Linux Apparmor Security Tool

Managing resources with Apparmor

Controlling Resources with Apparmor


What is AppArmor? AppArmor is a mandatory access control feature found on many Linux distributions; SLES (SUSE Linux Enterprise Server), openSUSE and Ubuntu all ship with it. It is a kernel security module that confines programs to a limited set of resources. What makes AppArmor different from other security tools is that it binds access control attributes to programs, identified by the path of their executable, rather than to individual users.

Confinement is defined by profiles, one per program, which are loaded into the kernel. A loaded profile runs in one of two modes: "complain mode" or "enforce mode".



Complain Mode


Profiles loaded in complain mode do not enforce policy. Instead, every access the policy would have refused is recorded in the system log while the program carries on unhindered. This mode is for developing and debugging profiles. aa-complain puts a profile into complain mode; aa-enforce switches it back to enforce mode.


Enforce Mode


Profiles loaded in enforce mode have their policy enforced: any access the profile does not allow is refused and logged.

Profiles are stored under "/etc/apparmor.d". The file name is the path of the confined binary with the leading slash dropped and every remaining slash replaced by a dot:

/usr/sbin/cupsd would be created as usr.sbin.cupsd


Example of "/etc/apparmor.d"



john@ubuntu1304:/etc/apparmor.d$ ls -l
total 80
drwxr-xr-x 3 root root 4096 Apr 15 08:35 abstractions
drwxr-xr-x 2 root root 4096 Apr 17 22:53 cache
drwxr-xr-x 2 root root 4096 Apr 15 08:33 disable
drwxr-xr-x 2 root root 4096 Dec  7 13:41 force-complain
-rw-r--r-- 1 root root  373 Apr  3 04:56 lightdm-guest-session
-rw-r--r-- 1 root root  461 Oct  1  2012 lightdm-remote-session-freerdp
-rw-r--r-- 1 root root  484 Oct  1  2012 lightdm-remote-session-uccsconfigure
drwxr-xr-x 2 root root 4096 Apr 15 08:35 local
-rw-r--r-- 1 root root 2234 Mar 14 21:20 sbin.dhclient
drwxr-xr-x 4 root root 4096 Apr 15 08:34 tunables
-rw-r--r-- 1 root root 5048 Feb 22 14:03 usr.bin.evince
-rw-r--r-- 1 root root 4380 Apr  4 21:13 usr.bin.firefox
-rw-r--r-- 1 root root 4843 Jan  9 22:21 usr.lib.telepathy
-rw-r--r-- 1 root root 4410 Apr 12 10:27 usr.sbin.cupsd
-rw-r--r-- 1 root root 1393 Nov 12 11:55 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1418 Aug 20  2012 usr.sbin.tcpdump 

The profiles above are plain text files that can be read and edited directly.

A profile attaches to a process when the confined binary is executed. A process that was already running when its profile was loaded stays unconfined until it is restarted; apparmor_status reports such processes as "unconfined but have a profile defined", so that line is worth watching after loading or changing a profile for a long-running service.


Viewing the status of AppArmor


To view the status of AppArmor, we can execute the following command:

as root: apparmor_status (or, via sudo, sudo apparmor_status; the aa-status command prints the same report)



john@ubuntu1304:/etc/apparmor.d$ sudo apparmor_status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (785)
   /usr/lib/telepathy/mission-control-5 (1813)
   /usr/sbin/cupsd (522)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Here we can see that 21 profiles are loaded, all in enforce mode, and that three running processes (dhclient, mission-control-5 and cupsd) are confined by them. The remaining profiles have no matching process running at the moment, which is normal for programs that are not currently active; their profile will attach the next time the binary is executed.
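The two lines of that report a practitioner actually acts on are the complain-mode count (policy is only being logged) and the "unconfined but have a profile defined" count (the program started before its profile was loaded and needs a restart). The following shell functions, an added example that is not part of the original page, pull those sections out of apparmor_status output so the check can run from a script or a cron job. The sample report they are run against here is constructed in the same format as the output above, not captured from a real host.

```shell
# Added example, not from the original page: triage apparmor_status output.
# Two conditions matter operationally:
#   - profiles in complain mode: violations are logged, not blocked
#   - processes "unconfined but have a profile defined": the profile was loaded
#     after the process started, so it runs unconfined until restarted

# One-line summary of the two counts, read from stdin.
aa_status_summary() {
    awk '
        / profiles are in complain mode/                      { complain = $1 }
        / processes are unconfined but have a profile defined/ { unconfined = $1 }
        END { printf "complain_profiles=%d unconfined_with_profile=%d\n", complain + 0, unconfined + 0 }
    '
}

# Entries listed under the first count line matching PATTERN, read from stdin.
# apparmor_status indents the entries; the list ends at the next "N ..." count line.
aa_status_section() {
    awk -v pat="$1" '
        !inside && $0 ~ pat  { inside = 1; next }
        inside && /^[0-9]+ / { inside = 0 }
        inside               { sub(/^[ \t]+/, ""); print }
    '
}

# Return 0 when every loaded profile is enforced and every process that has a
# profile is really confined; otherwise print what needs attention and return 1.
aa_status_check() {
    status=$(cat)
    rc=0
    complain=$(printf '%s\n' "$status" | aa_status_section ' profiles are in complain mode')
    if [ -n "$complain" ]; then
        printf 'profiles still in complain mode:\n%s\n' "$complain"
        rc=1
    fi
    unconfined=$(printf '%s\n' "$status" | aa_status_section 'unconfined but have a profile defined')
    if [ -n "$unconfined" ]; then
        printf 'running unconfined despite a loaded profile (restart these):\n%s\n' "$unconfined"
        rc=1
    fi
    return $rc
}

# Constructed sample in apparmor_status format (not captured from a real host):
# /bin/testls is still in complain mode and rsyslogd started before its profile was loaded.
aa_sample_status() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/sbin/rsyslogd
1 profiles are in complain mode.
   /bin/testls
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (522)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/rsyslogd (600)
EOF
}

# On a real host:  sudo apparmor_status | aa_status_check
if aa_sample_status | aa_status_check; then
    echo "all loaded profiles enforced and attached"
fi
```

Against the sample the check reports both /bin/testls (complain mode) and rsyslogd (600) (unconfined) and exits non-zero; on a clean host it prints nothing and exits 0, which makes it usable as a monitoring probe.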

AppArmor is installed and enabled by default on Ubuntu, which ships with a set of ready-made profiles. The most useful functionality, however, is the ability to create custom profiles of your own that tailor permissions to exactly what a program needs.


Creating your Own Profiles in Apparmor


To create your own profile, you run the program while AppArmor records its accesses and exercise everything that counts as normal use: starting, stopping and every function you want the profile to permit. Anything you skip will be missing from the profile and will be refused once the profile is enforced.

For this example, I am going to confine a copy of the "ls" binary rather than ls itself. AppArmor attaches a profile by executable path, so a profile for /bin/testls confines only that path and leaves /bin/ls unconfined; a mistake in the profile cannot break the real ls. First we need to locate the binary using the "whereis" command:



john@ubuntu1304:/bin$ whereis ls
ls: /bin/ls /usr/share/man/man1/ls.1.gz

john@ubuntu1304:/bin$ sudo cp -p ls testls

john@ubuntu1304:/bin$ ls -l ls
-rwxr-xr-x 1 root root 108708 Jan 17 05:18 ls
john@ubuntu1304:/bin$ ls -l testls
-rwxr-xr-x 1 root root 108708 Jan 17 05:18 testls 

Install apparmor-utils


The profiling tools used below (aa-genprof, aa-logprof, aa-complain and aa-enforce) are in the "apparmor-utils" package: sudo apt-get install apparmor-utils



Generating a profile with aa-genprof


The command used to generate a profile is "aa-genprof". You need to run this utility and supply the path to the program you wish to create a profile for:

sudo aa-genprof /path/to/binary (in our example /bin/testls would be the path to use)



john@ubuntu1304:/bin$ sudo aa-genprof /bin/testls
Writing updated profile for /bin/testls.
Setting /bin/testls to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
http://wiki.apparmor.net/index.php/Profiles

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /bin/testls

[(S)can system log for AppArmor events] / (F)inish 

When you see the above in your terminal, leave aa-genprof running. In another terminal start the program you wish to profile and run through the test plan you have decided upon. aa-genprof has put the profile into complain mode, so nothing is blocked at this point; every access is only logged. The more comprehensive your test plan, the fewer problems you will run into later, so test all the functions available to your program.

After you are done executing your test plan, return to your original terminal and press the S key to scan the system log for AppArmor events.

For each event recorded in the log, you will be prompted to choose an action: [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts. Allow and Deny add an allow or deny rule for the path shown; Glob widens the rule by replacing the last path component with a wildcard, Glob w/Ext does the same while keeping the file extension, and New lets you type a pattern of your own. Where an abstraction (a reusable rule set under /etc/apparmor.d/abstractions) already covers the path, it is offered as an alternative to the bare path.

At the end of the process, you will be asked to save your profile. Once you choose Finish, aa-genprof writes the profile and switches it to enforce mode, as the transcript shows.



Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  /bin/testls
Path:     /etc/group
Mode:     r
Severity: 4

  1 - #include <abstractions/apache2-common>
  2 - #include <abstractions/lightdm>
  3 - #include <abstractions/nameservice>
 [4 - /etc/group]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile:  /bin/testls
Path:     /etc/passwd
Mode:     r
Severity: 4

  1 - #include <abstractions/apache2-common>
  2 - #include <abstractions/lightdm>
  3 - #include <abstractions/nameservice>
 [4 - /etc/passwd]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/passwd r to profile.

Profile:  /bin/testls
Path:     /home/john/
Mode:     r
Severity: 4

  1 - /home/john/
 [2 - /home/*/]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /home/*/ r to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

 [1 - /bin/testls]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/testls.

Profiling: /bin/testls

[(S)can system log for AppArmor events] / (F)inish


Setting /bin/testls to enforce mode.
Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile! See
the following wiki page for more information:
http://wiki.apparmor.net/index.php/Profiles

Finished generating profile for /bin/testls. 

We can now see our profile has been added (22 profiles loaded, /bin/testls among them). No testls process appears under the process counts because ls exits as soon as it has printed its output; the extra cupsd entry (2508) is simply a second cupsd process that has started in the meantime.



john@ubuntu1304:/bin$ sudo apparmor_status
apparmor module is loaded.
22 profiles are loaded.
22 profiles are in enforce mode.
   /bin/testls
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (785)
   /usr/lib/telepathy/mission-control-5 (1813)
   /usr/sbin/cupsd (522)
   /usr/sbin/cupsd (2508)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined. 

Enabling Complain Mode and Tweaking your Profile


aa-genprof leaves the new profile in enforce mode. To keep refining it, switch it back to complain mode, in which AppArmor does not restrict the program at all but logs every access the profile would otherwise have blocked:

sudo aa-complain /path/to/binary



john@ubuntu1304:/bin$ sudo aa-complain /bin/testls
Setting /bin/testls to complain mode. 

Once in "Complain Mode", use the program normally for a while. Then run aa-logprof to scan the system log for the recorded AppArmor events and update your profile through the same prompts aa-genprof uses: sudo aa-logprof



john@ubuntu1304:/bin$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  /bin/testls
Path:     /bin/
Mode:     r
Severity: unknown


  1 - #include <abstractions/lightdm>
 [2 - /bin/]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Adding /bin/ r to profile.

Profile:  /bin/testls
Path:     /home/
Mode:     r
Severity: 4

 [1 - /home/]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /home/ r to profile.

Profile:  /bin/testls
Path:     /usr/sbin/
Mode:     r
Severity: unknown


  1 - #include <abstractions/lightdm>
 [2 - /usr/sbin/]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

 [1 - /bin/testls]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/testls. 

For test purposes, I chose "Deny" for the directory "/usr/sbin". We will see the impact of this choice a little later.
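aa-logprof is reading raw kernel audit messages out of /var/log/syslog: complain mode writes apparmor="ALLOWED" for an access that went through but would have been blocked, and enforce mode writes apparmor="DENIED". It is often useful to summarise those lines yourself, either to see what a profile is missing before sitting through the prompts, or to watch an enforced profile in production. The functions below are an added example, not part of the original page or of the apparmor-utils tools; they parse the key="value" fields of those messages with awk. The log lines they run on are constructed in the Ubuntu 13.04 syslog format, not captured from the host in the article. One caveat the example deliberately reflects: an access matched by an explicit deny rule, such as the "/usr/sbin/" deny chosen above, produces no log line at all unless the rule is written as "audit deny", so a DENIED entry only ever appears for paths the profile says nothing about.

```shell
# Added example, not from the original page: summarise AppArmor audit events
# from syslog non-interactively, the raw material aa-logprof works from.
#   apparmor="ALLOWED"  complain mode: access went through, would have been blocked
#   apparmor="DENIED"   enforce mode: access refused (absent any matching rule)
# Accesses hit by an explicit "deny" rule are silent unless written "audit deny".

# Print "STATUS PROFILE PATH MASK COUNT", one line per distinct tuple, sorted.
# Limitation: paths containing spaces split into extra fields and are skipped or truncated.
aa_log_summary() {
    awk '
        /apparmor="(ALLOWED|DENIED)"/ {
            status = profile = name = mask = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "apparmor")         status  = val
                else if (kv[1] == "profile")     profile = val
                else if (kv[1] == "name")        name    = val
                else if (kv[1] == "denied_mask") mask    = val
            }
            if (profile != "" && name != "")
                count[status " " profile " " name " " mask]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Candidate profile rules for PROFILE, derived from what the log shows it touching.
# Review each one (and consider globbing, as aa-logprof offers) before adding it.
aa_log_rules() {
    aa_log_summary | awk -v p="$1" '$2 == p { print $3, $4 "," }' | LC_ALL=C sort -u
}

# Constructed sample syslog lines (not captured from a real host): a complain-mode
# run of testls, the profile reload by aa-enforce, then one enforce-mode refusal.
aa_sample_log() {
    cat <<'EOF'
May 10 22:10:01 ubuntu1304 kernel: [ 5123.456789] type=1400 audit(1368220201.123:45): apparmor="ALLOWED" operation="open" parent=2590 profile="/bin/testls" name="/etc/group" pid=2601 comm="testls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 10 22:10:01 ubuntu1304 kernel: [ 5123.456901] type=1400 audit(1368220201.124:46): apparmor="ALLOWED" operation="open" parent=2590 profile="/bin/testls" name="/etc/passwd" pid=2601 comm="testls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 10 22:10:05 ubuntu1304 kernel: [ 5127.112233] type=1400 audit(1368220205.001:47): apparmor="ALLOWED" operation="open" parent=2590 profile="/bin/testls" name="/home/john/" pid=2603 comm="testls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 10 22:10:05 ubuntu1304 kernel: [ 5127.112299] type=1400 audit(1368220205.002:48): apparmor="ALLOWED" operation="open" parent=2590 profile="/bin/testls" name="/home/john/" pid=2604 comm="testls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 10 22:18:40 ubuntu1304 kernel: [ 5642.000001] type=1400 audit(1368220720.500:49): apparmor="STATUS" operation="profile_replace" name="/bin/testls" pid=2700 comm="apparmor_parser"
May 10 22:19:02 ubuntu1304 kernel: [ 5664.000002] type=1400 audit(1368220742.001:50): apparmor="DENIED" operation="open" parent=2590 profile="/bin/testls" name="/etc/" pid=2710 comm="testls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
}

# On a real host:  sudo cat /var/log/syslog | aa_log_summary
aa_sample_log | aa_log_summary
echo '--- rules /bin/testls would need ---'
aa_sample_log | aa_log_rules /bin/testls
```

The STATUS line (the profile_replace written when aa-enforce reloaded the profile) is ignored; only ALLOWED and DENIED events are counted, and repeated accesses to the same path collapse into one line with a count. Hosts running auditd receive these messages in /var/log/audit/audit.log instead of syslog; the field format is the same, so the functions work on that file too.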


Using Enforce Mode to Lock Down the Application


After you have finished adjusting your AppArmor profile, switch it to enforce mode to lock the application down:

sudo aa-enforce /path/to/binary



john@ubuntu1304:/bin$ sudo aa-enforce /bin/testls
Setting /bin/testls to enforce mode.

Now that we have enforced our policy for "testls", we can run our test:



john@ubuntu1304:/bin$ testls /usr/sbin
testls: cannot open directory /usr/sbin: Permission denied 

We can now see that choosing the "Deny" option earlier has blocked the "testls" command from listing the directory "/usr/sbin". Note that this refusal leaves no trace in the log: explicit deny rules are quiet by default, and you need to write the rule as "audit deny" if you want such attempts reported.

If we take a look at the profile that was written, we can see the deny rule. A deny rule takes precedence over any allow rule matching the same path, so it cannot be accidentally overridden by a later, broader allow:



john@ubuntu1304:/etc/apparmor.d$ cat bin.testls
# Last Modified: Fri May 10 22:18:20 2013
#include <tunables/global>

/bin/testls {
  #include <abstractions/base>


  deny /usr/sbin/ r,

  /bin/ r,
  /bin/testls mr,
  /etc/group r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /home/ r,
  /home/*/ r,

}
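The profile above is plain text, and nothing stops you from writing one by hand instead of driving aa-genprof. The script below is an added example, not part of the original page or of the AppArmor project: it derives the /etc/apparmor.d file name with the naming convention described earlier, writes a first-cut profile that starts in complain mode via the flags=(complain) profile option, and then lists any plain deny rules, since those refuse access silently and are easy to forget about. The rules it writes for /bin/testls are constructed for the demonstration and are not the ones aa-genprof produced above; the temporary directory stands in for /etc/apparmor.d.

```shell
# Added example, not from the original page: write a first-cut profile by hand
# (the non-interactive alternative to aa-genprof) and check it for quiet denies.

# Map a binary path to its profile file name: /usr/sbin/cupsd -> usr.sbin.cupsd
aa_profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Write a profile for BIN into DIR (/etc/apparmor.d on a real host).
# Remaining arguments are rules, one per argument, e.g. '/etc/passwd r'.
# flags=(complain) means nothing is blocked yet, only logged; remove the flag
# (or run aa-enforce) once the rule set is complete.  Prints the file written.
aa_write_profile() {
    bin=$1; dir=$2; shift 2
    out="$dir/$(aa_profile_name "$bin")"
    {
        printf '#include <tunables/global>\n\n'
        printf '%s flags=(complain) {\n' "$bin"
        printf '  #include <abstractions/base>\n\n'
        printf '  %s mr,\n' "$bin"          # the binary may map (m) and read (r) itself
        for rule in "$@"; do printf '  %s,\n' "$rule"; done
        printf '}\n'
    } >"$out"
    printf '%s\n' "$out"
}

# List deny rules that lack the audit qualifier. Accesses matched by a plain
# "deny" are refused without a log line, so nobody watching the log sees them;
# write "audit deny ..." for anything you want reported.
aa_profile_quiet_denies() {
    awk '/^[ \t]*deny[ \t]/' "$1"
}

# Demo against a temporary directory (constructed rules, not a captured profile).
demo_dir=$(mktemp -d)
demo=$(aa_write_profile /bin/testls "$demo_dir" \
    '/etc/passwd r' 'deny /usr/sbin/ r' 'audit deny /root/ r')
cat "$demo"
echo '--- quiet deny rules (consider "audit deny") ---'
aa_profile_quiet_denies "$demo"
rm -rf "$demo_dir"
# On a real host, after writing to /etc/apparmor.d:
#   sudo apparmor_parser -r /etc/apparmor.d/bin.testls    (load or replace the profile)
#   sudo aa-enforce /bin/testls                           (once the rules are complete)
```

The deny for /usr/sbin/ is reported as a quiet rule while the audit deny for /root/ is not; the second form is the one to use when a refusal should show up in the log for the triage above.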

The easiest way to learn AppArmor and its functionality is to create a test profile like this one and modify it to see what results you get. As always, man apparmor gives an overview, and man apparmor.d documents the profile syntax used in the file above.