Apparmor Overview

tags: apparmor,安全

{% youtube %}
https://www.youtube.com/watch?v=KYM-Dzivnjs
{% endyoutube %}

1. 简介

AppArmor 是类似于 Linux Mandatory access control of the security system (MAC).AppArmor Limit a single program to a set of files、功能、Network access and restrictions,collectively referred to as the program AppArmor 策略,Or simply a configuration file.New or modified policies can be applied to a running system without rebooting.AppArmor Designed by presenting its configuration files in an administrator friendly language,Make it easy to understand and use for most common needs.
AppArmor The restrictions are optional,Therefore some programs on the system may be restricted,Other programs don't.Selective restrictions allow administrators the flexibility to shut down problematic profiles for troubleshooting,Also restrict other parts of the system.
Unrestricted programs are standard Linux 自由访问控制 (DAC) run under safety.AppArmor Enhanced tradition DAC,Because first of all in tradition DAC Under Assessment Restricted Programs,如果 DAC 允许该行为,then consult AppArmor 策略.
AppArmor Learning by profile is supported（投诉）模式,to help users write and maintain policies.Learning mode allows profiles to be created by running the program normally and learning its behavior.在 AppArmor After fully understanding the behavior,Profiles may go to enforcing mode.Although the generated configuration files may be more permissive than handcrafted configuration files tailored for specific environments and applications,But learning mode can greatly reduce usage AppArmor The amount of work and knowledge required,And add an important layer of security.

2. 版本

AppArmor 有两个主要版本,即 2.x 系列（当前）和 3.x 系列（开发）.2.x Series has seen incremental improvements over its life cycle,It's just a gradual break in semantic compatibility.3.x 系列是 AppArmor major expansion.Both main series use the same basic strategy language,There are only subtle semantic differences.3.x Series allows for more extended policies and fine-grained control.

3. 包含 AppArmor 的发行版

• Annvix
• Arch Linux, documentation and Arch specific notes
• CentOs, documentation and CentOS specific notes
• Debian, documentation and Debian specific notes
• Gentoo
• openSUSE (integrated in default install), documentation and Suse specific notes
• Pardus Linux
• PLD
• Ubuntu (integrated in default install), documentation and Ubuntu specific notes

Any derivatives of these distributions should also have AppArmor 可用.更新的 RPMS可以在openSUSE 构建服务中找到.These are not limited SUSE 发行版.

4. 源代码

AppArmor The project source code is divided into kernel modules（在 Linux 内核和 git available in the development tree）and userspace tools available in launchpad.

4.1 Kernel

AppArmor 在 2.6.36 in the upstream kernel.内核模块 git Earlier versions are available in the tree：

• 如何获取 AppArmor 内核源
• 注意：master 分支不稳定,Will be from time to timerebase.The release branch will be stable,will not be repositioned.

AppArmor v2.4 Compatibility patches are available in stable kernel branches.例如 v3.4-aa2.8 或 kernel-patches distribution in the directory tarball.

4.2 Userspace

• 当前稳定版本：3.0.6
• 支持的版本：2.13.6
• 支持的版本：2.12.3
• 支持的版本：2.11.3
• End-of-life releases：2.10.6
• 用户空间工具
  如何获取 AppArmor 用户空间工具

5. AppArmor 配置文件

开发 AppArmor 配置文件位于 Bazaar 存储库中.Install the distribution Bazaar 软件包后,They can be downloaded using the following command：

 git clone git://git.launchpad.net/apparmor-profiles

Find the subdirectory that matches your distribution and version,And look inside for the various configuration files currently under development.You can do this by copying the config file to /etc/apparmor.d 并重新启动 AppArmor 来使用配置文件：

$ /etc/init.d/apparmor restart
 restart apparmor     # if upstart is being used, with initscripts that have been fully updated to support upstart

How to create or modify AppArmor 配置文件

• Create and modify using tools AppArmor 策略
• Created and modified manually AppArmor 策略
• AppArmor 文档

6. 命令

AppArmor 手册
Ubuntu Profile enforcement:

• apparmor_parser：将 AppArmor The configuration file is loaded into the kernel
• aa-audit：将 AppArmor The security profile is set to audit mode
• aa-enforce：设置 AppArmor The security profile is disabled in enforcing mode or complaining mode.
• aa-complain：将 AppArmor The security profile is set to complain mode

Ubuntu Monitoring tools:

• aa-status：Displays information about the current AppArmor Various information on strategies
• aa-notify：Show related records AppArmor 消息的信息
• aa-unconfined：输出带有 tcp 或 udp 端口​​但没有 AppArmor The list of processes that have the config file loaded

Ubuntu Profile development:

• aa-autodep：Guess the basics AppArmor 配置文件要求
• aa-logprof：用于更新 AppArmor Utilities for security profiles
• aa-genprof：AppArmor configuration file generation utility
• mod_apparmor：Apache 的细粒度 AppArmor 限制
• aa_change_hat
• aa_change_profile：Change the task profile
• PAM plugin：Can be used to attach profiles based on authentication done at the user or task level

7. 教程

• Create and modify using tools AppArmor 策略
• Created and modified manually AppArmor 策略
• 将 mod_apparmor 与 Apache used together to limit Web 应用程序- DRAFT
• 使用 AppAmor 和 libvirt to limit virtual machines
• 将 AppArmor 与 PAM Integrate to implement login-based policies
• 使用 AppArmor 进行基于角色的访问控制 (RBAC) - 草稿
• 使用 AppArmor Achieve multi-level security (MLS) - DRAFT
• 使用 AppArmor Restricted and controlled passage wine 运行的 Windows 应用程序- DRAFT
• Use the full system policy- DRAFT
• 如何在 systemd 中使用 AppArmor - DRAFT

参考：

• AppArmor
• AppArmor Documentation