Intro to Ubuntu Apparmor and How to Configure Apparmor Profiles

AppArmor is a Mandatory Access Control or MAC system.

It uses Linux Security Module to restrict programs. AppArmor sets up a collection of default application profiles to protect Linux services.

You can also protect any other applications running on your system by creating profile files yourself.

In Ubuntu, AppArmor is installed and enabled by default. The apparmor profiles get loaded when system starts.

AppArmor operates in the following two types of profile modes:

1. Enforce – In the enforce mode, system begins enforcing the rules and report the violation attempts in syslog or auditd (only if auditd is installed) and operation will not be permitted.
2. Complain – In the complain mode, system doesn’t enforce any rules. It will only log the violation attempts.

Additional profiles can be found in apparmor-profiles package.

View Apparmor Status

You can view the current status of apparmor and all the profiles loaded as shown below:

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (585)
   /usr/sbin/mysqld (799)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

If we check the above output we could see 5 profiles are in Enforce mode.

This also indicates that two processes are currently running in the enforce mode (because of the profiles). For example, /sbin/dhclient with PID of 585 is running in the enforce mode.

Change Profile Mode

To set a profile in complain mode, first install apparmor-utils package if it is not already installed.

apt-get install apparmor-utils

Use aa-complain command to set a profile in complain mode. For example, do the following to enable complain mode for mysqld.

$ sudo aa-complain /usr/sbin/mysqld
Setting /usr/sbin/mysqld to complain mode.

Now when you execute the apparmor_status, you’ll see the mysqld in complain mode.

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
2 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (585)
1 processes are in complain mode.
   /usr/sbin/mysqld (799)
0 processes are unconfined but have a profile defined.

You can change the profile back to enforce mode using aa-enforce command as shown below.

$ sudo aa-enforce /usr/sbin/mysqld
Setting /usr/sbin/mysqld to enforce mode.

AppArmor Profile Files

AppArmor profiles are text files located under /etc/apparmor.d/ directory.

The files are named after the full path to the executable they profile, but replacing the “/” with “.”.

For example, ping command is located in /bin/ping. The equivalent AppArmor profile file will be named as bin.ping

The following is the Apparmor profile file for usr.sbin.mysqld. /usr/sbin/mysqld is absolute path of the binary where this profile gets applied.

# cat usr.sbin.mysqld
# vim:syntax=apparmor
# Last Modified: Tue Jun 19 17:37:30 2007
#include <tunables/global>
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>
  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,
  network tcp,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid rw,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid rw,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}

In a profile file, comments always proceed with # sign. #include lines loads the file.

The following are the different types of rules that are used in profiles.

1. Path entries: This has information on which files the application is allowed to access.
2. Capability entries: determines the privileges a confined process is allowed to use.
3. Network entries: determines the connection-type. For example: tcp. For a packet-analyzer network can be raw or packet etc.

Within the curly braces {} we have other include statements and also includes access permissions/modes [read(r)/write (w)/execute (x) (k) lock (requires r or w, AppArmor 2.1 and later)] to various files and directories, which includes regex globbing the include statements with in curly braces {} help to load components of Novell AppArmor profiles.

Disable AppArmor

If some process are working as expected, and if you like to debug whether apparmor profiles are the reason for that, you might want to temporarily disable apparmor for debugging.

# /etc/init.d/apparmor stop
 * Clearing AppArmor profiles cache  [OK]

Executing the above command will only clear the profiles cache. In order to unload the profile run the following command.

# /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [OK]