Professional Documents
Culture Documents
2)
Quick Start
1
a profile does not exist, genprof creates one using au- Finish
todep. Close logprof or YaST, saving all rule changes entered
logprof so far and modifying all profiles.
Manage AppArmor profiles. logprof is an interactive tool
used to review the learning or complain mode output Example Profile
found in the AppArmor syslog entries and to generate
new entries in AppArmor profiles. # a comment about foo.
unconfined /usr/bin/foo {
Output a list of processes with tcp or udp ports that do /bin/mount ux,
not have AppArmor profiles loaded. /dev/{,u}random r,
/etc/ld.so.cache r,
Methods of Profiling /etc/foo.conf r,
/etc/foo/* r,
Stand-Alone Profiling
/lib/ld-*.so* x,
Using genprof. Suitable for profiling small applications.
/lib/lib*.so* r,
Systemic Profiling /proc/[0-9]** r,
Suitable for profiling large numbers of programs all at /usr/lib/** r,
once and for profiling applications that may run “forev- /tmp/foo.pid wr,
er.” /tmp/foo.* lrw,
}
To apply systemic profiling, proceed as follows:
# a comment about foo's subprofile, bar.
1. Create profiles for the individual programs that /usr/bin/foo^bar {
make up your application (autodep). /lib/ld-*.so* x,
2. Put relevant profiles into learning or complain mode. /usr/bin/bar x,
3. Exercise your application. /var/spool/* rwl,
4. Analyze the log (logprof). }
5. Repeat Steps 3-4.
6. Edit the profiles.
Structure of a Profile
7. Return to enforce mode.
Profiles are simple text files in the /etc/subdomain.d
8. Rescan all profiles (rcsubdomain restart).
directory. They consist of several parts: #include, capability
entries, rules, and “hats.”
Learning Mode
When using genprof, logprof, or YaST in learning mode, #include
you get several options for how to proceed: This is the section of an AppArmor profile that refers to an
include file, which procures access permissions for programs.
Allow By using an include, you can give the program access to
Grant access. directory paths or files that are also required by other pro-
Deny grams. Using includes can reduce the size of a profile. It is
Prevent access. good practice to select includes when suggested.
Glob
Modify the directory path to include all files in the sug- To assist you in profiling your applications, AppArmor pro-
gested directory. vides two classes of #includes: abstractions and program
chunks.
Glob w/Ext
Modify the original directory path while retaining the
filename extension. This allows the program to access
Capability Entries (POSIX.1e)
all files in the suggested directories that end with the Capabilities statements are simply the word “capability”
specified extension. followed by the name of the POSIX.1e capability as defined
Edit in the capabilities(7) man page.
Enable editing of the highlighted line. The new (edited)
line appears at the bottom of the list. This option is called Rules: General Options for Files and
New in the logprof and genprof command line tools. Directories
Abort Option File Description
Abort logprof or YaST, losing all rule changes entered
read r
so far and leaving all profiles unmodified.
2
Option File Description Apache module mod-change-hat provides this function-
ality for the Apache2 Web server that ships with SLES 9 SP3.
write w
link l (necessary for delet- Helpful Additions
ing=unlink)
Subdomain.vim
Rules: Defining Execute Permissions Subdomain.vim colors:
For executables that may be called from the confined pro-
Blue
grams, the profile creating tools ask you for an appropriate
#include lines that pull in other Novell AppArmor rules
mode, which is also reflected directly in the profile itself:
and comments that begin with #
Option File Description White
Ordinary read access lines
Inherit ix Stay in the same (parent's) profile.
Brown
Profile px Requires that a separate profile Capability statements and complain flags
exists for the executed program.
Yellow
Uncon- ux Executes the program without a Lines that grant write access
strained profile. Avoid running programs Green
in unconstrained or unconfined Lines that grant execute permission (either ix or px)
mode for security reasons.
Red
Lines that grant unconfined access (ux)
Rules: Paths and Globbing
Red Background
Glob Description Syntax errors that are not loading properly into the
* Substitutes for any number of characters, AppArmor modules
except /.
Autodocumentation
** Substitutes for any number of characters,
including /. The tool “sitar” provided with SLES 9 SP 3 gathers all system
configuration information available from your system and
? Substitutes for any single character, ex- creates comprehensive system documentation. It can be
cept /. used to document all new and changed profiles.
[ abc ] Substitutes for the single character a, b,
or c. Logging and Auditing
[ a-c ] Substitutes for the single character a, b, All AppArmor events are logged using the system's syslog-
or c. interface. On top of this infrastructure, event notification
{ ab,cd } Expand to one rule to match ab and an- can be configured. Currently this feature should be config-
other to match cd. ured using YaST. It is based on severity levels according to
/etc/apparmor/severity.db. Notification frequency
Hats and type of notification (such as e-mail) can be configured.
An AppArmor profile represents a security policy for an Use YaST for generating reports in CSV or HTML format.
individual program instance or process. It applies to an ex-
ecutable program, but if a portion of the program needs Directories and Files
different access permissions than other portions, the pro-
gram can “change hats” to use a different security context, /subdomain/
distinctive from the access of the main program. This is Read access to the kernel module. Get the status of
known as a hat or subprofile. Subdomain or AppArmor.
/etc/apparmor/
A profile can have an arbitrary number of subprofiles, but Contains a number of configuration files for fine-tuning
there are only two levels: a subprofile cannot have sub- the behavior of AppArmor.
subprofiles. A subprofile is written as a separate profile and /etc/subdomain.d/
named as the containing profile followed by the subprofile
Location of profiles named with the convention of replac-
name, separated by a ^. Subprofiles must be stored in the
ing the / in paths with . (except for the root /) so pro-
same file as the parent profile.
files are easier to manage. For example, the profile for
The AppArmor ChangeHat feature requires an application the program /usr/sbin/ntpd is named usr.sbin
modification to call the change_hat function. The supplied .ntpd.
3
/etc/subdomain.d/abstractions/ /etc/subdomain.d/program-chunks/
Abstractions are #includes that are grouped by common Program chunks are access controls for specific programs
application tasks. These tasks include access to authenti- that a system administrator might want to control based
cation mechanisms, access to name service routines, on local site policy. Each chunk is used by a single pro-
common graphics requirements, and system accounting, gram.
for example, base, consoles, kerberosclient, perl, user-
mail, user-tmp, authentication, bash, and nameservice.
Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express
written consent of the publisher. Novell is a registered trademark of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective
owners. A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Created by SUSE® with XSL-FO