LSM
A list of the active security modules can be read from /sys/kernel/security/lsm. The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then the one "major" module (e.g. SELinux) if there is one configured.
cat /sys/kernel/security/lsm
capability,yama,apparmor
What profiles do
A profile defines which files an application may access and what it is allowed to do.
The restriction is applied in one of two modes:
Complaining/Learning
Enforced/Confined
Profile types
Standard profiles
attached to a program by its name
(so a profile name must match the path to the application)
/usr/bin/foo {
...
}
Unattached profiles
Unattached profiles are never used automatically
Output of aa-status on an example system:
apparmor module is loaded.
35 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/lxc-start
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/chromium-browser/chromium-browser//browser_java
..............
23 profiles are in complain mode.
/bin/ping
/sbin/klogd
/sbin/syslog-ng
97 processes have profiles defined.
97 processes are in enforce mode.
/usr/bin/lxc-start (2826)
/usr/bin/lxc-start (3528)
/usr/bin/lxc-start (30836)
/usr/sbin/libvirtd (13285)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Enable AppArmor on boot
vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT=" ... apparmor=1 security=apparmor"
update-grub
reboot
Checking AppArmor status
aa-status
apparmor module is loaded.
72 profiles are loaded.
36 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/irssi
/usr/bin/lxc-start
...
Finding processes that no profile is watching over
Process status: enforced, complain, unconfined
complaining / learning mode (one mode, two names)
violations of the defined policy are detected; the violating action is allowed and logged
Enforced / Confined (one mode, two names)
the defined policy is enforced; violating actions are denied and logged
ps xZ | less
LABEL PID TTY STAT TIME COMMAND
unconfined 1 ? Ss 0:05 /sbin/init
...
nmbd (complain) 1318 ? Ss 0:25 /usr/sbin/nmbd --foreground --no-process-group
Or
aa-unconfined
1 /lib/systemd/systemd (/sbin/init) not confined
862 /sbin/rpcbind not confined
1158 /usr/sbin/nmbd confined by 'nmbd (complain)'
1161 /usr/sbin/vsftpd not confined
1201 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
...
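An added example (my own script, not part of these notes): it parses the confinement labels that ps xZ and /proc/<pid>/attr/current expose and groups processes by mode, so the complain-mode and unconfined ones can be reviewed. The function names, the live_rows() helper and the sample rows are my own constructions; the sample is modelled on the ps xZ output above.

```python
import os
import re
from collections import defaultdict
# Label as in /proc/<pid>/attr/current and the LABEL column of `ps xZ`, e.g. "nmbd (complain)"
LABEL_RE = re.compile(r"^(?:unconfined|(?P<profile>.+) \((?P<mode>[a-z]+)\))$")
# `ps xZ` columns: LABEL PID TTY STAT TIME COMMAND; LABEL and COMMAND may contain spaces
PS_RE = re.compile(r"^(?P<label>.+?)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\d+:\d+\s+(?P<cmd>.*)$")

def parse_label(label):
    """Return (profile, mode); mode is 'enforce', 'complain', 'unconfined' or 'unknown'."""
    m = LABEL_RE.match(label.strip())
    if m is None:  # e.g. an SELinux context, or an empty attr on a kernel without AppArmor
        return label.strip(), "unknown"
    return m.group("profile"), m.group("mode") or "unconfined"

def parse_ps_z(text):
    """Parse `ps xZ` output into (pid, label, command) rows; the header line never matches."""
    rows = []
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            rows.append((int(m.group("pid")), m.group("label"), m.group("cmd")))
    return rows

def live_rows():
    """Read the same labels straight from /proc, which is what ps Z and aa-unconfined do."""
    rows = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/attr/current") as f:
                rows.append((int(pid), f.read().strip(), ""))
        except OSError:
            continue  # process already exited, or the attribute is not readable
    return rows

def confinement_report(rows):
    """Group rows by mode; every bucket other than 'enforce' deserves a look."""
    report = defaultdict(list)
    for pid, label, cmd in rows:
        profile, mode = parse_label(label)
        report[mode].append((pid, profile, cmd))
    return dict(report)

# Constructed sample, modelled on the `ps xZ` output quoted in the notes above.
SAMPLE_PS_Z = """\
LABEL                     PID TTY STAT TIME COMMAND
unconfined                  1 ?   Ss   0:05 /sbin/init
nmbd (complain)          1318 ?   Ss   0:25 /usr/sbin/nmbd --foreground --no-process-group
/usr/sbin/ntpd (enforce) 1201 ?   Ss   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid
"""
```

Run confinement_report(live_rows()) on a real host to get the same grouping for the running system.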
Enabling AppArmor in the kernel config
Relevant parameters: CONFIG_DEFAULT_SECURITY, CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE, CONFIG_DEFAULT_SECURITY_APPARMOR
Compiling the kernel with AppArmor
CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y
AppArmor as the default security module
grep CONFIG_DEFAULT_SECURITY= /boot/config-*
CONFIG_DEFAULT_SECURITY="apparmor" OR CONFIG_DEFAULT_SECURITY="selinux"
AppArmor to be enabled or disabled at boot
grep CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE /boot/config-*
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
grep CONFIG_DEFAULT_SECURITY_APPARMOR /boot/config-*
CONFIG_DEFAULT_SECURITY_APPARMOR=y
Profile declared with the profile keyword:
profile /usr/bin/foo {
...
}
Applying a restriction to a program
complain:
set the profile of a single application (e.g. ping) to complain mode
aa-complain /path/to/bin
set all profiles to complain mode
aa-complain /etc/apparmor.d/*
enforce:
aa-enforce /path/to/bin
File permission access modes
combinations of the following modes
Note: link mode
The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link being created.