AppArmor

AppArmor is a mandatory access control (MAC) mechanism: it confines the applications it controls by restricting the resources each one is allowed to access. It started as an out-of-tree project (developed by Immunix and then promoted by Novell after the acquisition), so at first only distributions such as openSUSE and SUSE Linux Enterprise shipped it. Today it is part of the mainline Linux kernel, having been merged in version 2.6.36 after Canonical pushed for its inclusion.

Today it is enabled by default in many distributions. Ubuntu has shipped it since its early releases (enabled by default from 7.10 onwards), as do its derivatives; Debian adopted it later and enables it by default since Debian 10. Fedora and RHEL do not ship it, because they have traditionally relied on SELinux, a system with a similar goal that is generally considered harder to administer.

The AppArmor security module is compiled into the kernel and its profiles are loaded early during boot. To check that it is enabled on the system, run the following command, which prints Yes when it is active:

sudo aa-enabled

To see which profiles are loaded, in which mode, and which processes are confined by them, run:

sudo aa-status

AppArmor has a profile for each application it confines, the equivalent of an SELinux policy module. Profiles are noticeably easier to read and write than SELinux policy, which makes the system more approachable. Unlike SELinux, AppArmor does not label files and processes with security attributes; it identifies a program by its path. Each profile is therefore named after a specific path and lists what the executable at that path may do: which files it can read or write, which programs it can execute, which capabilities and network access it gets. The flip side of path-based identification is that the same binary reached through another path (a copy, or a bind mount elsewhere) is not covered by that profile.
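
The following minimal profile for a hypothetical /usr/bin/example is added here as an illustration; it is not taken from the AppArmor project or from the original article, and the configuration file, log file, curl helper and home directory layout are assumptions. It shows the pieces described above: the profile is named after the binary's path, and the body lists what that binary may do.

```apparmor
# /etc/apparmor.d/usr.bin.example  (illustrative profile for a hypothetical binary)
#include <tunables/global>

# The profile name is the path of the binary it confines. flags=(complain)
# is what aa-complain writes here; aa-enforce removes it again.
/usr/bin/example flags=(complain) {
  #include <abstractions/base>

  # The executable itself must be readable and memory-mappable
  /usr/bin/example mr,

  # Its configuration (read-only) and its log file (write only)
  /etc/example.conf r,
  /var/log/example.log w,

  # Only the invoking user's own dotfiles, read/write
  owner @{HOME}/.example/** rw,

  # May execute curl, which inherits this profile (ix)
  /usr/bin/curl ix,

  # TCP sockets over IPv4/IPv6, nothing else
  network inet stream,
  network inet6 stream,

  # Anything not listed is denied in enforce mode anyway; make this
  # one explicit so it is refused by rule rather than by omission
  deny /etc/shadow r,
}
```

The file name under /etc/apparmor.d/ conventionally mirrors the confined path with the slashes turned into dots; the kernel, however, matches on the path in the profile header, not on the file name.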

Profiles:

AppArmor profiles are loaded into the kernel during boot, and each profile runs in one of two main modes: enforce and complain.

  • enforce: the policy is applied; any access the profile does not allow is blocked, and the attempt is logged through the kernel audit subsystem (visible in the system log, or collected by auditd when it is running).
  • complain: the policy is not enforced; accesses the profile would have blocked are allowed but still logged. This is how you find out what a profile is missing before switching it to enforce.
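
As an added example (not code from the article or from the AppArmor project), the following POSIX shell functions parse the kind of audit lines AppArmor emits in both modes: ALLOWED events from a complain-mode profile and DENIED events from an enforce-mode one. The sample lines are constructed and the confined program /usr/bin/example is hypothetical; the field names (apparmor, operation, profile, name, denied_mask) are the ones AppArmor actually logs. aa_suggest_rules turns file and exec events into candidate profile rules, a simplified form of what aa-logprof does interactively (exec events are mapped to ix as a deliberate simplification).

```sh
# Constructed sample of AppArmor audit events (not captured from a real
# system); the profile /usr/bin/example is hypothetical.
# Line 1 is a complain-mode event (ALLOWED), lines 2-3 are enforce-mode
# denials (DENIED), line 4 is a profile-load STATUS event to be ignored.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:11): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:12): apparmor="DENIED" operation="exec" profile="/usr/bin/example" name="/usr/bin/curl" pid=1002 comm="example" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example" pid=999 comm="apparmor_parser"'

# aa_field LINE KEY: print the quoted value of KEY="..." in LINE.
# The leading whitespace anchor keeps "name" from matching inside "profile".
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_summarize: read audit lines on stdin and print one row per access
# event:  <ALLOWED|DENIED> <profile> <operation> <name> <denied_mask>
# STATUS and unrelated lines are skipped.
aa_summarize() {
    while IFS= read -r line; do
        case $line in
            *'apparmor="ALLOWED"'*|*'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        printf '%s %s %s %s %s\n' \
            "$(aa_field "$line" apparmor)" \
            "$(aa_field "$line" profile)" \
            "$(aa_field "$line" operation)" \
            "$(aa_field "$line" name)" \
            "$(aa_field "$line" denied_mask)"
    done
}

# aa_count STATE: number of ALLOWED or DENIED events read from stdin
aa_count() {
    aa_summarize | awk -v s="$1" '$1 == s' | wc -l | tr -d ' '
}

# aa_suggest_rules: emit candidate profile rules for the logged file and
# exec accesses, deduplicated. File opens reuse the logged mask; exec
# events are written as ix (inherit the current profile), a simplification
# of the choice aa-logprof offers interactively.
aa_suggest_rules() {
    aa_summarize \
      | awk '$3 == "open" || $3 == "exec" { printf "  %s %s,\n", $4, ($3 == "exec" ? "ix" : $5) }' \
      | sort -u
}

# Demo run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | aa_summarize
printf 'denied=%s allowed=%s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | aa_count DENIED)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | aa_count ALLOWED)"
printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules
```

On a live system the same functions can be fed with the kernel log (journalctl -k, or dmesg) or with /var/log/audit/audit.log when auditd is installed. A profile that keeps producing ALLOWED rows in complain mode is not ready to be enforced; once it is in enforce mode, DENIED rows are either an attack attempt or a gap in the profile, and the suggested rules tell you which path and mode would have to be added.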

Switching a profile between enforce and complain is done with the aa-enforce and aa-complain tools, which on Debian and Ubuntu come in the apparmor-utils package:

sudo apt install apparmor-utils

Each confined application has its own profile. Every distribution ships a set of profiles, and more are added over time; many packages also install a profile for their application alongside it. For an application that has no profile yet you can write one yourself, bearing in mind that a profile which does not cover everything the program needs will make it fail at run time once it is enforced.

To generate a profile for an application interactively, run:

sudo aa-genprof <app-path>

where <app-path> is the path of the executable you want to profile, typically under /usr/bin or /usr/sbin (the which command tells you where a given application lives). aa-genprof loads a skeleton profile in complain mode, asks you to exercise the application in another terminal, then walks through the logged accesses so you can accept or reject each one; the resulting profile is written under /etc/apparmor.d/.


Profile Assignment:

To switch a profile from complain mode to enforce mode, run:

sudo aa-enforce <profile-path>

and to switch it back from enforce mode to complain mode:

sudo aa-complain <profile-path>

Both commands accept either the profile file or the path of the confined executable; they rewrite the flags in the profile header and reload it into the kernel. Profiles live in /etc/apparmor.d/, one file per profile, conventionally named after the confined path with the slashes turned into dots. To list the existing profiles, run:

sudo ls /etc/apparmor.d

To examine a specific profile we can execute the command:

sudo cat /etc/apparmor.d/<profile-name>

For more information about this tool, see the official AppArmor page.