Intro to Ubuntu Apparmor and How to Configure Apparmor Profiles

by Sandeep Krishnan on March 10, 2014

AppArmor is a Mandatory Access Control or MAC system.

It uses the Linux Security Module (LSM) framework to restrict programs. AppArmor ships with a collection of default application profiles that protect common Linux services.

You can also protect any other applications running on your system by creating profile files yourself.

In Ubuntu, AppArmor is installed and enabled by default. The AppArmor profiles are loaded when the system starts.

AppArmor operates in the following two profile modes:

  1. Enforce – In enforce mode, the system enforces the profile's rules: operations the profile does not allow are blocked, and the violation attempts are reported in syslog or auditd (only if auditd is installed).
  2. Complain – In complain mode, the system does not enforce the rules. It only logs the violation attempts.

Additional profiles can be found in the apparmor-profiles package.

View Apparmor Status

You can view the current status of AppArmor and all the loaded profiles as shown below:

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (585)
   /usr/sbin/mysqld (799)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

From the above output we can see that 5 profiles are loaded and all 5 are in enforce mode.

The output also shows that two running processes are currently confined by those profiles in enforce mode. For example, /sbin/dhclient with PID 585 is running in enforce mode.

Change Profile Mode

To set a profile in complain mode, first install the apparmor-utils package if it is not already installed.

$ sudo apt-get install apparmor-utils

Use the aa-complain command to set a profile in complain mode. For example, do the following to enable complain mode for mysqld.

$ sudo aa-complain /usr/sbin/mysqld
Setting /usr/sbin/mysqld to complain mode.

Now when you execute apparmor_status, you'll see mysqld in complain mode.

$ sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
2 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (585)
1 processes are in complain mode.
   /usr/sbin/mysqld (799)
0 processes are unconfined but have a profile defined.

You can change the profile back to enforce mode using the aa-enforce command as shown below.

$ sudo aa-enforce /usr/sbin/mysqld
Setting /usr/sbin/mysqld to enforce mode.
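
Switching a profile to complain mode is easy to forget, and a profile that was never loaded for a process is easy to miss in a long apparmor_status listing. The following shell functions, added here as an example and not part of the original article, read apparmor_status output and report the mode of a given profile and every profile that is not actually enforcing. The sample status text is constructed to mirror the second listing above, with one extra "unconfined but has a profile" process added for illustration.

```shell
#!/bin/sh
# Added example (not from the article): read `apparmor_status` output and
# report which profiles are not actually enforcing.  Feed it real output with:
#   sudo apparmor_status | non_enforcing
#   sudo apparmor_status | profile_mode /usr/sbin/mysqld
#
# Constructed sample: the article's second listing plus one process that runs
# unconfined although a profile for it exists (PID 912 is made up).
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
3 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (585)
1 processes are in complain mode.
   /usr/sbin/mysqld (799)
1 processes are unconfined but have a profile defined.
   /usr/sbin/tcpdump (912)'

# profile_mode PATH  -> prints enforce | complain | none (reads status on stdin).
# Section headers are the "N profiles are in ... mode." lines; every indented
# path that follows belongs to that section until the next count line.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /^[0-9]+ /                      { mode = "";         next }  # any other count line ends the section
        mode != "" && $1 == want        { print mode; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# non_enforcing -> one line per profile in complain mode or per process running
# unconfined although a profile exists; empty output means everything enforces.
non_enforcing() {
    awk '
        /profiles are in complain mode/                { tag = "complain";   next }
        /processes are unconfined but have a profile/  { tag = "unconfined"; next }
        /^[0-9]+ /                                     { tag = "";           next }
        tag != "" && /^[ \t]+\//                       { print tag ": " $1 }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | non_enforcing
```

Running the demo prints "complain: /usr/sbin/mysqld" and "unconfined: /usr/sbin/tcpdump"; on a real host, pipe sudo apparmor_status into non_enforcing and treat any output as a profile to re-check with aa-enforce, or a service to restart so its profile is applied.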

AppArmor Profile Files

AppArmor profiles are text files located under the /etc/apparmor.d/ directory.

The files are named after the full path to the executable they profile, with the leading "/" dropped and each remaining "/" replaced by ".".

For example, the ping command is located at /bin/ping. The equivalent AppArmor profile file is named bin.ping.

The following is the AppArmor profile file usr.sbin.mysqld. It applies to the binary at the absolute path /usr/sbin/mysqld.

# cat usr.sbin.mysqld
# vim:syntax=apparmor
# Last Modified: Tue Jun 19 17:37:30 2007
#include <tunables/global>
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>
  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,
  network tcp,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid rw,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid rw,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}

In a profile file, comments begin with the # sign. #include lines load the named file into the profile.

The following are the different types of rules that are used in profiles.

  1. Path entries: define which files the application is allowed to access, and with which permissions.
  2. Capability entries: determine the Linux capabilities a confined process is allowed to use.
  3. Network entries: determine the connection type allowed, for example tcp. For a packet analyzer the network rule can be raw or packet.

Within the curly braces {} a profile contains further #include statements along with access rules for files and directories. Each file rule names a path, which may use globbing (for example /usr/share/mysql/** above), followed by the access modes: read (r), write (w), execute (x) and lock (k; lock requires r or w and is available in AppArmor 2.1 and later). The #include statements inside the braces load shared components of the AppArmor profiles, such as the abstractions used above.
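
Before a profile goes into enforce mode it is worth reading what it actually grants: which capabilities, which network access, and which paths are writable. The shell functions below are an added example, not code from the article or the AppArmor project; profile_name implements the path-to-filename mapping described above and summarise_profile lists the include, capability, network and path rules of a profile read from stdin. The sample profile is an abbreviated copy of the usr.sbin.mysqld profile shown above.

```shell
#!/bin/sh
# Added example (not from the article): map an executable to its profile file
# name and summarise what a profile grants, so it can be reviewed before it is
# put into enforce mode.  Usage on a real system:
#   summarise_profile < "/etc/apparmor.d/$(profile_name /usr/sbin/mysqld)"

# profile_name PATH -> file name under /etc/apparmor.d/ (leading "/" dropped,
# remaining "/" replaced by "."), e.g. /bin/ping -> bin.ping
profile_name() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Sample input: an abbreviated copy of the article's usr.sbin.mysqld profile.
SAMPLE_PROFILE='#include <tunables/global>
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/mysql>
  capability dac_override,
  capability setuid,
  network tcp,
  /etc/mysql/*.cnf r,
  /usr/sbin/mysqld mr,
  /var/lib/mysql/** rwk,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.sock w,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}'

# summarise_profile (profile on stdin) prints one line per rule:
#   include <file>            files pulled in by #include
#   capability NAME           capabilities the confined process may use
#   network RULE              network rules
#   path write|read MODE PATH path rules; "write" when the mode contains w
summarise_profile() {
    awk '
        /^[ \t]*#include[ \t]*</ { sub(/^[ \t]*#include[ \t]*/, ""); sub(/,?[ \t]*$/, ""); print "include " $0; next }
        /^[ \t]*#/               { next }                              # plain comment
        /^[ \t]*capability /     { sub(/,$/, "", $2); print "capability " $2; next }
        /^[ \t]*network/         { sub(/,$/, ""); sub(/^[ \t]*network[ \t]*/, ""); print "network " $0; next }
        /^[ \t]*\//              {                                     # path rule: "PATH MODE,"
            path = $1; mode = $2; sub(/,$/, "", mode)
            if (mode == "{" || mode == "") next                        # the "/usr/sbin/mysqld {" header line
            print "path " (index(mode, "w") ? "write" : "read") " " mode " " path
        }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PROFILE" | summarise_profile
```

The summary only covers rules written in the file itself: everything an #include line pulls in (the abstractions and the local override file) is not expanded, so those files need the same review before you trust the profile.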

Disable AppArmor

If some process is not working as expected and you want to check whether the AppArmor profiles are the cause, you might want to temporarily disable AppArmor for debugging.

# /etc/init.d/apparmor stop
 * Clearing AppArmor profiles cache  [OK]

Executing the above command only clears the profile cache. To unload the profiles, run the following command.

# /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [OK]
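
Unloading every profile on the host is a blunt way to find out whether AppArmor is blocking one service. Since the kernel reports each blocked operation (DENIED in enforce mode, ALLOWED in complain mode) in syslog or the audit log, a narrower check is to summarise those records for the profile in question. The function below is an added example, not code from the article or the AppArmor project; the log lines are constructed samples in the kernel-log format (paths, PIDs and timestamps are made up), and on Ubuntu the real records can be fed in with sudo grep apparmor= /var/log/syslog | summarise_denials.

```shell
#!/bin/sh
# Added example (not from the article): count AppArmor log records by profile,
# operation, path and access mask so that a misbehaving service can be checked
# against its profile instead of unloading every profile on the host.
#   sudo grep apparmor= /var/log/syslog | summarise_denials
#
# Constructed sample log lines (kernel-log format); the first three are
# denials in enforce mode, the last one was recorded after `aa-complain`
# switched mysqld to complain mode, so the kernel logged it as ALLOWED.
SAMPLE_LOG='Mar 10 09:15:01 host kernel: [ 842.1] type=1400 audit(1394442901.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/debian.cnf" pid=799 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
Mar 10 09:15:03 host kernel: [ 844.2] type=1400 audit(1394442903.102:22): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/debian.cnf" pid=799 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
Mar 10 09:16:10 host kernel: [ 911.3] type=1400 audit(1394442970.103:23): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/mysqld" name="/srv/mysql-backup/" pid=799 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
Mar 10 09:20:44 host kernel: [ 1185.4] type=1400 audit(1394443244.104:24): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/srv/mysql-backup/dump.sql" pid=799 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=106 ouid=106'

# summarise_denials (log lines on stdin) prints, most frequent first:
#   COUNT STATUS PROFILE OPERATION PATH MASK
summarise_denials() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' | awk '
        # field(rec, key) returns the value of key="value" in rec, or "".
        function field(rec, key) {
            if (match(rec, key "=\"[^\"]*\""))
                return substr(rec, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
            return ""
        }
        {
            status  = field($0, "apparmor")
            profile = field($0, "profile")
            op      = field($0, "operation")
            name    = field($0, "name")
            mask    = field($0, "denied_mask")
            if (mask == "") mask = field($0, "requested_mask")
            count[status " " profile " " op " " name " " mask]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarise_denials
```

Each output line points at one rule that is missing from the profile (here, read access to /etc/mysql/debian.cnf and create/write access under /srv/mysql-backup/). Because complain mode records the same fields with ALLOWED, the same summary run after aa-complain shows what the profile would have blocked, which you can use to fix the profile before returning it to enforce mode with aa-enforce.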


1 Dariusz March 11, 2014 at 4:40 am

thank you for this article.
I wasn’t aware that it is loaded by default, although it shouldn’t be a surprise as Fedora does the same with SELinux.
I will now try to disable it on my low spec old PC to see if I gain some more resources.
I wonder from which Ubuntu version it is enabled by default and whether Lubuntu and Xubuntu follow the same rule?

2 Jim C. June 19, 2014 at 1:09 pm

Question: If /usr/sbin/mysqld turns out to be a shell script instead of a binary, do you target the binary or the shell script? Trying to set up for Thunderbird now but:

user@machine:~$ ls /usr/lib/thunderbird/thunderbird*
/usr/lib/thunderbird/thunderbird /usr/lib/thunderbird/thunderbird.sh
user@machine:~$

Which one? Both? In theory someone else could fire up TBird without the script or with a different script.
