Getting started with kubernetes apparmor
2022-08-09 05:54:00 【ghostwritten】
Getting started with AppArmor
tags: apparmor, security
1. Introduction
AppArmor is a Linux security module (LSM) that implements name-based mandatory access control. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
More information about AppArmor can be found on the AppArmor project's wiki.
2. Installation
Since Ubuntu 8.04 LTS, AppArmor is installed and loaded by default. Some packages install their own mandatory profiles. Additional profiles can be found in the apparmor-profiles package in the Universe repository. To file a bug against an installed AppArmor profile, see: https://wiki.ubuntu.com/DebuggingApparmor
Installing additional AppArmor profiles
- Enable the Universe repository.
- Install apparmor-profiles. Click the link to install, or see Installing Software to learn more about installation options.
3. Usage
All the following commands should be executed from a terminal.
3.1 List the current status of AppArmor
sudo aa-status
3.2 Put a profile in complain mode
sudo aa-complain /path/to/bin
Example:
sudo aa-complain /bin/ping
3.3 Put a profile in enforce mode
sudo aa-enforce /path/to/bin
Example:
sudo aa-enforce /bin/ping
3.4 Disable the AppArmor framework
It is usually not necessary to disable AppArmor entirely. It is strongly recommended that users leave AppArmor enabled, put the problematic profile in complain mode (see above), and then file a bug using the procedure at https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (for example to use SELinux instead), users can:
sudo systemctl stop apparmor
sudo systemctl disable apparmor
On Ubuntu systems before Ubuntu 16.04 LTS:
sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove
To disable AppArmor in the kernel, do either of the following:
- Adjust your kernel boot command line (see /etc/default/grub) to include one of:
- ‘apparmor=0’
- ‘security=XXX’ where XXX can be “” to disable AppArmor, or the name of an alternative LSM, e.g. ‘security=“selinux”’
- Remove the apparmor package using your package manager. If you think you might want to re-enable AppArmor later, do not “purge” apparmor.
3.5 Enable the AppArmor framework
AppArmor is enabled by default. If you used the process above to disable it, you can re-enable it as follows:
- Make sure AppArmor is not disabled in /etc/default/grub if you use an Ubuntu kernel; if you use a non-Ubuntu kernel, make sure /etc/default/grub contains apparmor=1 security=apparmor
- Make sure the apparmor package is installed
- Enable the systemd unit:
sudo systemctl enable apparmor && sudo systemctl start apparmor
- For systems before Ubuntu 16.04 LTS:
sudo invoke-rc.d apparmor start
sudo update-rc.d apparmor start 37 S .
3.6 Reload all profiles
sudo service apparmor reload
3.7 Reload one profile
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
3.8 Disable a profile
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
Example:
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping
3.9 Enable a profile
By default, profiles are enabled (i.e. loaded into the kernel and applied to processes).
sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
The aa-enforce command can also be used to enable a profile:
sudo aa-enforce /etc/apparmor.d/bin.ping
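The disable/enable procedure of 3.8 and 3.9 fails halfway if it is repeated (ln -s refuses to overwrite an existing symlink, rm complains about a missing one). The following helpers, added here and not part of the original page, make both steps idempotent and let you dry-run them against a sandbox directory by setting APPARMOR_DIR; apparmor_parser is only invoked when it exists and the real /etc/apparmor.d is the target.

```shell
#!/bin/sh
# Added example: idempotent disable/enable of an AppArmor profile file.
# APPARMOR_DIR defaults to the real profile directory; point it at a
# scratch directory to rehearse the procedure without touching the kernel.
APPARMOR_DIR=${APPARMOR_DIR:-/etc/apparmor.d}

# Report "enabled" or "disabled" for profile file NAME (e.g. bin.ping),
# judged by the presence of the symlink in the disable/ directory.
profile_state() {
    if [ -L "$APPARMOR_DIR/disable/$1" ]; then echo disabled; else echo enabled; fi
}

# Reload (-r) or unload (-R) the profile in the kernel, but only when
# apparmor_parser is installed and we are operating on the real directory.
_parser() {
    if [ "$APPARMOR_DIR" = /etc/apparmor.d ] && command -v apparmor_parser >/dev/null 2>&1; then
        sudo apparmor_parser "$1" "$APPARMOR_DIR/$2"
    fi
}

# Section 3.8: symlink the profile into disable/ and unload it from the kernel.
disable_profile() {
    [ -f "$APPARMOR_DIR/$1" ] || { echo "no such profile: $1" >&2; return 1; }
    mkdir -p "$APPARMOR_DIR/disable"
    [ -L "$APPARMOR_DIR/disable/$1" ] || ln -s "$APPARMOR_DIR/$1" "$APPARMOR_DIR/disable/$1"
    _parser -R "$1"
}

# Section 3.9: remove the disable/ symlink and reload the profile.
enable_profile() {
    [ -f "$APPARMOR_DIR/$1" ] || { echo "no such profile: $1" >&2; return 1; }
    rm -f "$APPARMOR_DIR/disable/$1"
    _parser -r "$1"
}
```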
Profile customization
Profiles can be found in /etc/apparmor.d. These are simple text files that can be edited with a text editor or with aa-logprof.
Some customization can be done in /etc/apparmor.d/tunables/. When updating profiles, it is important to use these tunables where appropriate. For example, instead of using the following rule:
/home/*/ r,
use:
@{HOME}/ r,
After updating a profile, be sure to reload it (see above).
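Hard-coded /home/*/ rules are exactly what breaks when HOME is relocated (see FAQ 4.3), so they are worth catching before a profile is reloaded. The script below is an added example, not part of the original page: it scans a profile for rules whose path starts with /home/ and shows the @{HOME} rewrite. The profile for /usr/bin/example-app is constructed for illustration and is not a shipped profile.

```shell
#!/bin/sh
# Added example: lint an AppArmor profile for hard-coded home paths that
# should use the @{HOME} tunable from /etc/apparmor.d/tunables/home.

# Constructed sample profile for a hypothetical /usr/bin/example-app.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  /usr/bin/example-app mr,
  /home/*/ r,                        # hard-coded: breaks with non-standard HOME
  /home/*/.example-app/** rw,        # hard-coded
  @{HOME}/.cache/example-app/** rw,  # correct: uses the tunable
  /etc/example-app.conf r,
}
EOF

# Print "file:line: rule" for every non-comment rule whose path begins with
# /home/. Exit status is 1 when any such rule exists, 0 otherwise (lint style).
hardcoded_home_rules() {
    awk '
        /^[ \t]*#/ { next }                           # skip comment lines
        $1 ~ /^\/home\// { found++; print FILENAME ":" NR ": " $0 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Number of offending rules, as a plain integer.
count_hardcoded_home_rules() {
    hardcoded_home_rules "$1" | wc -l | tr -d ' '
}

# Emit the profile with /home/*/ prefixes rewritten to @{HOME}/ on stdout;
# the original file is left untouched so the change can be reviewed first.
suggest_home_tunable() {
    sed 's#^\([[:space:]]*\)/home/\*/#\1@{HOME}/#' "$1"
}
```

Reload with apparmor_parser -r only after the rewritten profile has been reviewed and saved back into /etc/apparmor.d.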
4. FAQ
4.1 aa-status reports processes that are unconfined but have a profile defined
Restart the listed processes. A reboot will also fix the problem.
AppArmor can only track and confine processes started after the kernel module is loaded. After the apparmor package is installed, apparmor is started, but processes that were already running are not protected by AppArmor. Restarting those processes or rebooting fixes the problem.
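The processes this FAQ refers to are listed under their own heading in aa-status output, so pulling them out is a small text-processing job. The function below is an added example (not from the original page) that extracts PID and path for each such process; the aa-status output embedded here is constructed to mimic the real format and the /usr/bin/example-daemon entry is hypothetical.

```shell
#!/bin/sh
# Added example: find processes that aa-status lists as unconfined although
# a profile exists for them (FAQ 4.1), so they can be restarted.

# Constructed aa-status output; the numbers and paths are illustrative.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cupsd
   /usr/sbin/slapd
   /usr/bin/example-daemon
1 profiles are in complain mode.
   /bin/ping
4 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812) 
   /usr/sbin/slapd (901) 
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/slapd (777) 
   /usr/bin/example-daemon (1203) 
EOF

# Print "PID PATH" for each entry in the "unconfined but have a profile
# defined" section. Reads the files given as arguments, or stdin when none
# (e.g. sudo aa-status | unconfined_with_profile).
unconfined_with_profile() {
    awk '
        /^[0-9]+ processes are unconfined but have a profile defined/ { grab = 1; next }
        /^[0-9]+ /  { grab = 0 }                 # any other summary line ends the section
        grab && NF >= 2 {
            pid = $NF; gsub(/[()]/, "", pid)     # "(777)" -> "777"
            print pid, $1
        }
    ' "$@"
}

# How many such processes there are, as a plain integer.
count_unconfined_with_profile() {
    unconfined_with_profile "$@" | wc -l | tr -d ' '
}
```

On a systemd host each PID can be mapped to its unit with ps -o unit= -p PID and the unit restarted, which is the remedy the FAQ describes.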
4.2 How do I enable AppArmor for Firefox?
Since Ubuntu 9.10 (Karmic), AppArmor ships with a Firefox profile that is disabled by default.
You can enable it with the following command:
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
4.3 How do I make AppArmor work with non-standard HOME directories?
The location of home directories can be adjusted in /etc/apparmor.d/tunables/home.
On Ubuntu 10.04 LTS and later, you can use sudo dpkg-reconfigure apparmor to set the home directory location.
5. Creating a new profile
Designing a test plan
Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a short description and list the steps to follow.
Some standard test cases are:
- Start the program
- Stop the program
- Reload the program
- Test all commands supported by the init script
For graphical programs, your test cases should also include anything you normally do: downloading and opening files, saving files, uploading files, using plugins, saving configuration changes, and starting other programs, where applicable.
6. Generating a new profile
Use aa-genprof to generate a new profile.
From a terminal, use the aa-genprof command:
sudo aa-genprof executable
Example:
sudo aa-genprof slapd
The man page has more information: man aa-genprof.