain mode
$ sudo aa-complain /etc/apparmor.d/usr.bin.example
# or in enforce mode
$ sudo aa-enforce /etc/apparmor.d/usr.bin.example

Note that systemd might still load the profile if you have AppArmorProfile setup in the unit file. Then the proper way to disable the profile then is to comment out that line in the unit file, or through a systemd override.

Desktop notifications

The apparmor-notify package provides desktop notifications (through aa-notify) when a policy violation occurs. The program should start automatically when you login.

  • If auditd is not installed, your user should be a member of the adm Group

  • If auditd is installed, /etc/xdg/autostart/apparmor-notify.desktop should be modified as Exec=sudo aa-notify -p -f /var/log/audit/audit.log

Dumping profiles

In AppArmorMonitoring, the upstream wiki has information on how to debug the parsing of actual profiles. The apparmor_parser command has many different tools for this. For example, this will dump the preprocessed profile, flattening all the #include parameters in a single stream:

apparmor_parser --preprocess /etc/apparmor.d/usr.bin/man

And this will do everything but loading the kernel, dumping the exact paths and settings passed into the kernel:

apparmor_parser --skip-kernel-load --debug /etc/apparmor.d/usr.bin/man

Report bugs

If you've found a bug in an AppArmor profile provided by a debian package, please report it

Disable AppArmor

AppArmor is a security mechanism and disabling it is not recommended. If you really need to disable AppArmor on your system:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Edit AppArmor profiles

You can find documentation on building your own profiles at AppArmor#External_links

Once a profile has been edited, reload the profile in the kernel with apparmor_parser(8):

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example

Restart the application and reverify logs.

Note: the parser silently ignores rules that are not supported by the running kernel. To check which rules are actually enforced, pass the --warn=rules-not-enforced --warn=rule-downgraded options to apparmor_parser.


CategorySystemSecurity