small070 / Ubuntu


Apparmor profile example #7

Open small070 opened 1 year ago

small070 commented 1 year ago

**All profiles are stored in /etc/apparmor.d and are loaded automatically.**

**The path of the confined application is encoded in the profile file name with "." in place of "/":**

/etc/apparmor.d/bin.ping corresponds to /bin/ping

apparmor_parser

apparmor_parser - loads AppArmor profiles into the kernel

add a profile:

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

-a, --add <-- default action

To reload a profile:

cat /etc/apparmor.d/profile.name | apparmor_parser -r

OR

apparmor_parser -r /etc/apparmor.d/lxc-containers

-r, --replace

Reload everything: <-- do not use unless necessary

service apparmor reload

Disable a profile:

[Method 1] aa-disable

aa-disable

aa-disable /path/to/profiles

[Method 2]

Step1 - Remove the AppArmor profile from the kernel (Temporarily)

-R, --remove

apparmor_parser -R /etc/apparmor.d/profile.name

Step2 - Disable the profile file (Permanent)

ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/

e.g.

Disabling the smbd profile

aa-status | grep smbd                 # smbd is confined by AppArmor
smbd
ls /etc/apparmor.d/ | grep smbd       # find the profile file name
usr.sbin.smbd
apparmor_parser -R /etc/apparmor.d/usr.sbin.smbd
ln -s /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/

Test

aa-status | grep smbd

apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd

Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbd

Profile Example

/etc/apparmor.d/bin.ping

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,                           <--- read and execute access
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>
}

Syntax:

Comment

"#" introduces a comment; "#include" is the include directive, not a comment (see Include below)

Include

#include "ABS PATH" | #include <MAGIC PATH>

"MAGIC PATH" is relative to /etc/apparmor.d/

Variables

any variable assignments must be made before the start of the profile

e.g.

@{TFTP_DIR}=/var/tftp /srv/tftpboot

Built-in variables (defined in tunables/global):

@{PROC}    /proc
@{sys}     /sys

Rules

Globbing

If the pathname being looked up is a directory, it ends with a slash:

/tmp/*           Files directly in /tmp.
/tmp/*/          Directories directly in /tmp.
/tmp/**          Files and directories anywhere underneath /tmp.
/tmp/**/         Directories anywhere underneath /tmp.

Other available profiles:

http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files

Application support status:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

Logs

If the userland auditd is not running, the kernel will send audit events to klogd; klogd will send the messages to syslog which will log the messages with the KERN facility

AppArmor audit logs can be found in /var/log/kern.log

complain mode:

enforcement:

Confined applications:

LABEL                     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
unconfined                root         1  0.0  0.0  24468  1940 ?        Ss   Feb25   0:02 /sbin/init
lxc-container-default     root      3643  0.0  0.0   1688   252 pts/10   Ss+  Feb25   0:00 /sbin/mingetty tty4

unconfined = not confined by AppArmor

Creating a profile: aa-genprof executable
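Added example (mine, not the issue author's): a small Python parser for the kern.log audit lines described in the Logs section above. It turns DENIED (enforce mode) and ALLOWED (complain mode) events into the file, capability and network rules that would satisfy them, roughly what aa-logprof does interactively, and reports which mode each profile was in when it logged. The log lines are constructed for this example and are not real captures; the field names (apparmor, operation, profile, name, requested_mask, denied_mask, capname, family, sock_type) are the ones the kernel emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kern.log format described above
# (type=1400 kernel audit events forwarded through klogd/syslog).
# These are made up for the example, not captured from a real host.
SAMPLE_KERN_LOG = """\
Mar 10 12:00:01 host kernel: [ 1234.567890] audit: type=1400 audit(1615377601.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/samba/private/secret.tdb" pid=2345 comm="smbd" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0
Mar 10 12:00:02 host kernel: [ 1235.000001] audit: type=1400 audit(1615377602.000:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/in.tftpd" name="/srv/tftpboot/upload.bin" pid=2400 comm="in.tftpd" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 10 12:00:03 host kernel: [ 1236.000002] audit: type=1400 audit(1615377603.000:47): apparmor="DENIED" operation="capable" profile="/bin/ping" pid=2450 comm="ping" capability=13 capname="net_raw"
Mar 10 12:00:04 host kernel: [ 1237.000003] audit: type=1400 audit(1615377604.000:48): apparmor="DENIED" operation="create" profile="/bin/ping" pid=2450 comm="ping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
Mar 10 12:00:05 host kernel: [ 1238.000004] audit: type=1400 audit(1615377605.000:49): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/smbd" pid=2500 comm="apparmor_parser"
Mar 10 12:00:06 host kernel: [ 1239.000005] usb 1-1: new high-speed USB device number 4
"""

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(lines):
    """Return one dict of audit fields per AppArmor line; other kernel lines are ignored."""
    events = []
    for line in lines:
        start = line.find('apparmor="')
        if start < 0:
            continue
        fields = {}
        for key, quoted, bare in KV_RE.findall(line[start:]):
            fields[key] = quoted if quoted else bare
        events.append(fields)
    return events


def normalize_mask(mask):
    """Map log mask letters to file-rule letters: create ('c') and delete ('d') need 'w'."""
    letters = [{"c": "w", "d": "w"}.get(ch, ch) for ch in mask]
    return "".join(dict.fromkeys(letters))  # dedupe, keep order


def suggest_rules(events):
    """Group DENIED (enforce) and ALLOWED (complain) events by profile and emit
    the profile line that would grant each one. STATUS events are skipped."""
    rules = defaultdict(set)
    for ev in events:
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        profile = ev["profile"]
        if ev.get("operation") == "capable":
            rules[profile].add(f"capability {ev['capname']},")
        elif "family" in ev:
            rules[profile].add(f"network {ev['family']} {ev['sock_type']},")
        elif "name" in ev and "denied_mask" in ev:
            rules[profile].add(f"{ev['name']} {normalize_mask(ev['denied_mask'])},")
    return dict(rules)


def profile_modes(events):
    """ALLOWED means the profile was in complain mode when the event fired,
    DENIED means enforce mode; handy for spotting profiles left in complain."""
    modes = {}
    for ev in events:
        if ev.get("apparmor") == "ALLOWED":
            modes[ev["profile"]] = "complain"
        elif ev.get("apparmor") == "DENIED":
            modes.setdefault(ev["profile"], "enforce")
    return modes


if __name__ == "__main__":
    evs = parse_events(SAMPLE_KERN_LOG.splitlines())
    for profile, lines in sorted(suggest_rules(evs).items()):
        print(f"# {profile} ({profile_modes(evs)[profile]} mode)")
        for rule in sorted(lines):
            print("  " + rule)
```

Run it against a real file with `parse_events(open("/var/log/kern.log"))`; the suggested lines are candidates to review, not to paste blindly, because a denial can also mean the program is doing something it should not.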

small070 commented 1 year ago

https://datahunter.org/apparmor

http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html

https://alextrinityblock.github.io/blog/public/post/secure/apparmor%E7%A0%94%E7%A9%B6_1/

https://www.unix.com/man-page/suse/5/apparmor.d/

small070 commented 1 year ago

AppArmor: For FILES: if the profile does not define a permission for a file, the default is no permission at all. For PROCESSES: if the profile does not define a permission for the application, the default is likewise no permission, and the correct path must be specified; a link path is not valid.
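Added example (mine, not the issue author's) that ties together the Globbing table from the first comment and the default-deny point above: a simplified re-implementation of AppArmor file-rule matching in Python. The glob translation follows apparmor.d(5): `*` stays within one path component, `**` crosses components, and directories are matched with a trailing slash. The detail that a glob at the start of a component must match at least one character, so that `/tmp/*` does not match `/tmp/` itself, is my reading of the parser and is what makes the table come out as stated. The sample profile, the tftp paths and the @{TFTP_DIR} values are constructed; `#include` abstractions are not expanded, so the evaluator sees only the rules written in the profile text, and `[...]` character classes are not supported.

```python
import re

# Constructed sample profile for the example (not a real shipped profile).
# The variable assignment sits before the profile body, as the notes above require.
SAMPLE_PROFILE = """\
#include <tunables/global>
@{TFTP_DIR}=/var/tftp /srv/tftpboot
/usr/sbin/in.tftpd {
  #include <abstractions/base>
  capability net_bind_service,
  /usr/sbin/in.tftpd mr,
  @{TFTP_DIR}/** r,          # anything, at any depth, under either tftp root
  /tmp/* rw,                 # files directly in /tmp only
  /tmp/*/ r,                 # directories directly in /tmp
  /var/log/tftpd.log w,
}
"""

# Built-in tunables as listed on this page; a real profile gets them from tunables/global.
BUILTIN_VARIABLES = {"@{PROC}": ["/proc"], "@{sys}": ["/sys"]}

VAR_ASSIGN_RE = re.compile(r"^(@\{\w+\})\s*=\s*(.+)$")
FILE_RULE_RE = re.compile(r"^(\S+)\s+([a-zA-Z]+),$")


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.
    '*' stays within one path component, '**' crosses '/', and either one at the
    start of a component must match at least one character (assumption noted in
    the lead-in), so /tmp/* does not match /tmp/ itself."""
    out, i = [], 0
    while i < len(pattern):
        at_start = i == 0 or pattern[i - 1] == "/"
        if pattern.startswith("**", i):
            out.append(".+" if at_start else ".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]+" if at_start else "[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "{":  # {a,b} alternation of literal alternatives
            j = pattern.index("}", i)
            out.append("(?:" + "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def expand_variables(pattern, variables):
    """Expand @{VAR} references; a variable with several values yields several patterns."""
    patterns = [pattern]
    for name, values in variables.items():
        expanded = []
        for p in patterns:
            expanded += [p.replace(name, v) for v in values] if name in p else [p]
        patterns = expanded
    return patterns


def parse_file_rules(profile_text):
    """Collect (pattern, regex, perms) for every file rule in the profile text.
    Comments and #include lines are dropped, so abstractions are NOT expanded."""
    variables = dict(BUILTIN_VARIABLES)
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = VAR_ASSIGN_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).split()
            continue
        m = FILE_RULE_RE.match(line)
        if not m or not m.group(1).startswith(("/", "@{")):
            continue  # capability/network rules and braces are not file rules
        for pattern in expand_variables(m.group(1), variables):
            rules.append((pattern, glob_to_regex(pattern), set(m.group(2))))
    return rules


def allowed(rules, path, requested):
    """Default deny: grant only if every requested letter is granted by the union
    of all rules matching the path. 'w' implies 'a' (append), as in AppArmor."""
    granted = set()
    for _pattern, regex, perms in rules:
        if regex.match(path):
            granted |= perms
    if "w" in granted:
        granted.add("a")
    return set(requested) <= granted


if __name__ == "__main__":
    rules = parse_file_rules(SAMPLE_PROFILE)
    for path, req in [("/var/tftp/boot/pxelinux.0", "r"), ("/tmp/scratch/inner", "r"), ("/etc/passwd", "r")]:
        print(f"{path:32} {req:3} -> {'ALLOW' if allowed(rules, path, req) else 'DENY'}")
```

The evaluator makes the two points of this thread concrete: `/tmp/scratch/inner` is denied even though `/tmp/* rw,` exists, because `*` does not cross a slash, and `/etc/passwd` is denied simply because no rule mentions it.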